Examples of cross-account access to ECS resources

Last Updated: Dec 11, 2017

Assume that the user John@aliyun.com has created an ECS instance with the InstanceId I-instance1. John@aliyun.com now wants to authorize Mary@aliyun.com to manage this instance, but only to call the ECS APIs RebootInstance (restart the instance), StopInstance (stop the instance), and DescribeInstanceAttribute (query the instance information), and only on this one instance. To implement this authorization, John needs to do the following:

  1. Add Mary to John’s user space in RAM. To do this, John calls the AddUser interface of RAM with the parameter UserName=ALIYUN$Mary@aliyun.com:

     ```text
     https://ram.aliyuncs.com/?Action=AddUser
     &UserName=ALIYUN$Mary@aliyun.com
     &<Other Public Request Parameters>
     ```
  2. Define the authorization policy. The policy is a JSON string, and its structure must contain the following elements. The Action list names the only three ECS operations Mary may call, and the Resource list restricts them to the single instance I-instance1:

     ```json
     {
       "Version": "1",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["ecs:RebootInstance", "ecs:StopInstance", "ecs:DescribeInstanceAttribute"],
           "Resource": ["acs:ecs:*:instance/I-instance1"]
         }
       ]
     }
     ```
  3. Call the PutUserPolicy interface of RAM to attach the policy to Mary. The value web_front_server_policy of the parameter PolicyName is the policy name chosen by John, and PolicyDocument carries the policy defined in step 2:

     ```text
     https://ram.aliyuncs.com/?Action=PutUserPolicy
     &UserName=ALIYUN$Mary@aliyun.com
     &PolicyName=web_front_server_policy
     &PolicyDocument=$policy defined in step 2
     &<Other Public Request Parameters>
     ```

     Once the policy is set, Mary holds the permissions to call the ECS APIs RebootInstance, StopInstance, and DescribeInstanceAttribute on John’s ECS instance I-instance1, and nothing else.

  4. Mary calls an ECS API, for example RebootInstance, to operate on the ECS instance. In the call, the parameter ResourceOwnerAccount must be set to specify that the API is operating on John’s resource:

     ```text
     https://ecs.aliyuncs.com/?Action=RebootInstance
     &InstanceId=I-instance1
     &ResourceOwnerAccount=John@aliyun.com
     &<Other Public Request Parameters>
     ```
  5. When John wants to revoke Mary’s permissions, John calls DeleteUserPolicy of RAM to delete the policy:

     ```text
     https://ram.aliyuncs.com/?Action=DeleteUserPolicy
     &UserName=ALIYUN$Mary@aliyun.com
     &PolicyName=web_front_server_policy
     &<Other Public Request Parameters>
     ```
  6. If Mary now tries to call an ECS API to access the ECS instance, the request is denied and the following response is returned:

     ```json
     {
       "RequestId": "7463B73D-35CC-4D19-A010-6B8D65D242EF",
       "HostId": "ecs.aliyuncs.com",
       "Code": "Forbidden",
       "Message": "User not authorized to operate on the specified resource."
     }
     ```
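The following script is an added example, not code from the Alibaba Cloud documentation or SDK. It walks through the whole procedure above locally: it builds the least-privilege policy document from step 2, assembles the PutUserPolicy and RebootInstance request parameters from steps 3 and 4 (the public request parameters and the request signature are deliberately left out), and then simulates the allow/deny decision so you can check before attaching the policy that Mary gets exactly the three operations on I-instance1 and is denied everything else, including after the policy is deleted in step 5. The `is_allowed` evaluator and the region `cn-hangzhou` in the resource string are assumptions made for the example; they are not part of the page.

```python
import json
from fnmatch import fnmatchcase

# Constructed values taken from the scenario on the page.
OWNER = "John@aliyun.com"
GRANTEE = "ALIYUN$Mary@aliyun.com"
INSTANCE_ID = "I-instance1"
POLICY_NAME = "web_front_server_policy"
ALLOWED_ACTIONS = ["RebootInstance", "StopInstance", "DescribeInstanceAttribute"]


def build_instance_policy(instance_id, actions):
    """Return the policy document from step 2 as a compact JSON string.

    Only the listed ECS actions are allowed, and only on the one instance.
    """
    document = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ecs:" + a for a in actions],
            "Resource": ["acs:ecs:*:instance/" + instance_id],
        }],
    }
    return json.dumps(document, separators=(",", ":"))


def put_user_policy_params(user_name, policy_name, policy_document):
    """Query parameters for the PutUserPolicy call in step 3.

    Public request parameters (AccessKeyId, Signature, Timestamp, ...) are
    omitted here; a real client adds and signs them.
    """
    return {
        "Action": "PutUserPolicy",
        "UserName": user_name,
        "PolicyName": policy_name,
        "PolicyDocument": policy_document,
    }


def reboot_instance_params(instance_id, resource_owner):
    """Query parameters for Mary's RebootInstance call in step 4.

    ResourceOwnerAccount names the account that owns the instance.
    """
    return {
        "Action": "RebootInstance",
        "InstanceId": instance_id,
        "ResourceOwnerAccount": resource_owner,
    }


def is_allowed(policy_documents, action, resource):
    """Hypothetical local simulation of the authorization decision.

    Mirrors the outcome the page describes: a call succeeds only if some
    attached Allow statement matches both the action and the resource; with
    no matching statement (or no policy at all) the caller is denied, which
    is the Forbidden response shown in step 6.
    """
    for doc in policy_documents:
        for stmt in json.loads(doc)["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            action_ok = any(fnmatchcase(action, p) for p in stmt["Action"])
            resource_ok = any(fnmatchcase(resource, p) for p in stmt["Resource"])
            if action_ok and resource_ok:
                return True
    return False


def walk_through():
    """Run steps 2 to 6 locally and return the decision for each probe."""
    policy = build_instance_policy(INSTANCE_ID, ALLOWED_ACTIONS)
    attached = {POLICY_NAME: policy}                      # step 3: PutUserPolicy
    # Resource string for the target instance; the region is constructed.
    target = "acs:ecs:cn-hangzhou:instance/" + INSTANCE_ID
    other = "acs:ecs:cn-hangzhou:instance/I-instance2"    # constructed second instance
    results = {
        "reboot_target": is_allowed(attached.values(), "ecs:RebootInstance", target),
        "describe_target": is_allowed(attached.values(), "ecs:DescribeInstanceAttribute", target),
        "delete_target": is_allowed(attached.values(), "ecs:DeleteInstance", target),
        "reboot_other": is_allowed(attached.values(), "ecs:RebootInstance", other),
    }
    del attached[POLICY_NAME]                             # step 5: DeleteUserPolicy
    results["reboot_after_revocation"] = is_allowed(attached.values(), "ecs:RebootInstance", target)
    return results


if __name__ == "__main__":
    print(put_user_policy_params(GRANTEE, POLICY_NAME, build_instance_policy(INSTANCE_ID, ALLOWED_ACTIONS)))
    print(reboot_instance_params(INSTANCE_ID, OWNER))
    for probe, allowed in walk_through().items():
        print(f"{probe}: {'allowed' if allowed else 'denied'}")
```

The evaluator only models Allow statements with wildcard matching, which is all this page's policy needs; it is a pre-flight check on the document you are about to attach, not a replacement for RAM's own decision. The useful habit it encourages is the one the page's policy already follows: list the exact actions and the exact instance, then confirm that an unrelated action and an unrelated instance are both denied before granting the policy.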