manage Auto Scaling resources by resource authentication - Auto Scaling

In scenarios in which multiple users simultaneously access resources, you can create multiple Resource Access Management (RAM) users and grant the RAM users permissions based on their roles. This way, different RAM users can access and manage different resources. This can improve management efficiency and reduce the risk of information leaks. This topic describes how to grant different RAM users different permissions on Auto Scaling resources based on resource authentication.

Background information

Alibaba Cloud provides policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple resource-level permissions in each policy and attach one or more policies to RAM users or RAM user groups. For more information about policies, see Policy overview.
RAM does not support resource-level authentication, which may cause inconvenience when you manage Auto Scaling resources. For example, managing the permissions on Auto Scaling resources in a region at a coarse granularity may be inefficient. Auto Scaling allows you to configure policies that include resource-level permissions and attach the policies to RAM users. This facilitates flexible management of Auto Scaling resources.
Note
For more information about RAM, see What is RAM?

Scenarios

The following table describes the scenarios in which you can configure policies that include resource-level permissions.

Scenario

Policy

Scenario 1: Create scaling groups and then configure a policy that includes resource-level permissions

Examples:

Scaling Group 1: The scaling group name is asg-001 and the scaling group ID is asg-bp17np35ywjwh2cx****.
Scaling Group 2: The scaling group name is asg-002 and the scaling group ID is asg-bp1c5pl2qc6ozgbl**** .

RAM users have only the permissions on specific resources in Scaling Group 1. RAM users do not have the permissions on resources in Scaling Group 2.

Scenario 2: Configure policy that includes resource-level permissions and then create scaling groups

RAM users have the permissions to create scaling groups only in specific regions, such as the China (Hangzhou) region. RAM users do not have the permissions to create scaling groups in other regions, such as the China (Beijing) region.

API operations that do not support resource-level authentication

After you attach a policy that includes resource-level permissions to RAM users, the RAM users cannot call the API operations described in the following table.

Operation	Unsupported for resource authentication
DescribeRegions	Yes
Operations that are related to scheduled tasks: CreateScheduledTask ModifyScheduledTask DescribeScheduledTasks DeleteScheduledTask	Yes
Operations that are related to event-triggered tasks: CreateAlarm DescribeAlarms ModifyAlarm EnableAlarm DeleteAlarm	Yes

Procedure

Note

A RAM user is created. For more information about how to create RAM users, see Create a RAM user.

Scenario 1: Create scaling groups and then configure a policy that includes resource-level permissions

Create two scaling groups.
For more information, see Manage scaling groups.
- Scaling Group 1: The scaling group name is asg-001 and the scaling group ID is asg-bp17np35ywjwh2cx****.
- Scaling Group 2: The scaling group name is asg-002 and the scaling group ID is asg-bp1c5pl2qc6ozgbl****.
Log on to the RAM console.

Create a custom policy.

For more information, see Create custom policies.

The custom policy that you created in this step allows RAM users to view, modify, and delete the asg-001 scaling group by using the Auto Scaling console or calling an API operation. However, RAM users cannot perform operations on the asg-002 scaling group.

Sample custom policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ess:*",
            "Resource": "acs:ess:cn-hangzhou:160998252992****:scalinggroup/asg-bp17np35ywjwh2cx****"
        },
        {
            "Effect": "Deny",
            "Action": "ess:*",
            "Resource": "acs:ess:cn-hangzhou:160998252992***8:scalinggroup/asg-bp1c5pl2qc6ozgbl****"
        },
        {
           "Effect": "Allow",
           "Action": [
                   "ess:DescribeRegions",
                   "ess:CreateScheduledTask",
                   "ess:ModifyScheduledTask",
                   "ess:DescribeScheduledTasks",
                   "ess:DeleteScheduledTask",
                   "ess:CreateAlarm",
                   "ess:DescribeAlarms",
                   "ess:ModifyAlarm",
                   "ess:EnableAlarm",
                   "ess:DeleteAlarm"
                ],
            "Resource": "*"
        }
    ]
}

Attach the custom policy to the RAM users whose access permissions on Auto Scaling resources you want to manage.
For more information, see Grant permissions to a RAM user.
View, modify, and delete the asg-001 and asg-002 scaling groups by using the Auto Scaling console or calling an API operation as a RAM user.
You can view, modify, and delete the asg-001 scaling group, but you cannot view, modify, or delete the asg-002 scaling group. If an error message that is shown in the following figure appears, the policy takes effect.

Scenario 2: Configure policy that includes resource-level permissions and then create scaling groups

Log on to the RAM console.

Create a custom policy.

For more information, see Create custom policies.

The custom policy that you created in this step allows RAM users to create scaling groups in the China (Hangzhou) region by using the Auto Scaling console or calling an API operation. However, RAM users do not have the permissions to create scaling groups in the China (Beijing) region.

Sample custom policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ess:*",
            "Resource": "acs:ess:cn-hangzhou:160998252992****:*"
        },
        {
            "Effect": "Deny",
            "Action": "ess:*",
            "Resource": "acs:ess:cn-beijing:160998252992****:*"
        },
        {  
           "Effect": "Allow",
           "Action": [
                   "ess:DescribeRegions",
                   "ess:CreateScheduledTask",
                   "ess:ModifyScheduledTask",
                   "ess:DescribeScheduledTasks",
                   "ess:DeleteScheduledTask",
                   "ess:CreateAlarm",
                   "ess:DescribeAlarms",
                   "ess:ModifyAlarm",
                   "ess:EnableAlarm",
                   "ess:DeleteAlarm"
                ],
            "Resource": "*"                       
        }
    ]
}

Attach the custom policy to the RAM users whose access permissions on Auto Scaling resources you want to manage.
For more information, see Grant permissions to a RAM user.
Create scaling groups by using the Auto Scaling console or calling an API operation as a RAM user.
You can create scaling groups in the China (Hangzhou) region, but you cannot create scaling groups in the China (Beijing) region. If an error message that is shown in the following figure appears, the policy takes effect.

References

For information about how to grant permissions to RAM users by calling an API operation, see AttachPolicyToUser.
For information about how to create a custom policy by calling an API operation, see CreatePolicy.
For information about how to create one or more scaling groups by calling an API operation, see CreateScalingGroup.
For information about how to manage Auto Scaling resources by tag-based authentication, see Manage Auto Scaling resources by tag-based authentication.
For information about how to create resource groups and manage cloud resources by resource group, see Use resource groups to manage scaling groups in a fine-grained manner.