Permissions define the conditions for the system to allow or deny specific operations on specific resources.
Procedure
Permissions are defined in policies. You can define permissions when you create custom policies.
Define actions
To define actions for a policy, you must specify API operations in the Action parameter. When you create a policy to grant permissions on IoT Platform, specify IoT Platform actions in the Action parameter. Each IoT Platform action must start with iot:. Multiple actions must be separated by commas (,). You can also set the Action parameter to an asterisk (*), which indicates a wildcard. For information about the API operations of IoT Platform, see API permissions.
The following examples show you how to define actions.
- Specify a single API operation to define an action.
"Action": "iot:CreateProduct" - Specify multiple API operations to define actions.
"Action": [ "iot:UpdateProduct", "iot:QueryProduct" ] - Specify all read-only API operations to define actions, including the actions that
are involved when the rules engine forwards data to a product.
{ "Version": "1", "Statement": [ { "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] } - Specify all read/write API operations to define actions, including the actions that
are involved when the rules engine forwards data to a product.
{ "Version": "1", "Statement": [ { "Action": "iot:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" }, { "Action": [ "mns:ListTopic", "mns:GetTopicRef" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "log:ListShards", "log:ListLogStores", "log:ListProject" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } }, { "Action": [ "cms:QueryMetricList" ], "Resource": "*", "Effect": "Allow" } ] } - Define actions for specific resources.
Examples:
- Configure a policy that contains the permission to query the information about a specific
product.
{ "Statement": [ { "Action": "iot:QueryProduct", "Effect": "Allow", "Resource": "acs:iot:$regionid:$accountid:product/*$productKey" } ], "Version": "1" } - Configure a policy that contains the permission to query the information about a specific
device.
{ "Statement": [ { "Action": "iot:QueryDeviceDetail", "Effect": "Allow", "Resource": "acs:iot:$regionid:$accountid:product/*$productKey/device/$deviceName" } ], "Version": "1" } - Configure a policy that contains the permission to query the information about a specific
rule.
{ "Statement": [ { "Action": "iot:GetRule", "Effect": "Allow", "Resource": "acs:iot:$regionid:$accountid:rule/*$ruleId" } ], "Version": "1" }
- Configure a policy that contains the permission to query the information about a specific
product.
Define conditions
RAM policies support multiple authentication conditions. For example, you can set limits on the access IP addresses and access time. You can also specify whether HTTPS-based access is allowed, and whether multi-factor authentication (MFA) is required. All API operations of IoT Platform support these authentication conditions.
- IP address-based access control
RAM allows you to specify the source IP addresses from which access requests are allowed. You can also use Classless Inter-Domain Routing (CIDR) blocks to specify source IP addresses. The following examples show you how to set limits on access IP addresses.
- Specify a single IP address or CIDR block. In the following example, only access requests
from the IP address 10.101.168.111 or CIDR block 10.101.169.111/24 are allowed.
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.101.168.111", "10.101.169.111/24" ] } } } ], "Version": "1" } - Specify multiple IP addresses. In the following sample example, only access requests
from the IP addresses 10.101.168.111 and 10.101.169.111 are allowed.
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.101.168.111", "10.101.169.111" ] } } } ], "Version": "1" }
- Specify a single IP address or CIDR block. In the following example, only access requests
from the IP address 10.101.168.111 or CIDR block 10.101.169.111/24 are allowed.
- HTTPS-based access control
RAM allows you to specify whether resources must be requested over HTTPS.
In the following example, only access requests over HTTPS are allowed.
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" } - MFA-based access control
RAM allows you to specify whether to enable MFA for access requests. MFA applies to console logon and is not required for API requests.
In the following example, only access requests that pass MFA are allowed.
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "Bool": { "acs:MFAPresent ": "true" } } } ], "Version": "1" } - Time-based access control
RAM allows you to specify the access time. Access requests earlier than the specified time are allowed or denied.
In the following example, only access requests that are earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" } } } ], "Version": "1" }
Scenarios
Based on the Action, Resource, and Condition parameters that are described in the preceding sections, this section describes the scenarios of custom policies.
- A custom policy that allows specific access requests
Scenario: Only access requests that are sent over HTTPS, from the IP addresses in 10.101.168.111/24, and earlier than 00:00:00 on January 1, 2019 (UTC+8) are allowed.
{ "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.101.168.111/24" ] }, "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" } - A custom policy that denies specific access requests
Scenario: Read requests from the IP address 10.101.169.111 are denied.
{ "Statement": [ { "Effect": "Deny", "Action": [ "iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*" ], "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.101.169.111" ] } } } ], "Version": "1" }
After a policy is created, attach the policy to RAM users. Then, the RAM users can perform the operations that are defined in the policy. For more information about how to create and authorize RAM users, see Use RAM users.