Serverless App Engine (SAE) integrates Microservices Engine (MSE), including the governance center, the registration and configuration center, end-to-end gray release, and cloud-native gateway features. Before SAE can call the MSE service on behalf of a RAM user, that RAM user must be granted the corresponding MSE permissions. This topic describes how to grant RAM users permissions on the MSE service.
Procedure
Create a custom permission
Log on to the RAM console by using an Alibaba Cloud account. In the left navigation pane, choose.
Click Create Policy. On the Create Policy page, click the JSON tab.
Copy the MSE custom permissions to the text box in the JSON tab.
Grant the custom permission to a RAM user
In the left navigation pane, choose , and then click the Logon Name of the target user.
Click the Permissions tab, and then click Grant Permission on the Individual tab.
On the Grant Permission page, configure the following parameters, and then click Grant permissions.
Select Resource Scope as Account.
Select Principal as the target RAM user.
Select Policy as Custom Policy, and then select the target policy.
MSE custom permissions
When RAM users call MSE service in SAE, the required permissions vary with the following scenarios:
Scenario 1: Call MSE Nacos instances
In this example, the instance mse-cn-71j48jjx503 is used. Note that mse-cn-71j48jjx503 is the InstanceId, not the ClusterId.
Grant a RAM user read and write permissions to call MSE Nacos instances
{
  "Statement": [
    {
      "Action": "mse:ListClusters",
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:instance/mse-cn-71j48jjx503",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Grant a RAM user read-only permissions to call MSE Nacos instances
{
  "Statement": [
    {
      "Action": [
        "mse:List*",
        "mse:Query*",
        "mse:Get*"
      ],
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Scenario 2: Call microservices governance and end-to-end canary release features
RAM users need to be granted read and write permissions at the MSE namespace level.
SAE integrates both MSE Professional Edition and Enterprise Edition. After you activate a specific version of MSE service in the SAE console, MSE automatically creates a namespace corresponding to that version. The following namespaces are created:
The namespace for MSE Professional Edition is sae-pro.
The namespace for MSE Enterprise Edition is sae-ent.
You can grant your RAM users read and write permissions to the corresponding namespace based on the MSE version you have activated. The following example demonstrates how to grant RAM users read and write permissions at the sae-ent namespace level.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/sae-ent/application/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:QueryAppSummaryMetricsOverview",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:GetEventDetail",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAllSwimmingLane",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:QuerySwimmingLaneById",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:ListSwimmingLaneGateway",
        "mse:ListSwimmingLaneGatewayRoute",
        "mse:ListAuthPolicy",
        "mse:GetServiceList",
        "mse:GetServiceListPage",
        "mse:DeleteSwimmingLan",
        "mse:QueryResourceTopN",
        "mse:GetApplicationInstancesWithMetircs",
        "mse:ListMscEventRecords",
        "mse:ListAdaptiveOverloadProtectionConfig",
        "mse:ListFlowRules",
        "mse:GetAppMessageQueueRoute",
        "mse:GetLocalityRule",
        "mse:GetServiceMethodPageWithMetrics",
        "mse:GetDubboServicePageWithMetrics",
        "mse:ListAppResourceWithMetrics",
        "mse:QueryAppSystemMetricsOfGroup",
        "mse:ListDefaultCircuitBreakerRules",
        "mse:ListIsolationRules",
        "mse:ListCircuitBreakerRules",
        "mse:ListHotParamRules",
        "mse:ListWebFlowRules",
        "mse:ListSentinelBlockFallbackDefinitions",
        "mse:QueryAppResourceMetrics",
        "mse:ListEventOfReource",
        "mse:QueryAppResourceMetricsByInstance",
        "mse:QueryAppSystemMetricsOfGroupByInstance",
        "mse:QueryAppRPCMacMetrics",
        "mse:QueryMetricsAveragedByInstance",
        "mse:CheckUserReadinessConfig",
        "mse:GetLosslessRuleByApp"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:GetApplicationList",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteSwimmingLane"
      ],
      "Resource": "acs:mse:*:*:namespace/sae-ent"
    }
  ]
}
Scenario 3: Call MSE cloud-native gateway
This section describes how to grant RAM users read and write permissions on a specific MSE cloud-native gateway instance. In this example, gw-8090caa2a3ab447a8bc5fdf3******** is used as the instance.
Grant a RAM user read and write permissions to call a specific MSE cloud-native gateway instance
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:*"
      ],
      "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mse:QueryDefaultAlertStatus",
        "mse:CreateDefaultAlert",
        "mse:ListGatewayZone",
        "mse:ListUpgradableGatewayVersions",
        "mse:ListEventRecords",
        "mse:GetEventFilterOptions",
        "mse:GetEventDetail",
        "mse:GetGatewaySelection",
        "mse:GetGatewayAlarms",
        "mse:GetGatewayMigrateNamespacedServices",
        "mse:GetPluginGuide",
        "mse:GetRegExpCheck",
        "mse:GetRegExpTest",
        "mse:CheckPluginLua",
        "mse:*TagResources",
        "mse:*CustomPlugin",
        "mse:*GatewayIngressMigrateTask*"
      ],
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:DescribeService",
        "log:ListProject",
        "log:GetProductDataCollection",
        "log:OpenProductDataCollection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:SearchContactGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
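As an added check (not part of this page or of Alibaba Cloud's own tooling), the following Python evaluator and linter lets you confirm, before attaching one of the custom policies above, that a wildcard such as "mse:*" is granted only on the named instance or namespace and that a read-only policy contains no write verbs. It assumes a simplified RAM semantics: "*" is the only wildcard, action names match case-insensitively, an explicit Deny overrides Allow, and anything unmatched is denied; the embedded sample is the Scenario 1 read/write policy from this page.

```python
import fnmatch
import json

# Constructed sample: the Scenario 1 read/write policy quoted on this page.
RW_POLICY = json.loads("""{
  "Statement": [
    {"Action": "mse:ListClusters", "Resource": "acs:mse:*:*:*", "Effect": "Allow"},
    {"Action": "mse:*", "Resource": "acs:mse:*:*:instance/mse-cn-71j48jjx503",
     "Effect": "Allow"}
  ],
  "Version": "1"
}""")
READ_PREFIXES = ("list", "query", "get", "describe")  # read-style verbs used on this page

def _as_list(value):
    # RAM allows Action/Resource as one string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # '*' is the RAM wildcard; matching is treated as case-insensitive here (assumption).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource):
    """Simplified RAM decision: an explicit Deny wins, else any matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        hit = (any(_match(a, action) for a in _as_list(stmt["Action"]))
               and any(_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        decision = decision or hit
    return decision

def lint(policy):
    """Flag Allow statements pairing 'svc:*' with an unscoped resource ('*', 'acs:mse:*:*:*')."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        broad_action = any(a.endswith(":*") for a in _as_list(stmt["Action"]))
        broad_res = any(r == "*" or r.endswith(":*:*:*") for r in _as_list(stmt["Resource"]))
        if broad_action and broad_res:
            findings.append(f"statement {i}: whole-service rights on an unscoped resource")
    return findings

def is_read_only(policy):
    """True when every allowed action verb is read-style (rejects 'mse:*', Create*, Delete*)."""
    return all(a.split(":", 1)[1].lower().startswith(READ_PREFIXES)
               for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
               for a in _as_list(stmt["Action"]))
```

Running lint on the Scenario 1 read/write policy returns no findings because "mse:*" is bound to the single instance ARN, whereas the same action on "acs:mse:*:*:*" would be flagged.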