
Elastic Compute Service:Manage the executions of Cloud Assistant commands based on tags

Last Updated:Mar 29, 2024

You can add tags, such as environment-specific tags, application tags, or resource-type tags, to Elastic Compute Service (ECS) resources for fine-grained management. If you want to filter for ECS instances that have specific tags to run Cloud Assistant commands or upload files by using Cloud Assistant, you can attach the policies in which the tags are specified to Resource Access Management (RAM) users. Then, the RAM users can run Cloud Assistant commands on the ECS instances that have the tags and control access to the instances. This topic describes how to use tags to manage the executions of Cloud Assistant commands.

Prerequisites

  • A RAM user is created. For more information about how to create a RAM user, see Create a RAM user.

  • A Cloud Assistant command is created. For more information, see Create a command.

Working principles

A combination of tags and RAM users helps implement fine-grained management of ECS resources. You can specify tags as match conditions in the policies attached to RAM users.

Note
  • Each tag consists of a key and a value. You can use tags to mark ECS instances and categorize and manage resources. For information about tags, see Overview.

  • RAM allows you to manage user identities and cloud resource access and operation permissions based on policies. You can define custom policies based on regions and the operations that you want to perform on ECS instances and Cloud Assistant commands. You can attach custom policies to RAM users to manage their permissions to use Cloud Assistant commands. For more information, see Overview of RAM users and Policy overview.

The following figure shows how to use tags to manage resource access and operation permissions of RAM users, which is called tag-based authentication.


Sample scenarios

This topic describes how to implement tag-based authentication to manage Cloud Assistant commands in the following scenarios:

  • RAM users can run commands only on ECS instances that have specific tags. Example tag: test:tony.

  • RAM users can transfer files only to ECS instances that have specific tags added. Example tag: test:tony.

  • RAM users can query tags, instances, and Cloud Assistant commands and the corresponding execution results.

Procedure

In this example, an Alibaba Cloud account is used to create a custom policy named UseTagAccessResources and the UseTagAccessResources custom policy is attached to a RAM user. The RAM user can run commands on or upload files to the ECS instances that have the test:tony tag.

  1. Create an ECS instance that has a specific tag.

    In this example, an ECS instance that has the test:tony tag is created. For more information, see Create a resource with a specific tag.

  2. Log on to the RAM console by using an Alibaba Cloud account.

  3. Create the UseTagAccessResources custom policy.

    For more information, see Create custom policies.

    You can configure multiple tag-based authentication conditions in the Condition element of the custom policy to limit permissions on ECS resources. The following table describes the supported tag-based authentication conditions.

    Tag-based authentication condition | Description
    -----------------------------------|------------
    acs:RequestTag  | Indicates that a specific tag must be included in each API request. If an API request does not include tag-related parameters, the acs:RequestTag condition cannot be evaluated and authentication fails.
    acs:ResourceTag | Indicates that a specific tag must be added to the resource that the request operates on. If an API request does not include a resource ID, the acs:ResourceTag condition cannot be evaluated and authentication fails.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand",
                    "ecs:RunCommand",
                    "ecs:StopInvocation",
                    "ecs:SendFile"
                ],
                "Resource": "acs:ecs:*:*:instance/*",
                "Condition": {
                    "StringEquals": {
                        "acs:ResourceTag/test": "tony"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand",
                    "ecs:RunCommand",
                    "ecs:StopInvocation",
                    "ecs:SendFile"
                ],
                "Resource": "acs:ecs:*:*:command/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeTag*",
                    "ecs:DescribeInstance*",
                    "ecs:DescribeCommands",
                    "ecs:CreateCommand",
                    "ecs:DeleteCommand",
                    "ecs:ModifyCommand",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeSendFileResults",
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInvocations",
                    "ecs:DescribeResourceByTags",
                    "ecs:DescribeTagKeys",
                    "ecs:DescribeTags",
                    "ecs:ListTagResources",
                    "ecs:DescribeManagedInstances"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "oos:ListSecretParameters",
                "Resource": "*"
            }
        ]
    }

    The preceding policy grants the following permissions to RAM users:

    • Run Cloud Assistant commands on or send files to ECS instances that have the test:tony tag. Sample policies:

       {
           "Effect": "Allow",
           "Action": [
               "ecs:InvokeCommand",
               "ecs:RunCommand",
               "ecs:StopInvocation",
               "ecs:SendFile"
           ],
           "Resource": "acs:ecs:*:*:instance/*",
           "Condition": {
               "StringEquals": {
                   "acs:ResourceTag/test": "tony"
               }
           }
       },
       {
           "Effect": "Allow",
           "Action": [
               "ecs:InvokeCommand",
               "ecs:RunCommand",
               "ecs:StopInvocation",
               "ecs:SendFile"
           ],
           "Resource": "acs:ecs:*:*:command/*"
       }

    • Query resources such as tags, instances, and Cloud Assistant commands. Sample policies:

       {
           "Effect": "Allow",
           "Action": [
               "ecs:DescribeTag*",
               "ecs:DescribeInstance*",
               "ecs:DescribeCommands",
               "ecs:CreateCommand",
               "ecs:DeleteCommand",
               "ecs:ModifyCommand",
               "ecs:DescribeInvocationResults",
               "ecs:DescribeSendFileResults",
               "ecs:DescribeInstances",
               "ecs:DescribeCloudAssistantStatus",
               "ecs:DescribeInvocations",
               "ecs:DescribeResourceByTags",
               "ecs:DescribeTagKeys",
               "ecs:DescribeTags",
               "ecs:ListTagResources",
               "ecs:DescribeManagedInstances"
           ],
           "Resource": "*"
       },
       {
           "Effect": "Allow",
           "Action": "oos:ListSecretParameters",
           "Resource": "*"
       }

  4. Attach the UseTagAccessResources custom policy to the RAM user whose access you want to control.

    For more information, see Grant permissions to a RAM role.

  5. Check whether the custom policy takes effect.

    Log on to the ECS console as the RAM user and perform the following operations on the ECS instances:

    Note

    When the RAM user runs Cloud Assistant commands on or sends files to ECS instances, the RAM user can also query the specific tag, the instances that have the tag, and the Cloud Assistant commands that are associated with the tag, because the policy grants the corresponding Describe and List permissions.

    • Run Cloud Assistant commands on ECS instances that have the test:tony tag and on ECS instances that have tags other than test:tony.

      On the Commands tab of the Cloud Assistant page, find a Cloud Assistant command and click Create Task in the Actions column to run the command on the ECS instances. In this example, the Cloud Assistant command whose ID is c-hz02jt1ncrf**** is used. For more information, see Run a command.

      Note

      If no Cloud Assistant commands exist on the Commands tab, create a Cloud Assistant command and perform the preceding step. For more information, see Create a command.

    • Send files to ECS instances that have the test:tony tag and ECS instances that have tags other than test:tony.

      In the upper-right corner of the Cloud Assistant page, click Send File to send a file to ECS instances that have the test:tony tag and to ECS instances that have tags other than test:tony. For more information, see Upload files to ECS instances.

    If the results match those described in the Execution results section, the custom policy is in effect. If they do not match, the custom policy is not in effect. To troubleshoot the issue, see FAQ.

Execution results

  • When the custom policy is in effect, running a Cloud Assistant command on ECS instances produces the following results:

    • After the command is run on ECS instances that have the test:tony tag, Successful is displayed in the Status column corresponding to the command execution task.

    • After the command is run on ECS instances that do not have the test:tony tag, a message indicating that the command failed to run appears.

  • When the custom policy is in effect, sending a file to ECS instances produces the following results:

    • After the file is sent to ECS instances that have the test:tony tag, Successful is displayed in the Status column corresponding to the file sending task.

    • After the file is sent to ECS instances that do not have the test:tony tag, a message indicating that the file failed to be sent appears.

FAQ

What do I do if a custom policy is not in effect?

If a custom policy is not in effect, check whether any policy attached to the RAM user contains a statement whose Effect element is set to Allow for the following actions without the tag condition (for example, with Resource set to *). Such a statement grants the actions on all ECS instances regardless of their tags and makes the tag-based condition ineffective. If you find such a statement, remove it from the policy that is attached to the RAM user.

  • ecs:InvokeCommand

  • ecs:RunCommand

  • ecs:StopInvocation

  • ecs:SendFile

For example, if a custom policy that is attached to a RAM user contains the following sub-policy, remove the sub-policy from the custom policy.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:StopInvocation",
                "ecs:SendFile"
            ],
            "Resource": "*"
        }
    ]
}
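To see why the tag condition in the UseTagAccessResources policy works and why the unscoped statement above defeats it, the following added example (not code from Alibaba Cloud or from this topic) evaluates both policies with a deliberately simplified, Allow-only model of RAM policy matching: only StringEquals on acs:ResourceTag/<key> is modelled, Deny statements and other condition operators are not. The instance and command ARNs in the test are constructed placeholders.

```python
import fnmatch

CMD_ACTIONS = ["ecs:InvokeCommand", "ecs:RunCommand", "ecs:StopInvocation", "ecs:SendFile"]

# Constructed sample: the two command statements of the policy in this topic. The
# Describe* and oos:ListSecretParameters statements are not needed for this check.
TAG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": CMD_ACTIONS, "Resource": "acs:ecs:*:*:instance/*",
     "Condition": {"StringEquals": {"acs:ResourceTag/test": "tony"}}},
    {"Effect": "Allow", "Action": CMD_ACTIONS, "Resource": "acs:ecs:*:*:command/*"},
]}

# The statement the FAQ tells you to remove: same actions, every resource, no tag condition.
UNSCOPED_STATEMENT = {"Effect": "Allow", "Action": CMD_ACTIONS, "Resource": "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, resource_tags):
    # Assumption of this example: only StringEquals on acs:ResourceTag/<key> is modelled.
    # A resource that lacks the key fails the condition; that is what makes the scope hold.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("acs:ResourceTag/"):
            return False
        if resource_tags.get(key[len("acs:ResourceTag/"):]) != expected:
            return False
    return True


def statement_allows(stmt, action, resource, resource_tags):
    # Action and Resource use the same "*" wildcard as the policy language.
    return (stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), resource_tags))


def is_allowed(policy, action, resource, resource_tags=None):
    # Allow-only model (every statement on this page is Allow): one matching statement grants.
    return any(statement_allows(s, action, resource, resource_tags or {})
               for s in policy["Statement"])


def run_command_allowed(policy, instance_arn, instance_tags, command_arn):
    # RunCommand touches an instance and a command, so both resources must be allowed;
    # that is why the policy carries a separate, unconditioned command/* statement.
    return (is_allowed(policy, "ecs:RunCommand", instance_arn, instance_tags)
            and is_allowed(policy, "ecs:RunCommand", command_arn))
```

Appending UNSCOPED_STATEMENT to the tag-scoped policy lets RunCommand through on an untagged instance, which is the symptom the FAQ describes.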

References

  • You can attach specific policies to a RAM user to allow the RAM user to manage access to ECS instances based on tags. For more information, see Control access to resources by using tags.

  • You can add the same tag to multiple ECS instances and use the smart tag synchronization feature of CloudMonitor to assign the instances to the same application group for group-based automatic monitoring. The metrics of monitoring include the health status, CPU utilization, and memory usage of ECS instances. For more information, see Implement automatic resource monitoring by group based on tags.

  • If a tag is no longer suitable for managing and retrieving resources, you can remove the tag from the resources. For more information, see Remove or delete a tag.