All Products
Search
Document Center

Resource Access Management:Use a resource group to grant a RAM user the permissions to manage a specific ECS instance

Last Updated:Feb 22, 2024

This topic describes how to add an Elastic Compute Service (ECS) instance to a resource group and grant a Resource Access Management (RAM) user the permissions to view and manage the ECS instance in the resource group.

Procedure

In this example, a RAM user named Alice has the permissions to view and manage only the ECS instance i-001. You can add the ECS instance to a resource group and grant the permissions on the resource group to Alice.

Note

During the authorization process, the ECS instance can work as expected.

You must use an account administrator to perform the following operations:

  1. Log on to the RAM console and create a RAM user named Alice.

    For more information, see Create a RAM user.

  2. Log on to the Resource Management console and create a resource group named ECS-Admin.

    For more information, see Create a resource group.

  3. In the Resource Management console, add the ECS instance i-001 to the resource group ECS-Admin.

    You can use one of the following methods to add the ECS instance to the resource group:

  4. In the RAM console, grant the required permissions to Alice.

    In this step, select Specific Resource Group in the Authorized Scope section, enter ECS-Admin in the field below Specific Resource Group, enter Alice in the Principal field, and then select the system policy AliyunECSFullAccess. For more information, see Grant permissions to a RAM user.资源组授权

    Note

    In an actual business environment, we recommend that you create a custom policy to grant only the required permissions to the RAM user based on the principle of least privilege. This prevents security risks caused by excessive user permissions.

Verify the result

  1. Log on to the ECS console as the RAM user Alice.

    For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region in which the ECS instance resides.

  4. In the top navigation bar, select ECS-Admin from the resource group drop-down list.

    选择资源组-zh.jpg

    Important

    The RAM user can view the ECS instances in the resource group only after the RAM user selects the related resource group. Otherwise, the RAM user cannot view ECS instances.

  5. On the Instances page, view the information about the instance and manage the instance.

References

You can manually transfer the associated resources of an ECS instance to the related resource group. You can also use the Transfer Associated Resources feature provided by Resource Management to automatically transfer the associated resources to the related resource group. For an ECS instance, the following associated resources support this feature: cloud disks, elastic network interfaces (ENIs), and elastic IP addresses (EIPs). For more information, see Use the Transfer Associated Resources feature.