Permissions define the conditions for the system to allow or deny specific operations on target resources.
Procedure
Permissions are defined in authorization policies. Customizing permissions means defining the actions, resources, and conditions of a permission policy when you customize it.
Define actions
An action is an application programming interface (API) operation name. When creating an authorization policy, use iot: as the prefix for each action, and separate multiple actions with commas (,). Asterisks (*) are wildcard characters. For information about the operation name definitions that are used on IoT Platform, see API permissions.
The following section provides some examples on action definitions.
- Define a single API operation.
"Action": "iot:CreateProduct"
- Define multiple API operations.
"Action": ["iot:UpdateProduct", "iot:QueryProduct"]
- Define all read-only API operations, including the permissions that the rules engine needs to transfer data to the target product.
{
  "Version": "1",
  "Statement": [
    { "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*", "iot:Check*"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo"], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" },
    { "Action": ["mns:ListTopic", "mns:GetTopicRef"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["ots:ListInstance", "ots:GetInstance", "ots:ListTable", "ots:DescribeTable"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["log:ListShards", "log:ListLogStores", "log:ListProject"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["cms:QueryMetricList"], "Resource": "*", "Effect": "Allow" }
  ]
}
- Define all read/write API operations, including the permissions that the rules engine needs to transfer data to the target product.
{
  "Version": "1",
  "Statement": [
    { "Action": "iot:*", "Resource": "*", "Effect": "Allow" },
    { "Action": ["rds:DescribeDBInstances", "rds:DescribeDatabases", "rds:DescribeAccounts", "rds:DescribeDBInstanceNetInfo", "rds:ModifySecurityIps*"], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:ListRoles", "Resource": "*", "Effect": "Allow" },
    { "Action": ["mns:ListTopic", "mns:GetTopicRef"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["ots:ListInstance", "ots:ListTable", "ots:DescribeTable", "ots:GetInstance"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["fc:ListServices", "fc:GetService", "fc:GetFunction", "fc:ListFunctions"], "Resource": "*", "Effect": "Allow" },
    { "Action": ["log:ListShards", "log:ListLogStores", "log:ListProject"], "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "iot.aliyuncs.com" } } },
    { "Action": ["cms:QueryMetricList"], "Resource": "*", "Effect": "Allow" }
  ]
}
- Define resource-level authorization.
Example
- The following code provides an example of a permission policy for querying information about a specific product:
{
  "Statement": [
    {
      "Action": "iot:QueryProduct",
      "Effect": "Allow",
      "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****"
    }
  ],
  "Version": "1"
}
- The following code provides an example of a permission policy for querying information about a specific device:
{
  "Statement": [
    {
      "Action": "iot:QueryDeviceDetail",
      "Effect": "Allow",
      "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****/device/testdevice1"
    }
  ],
  "Version": "1"
}
- The following code provides an example of a permission policy for querying information about a specific rule:
{
  "Statement": [
    {
      "Action": "iot:GetRule",
      "Effect": "Allow",
      "Resource": "acs:iot:$regionid:$accountid:rule/6601****"
    }
  ],
  "Version": "1"
}
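A small policy linter, added here as an example (not code from IoT Platform or RAM), that checks the structure of a policy document like the ones above and lists Allow statements that grant wildcard actions or Resource "*" without any Condition, which are the statements a least-privilege review should look at first. The two embedded policies are constructed copies of the read/write wildcard policy and the product-scoped policy from this page; the $regionid and $accountid placeholders are the page's own.

```python
import json

# Constructed copies of two policies from this page.
FULL_ACCESS = json.loads(
    '{"Version":"1","Statement":[{"Action":"iot:*","Resource":"*","Effect":"Allow"}]}'
)
PRODUCT_SCOPED = json.loads(
    '{"Version":"1","Statement":[{"Action":"iot:QueryProduct","Effect":"Allow",'
    '"Resource":"acs:iot:$regionid:$accountid:product/aleEs48****"}]}'
)


def _as_list(value):
    """Action and Resource may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def validate(policy):
    """Structural checks; returns a list of problems (empty when the policy is well formed)."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in stmt or "Resource" not in stmt:
            problems.append(f"statement {i}: Action and Resource are required")
        for action in _as_list(stmt.get("Action", [])):
            if ":" not in action:
                problems.append(f"statement {i}: action {action!r} lacks a service prefix such as iot:")
    return problems


def broad_grants(policy):
    """Allow statements with wildcard actions or Resource '*' and no Condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if "*" in a]
        wild_resource = "*" in _as_list(stmt.get("Resource", []))
        if wild_actions or wild_resource:
            findings.append({"statement": i, "wildcard_actions": wild_actions,
                             "resource_wildcard": wild_resource})
    return findings


if __name__ == "__main__":
    for name, policy in (("FULL_ACCESS", FULL_ACCESS), ("PRODUCT_SCOPED", PRODUCT_SCOPED)):
        print(name, "problems:", validate(policy), "broad grants:", broad_grants(policy))
```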
Define conditions
RAM permission policies currently support multiple authentication conditions, such as restrictions on the source IP addresses that are allowed, restrictions on access time, whether HTTPS access is required, and whether multi-factor authentication (MFA) is required. All API operations on IoT Platform support these authentication conditions.
- Restriction on source IP addresses
This access control restricts the source IP addresses that can access IoT Platform, and filters IP addresses by using Classless Inter-Domain Routing (CIDR) blocks. Typical scenarios are as follows:
- Specify one IP address or CIDR block. In the following example, only access requests from IP address 10.101.168.111 or CIDR block 10.101.169.111/24 are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "IpAddress": { "acs:SourceIp": ["10.101.168.111", "10.101.169.111/24"] } }
    }
  ],
  "Version": "1"
}
- Specify multiple IP addresses. For example, the following code indicates that only access requests from IP addresses 10.101.168.111 and 10.101.169.111 are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "IpAddress": { "acs:SourceIp": ["10.101.168.111", "10.101.169.111"] } }
    }
  ],
  "Version": "1"
}
- HTTPS-based access control
RAM allows you to specify whether resources must be accessed by requests over HTTPS. For example, the following code indicates that only HTTPS-based access is allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "Bool": { "acs:SecureTransport": "true" } }
    }
  ],
  "Version": "1"
}
- MFA-based access control
This access control allows you to require or not require MFA for access. MFA applies to console logon; an MFA code is not required for API access. For example, the following code indicates that only MFA-based access is allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "Bool": { "acs:MFAPresent": "true" } }
    }
  ],
  "Version": "1"
}
- Time-based access control
This access control allows you to limit the access time of requests. Access requests earlier than the specified time are allowed or rejected based on the access control. In the following example, only access requests earlier than 00:00:00 UTC+8 on January 1, 2019 are allowed.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" } }
    }
  ],
  "Version": "1"
}
Typical scenarios
Based on the definitions of actions, resources, and conditions above, the following typical scenarios show how authorization policies are written:
- The following code provides an example of a permission policy that allows access.
Scenario: Assigns IoT Platform access permissions to IP address 10.101.168.111/24, and only allows HTTPS access before 00:00:00 UTC+8 on January 1, 2019.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": { "acs:SourceIp": ["10.101.168.111/24"] },
        "DateLessThan": { "acs:CurrentTime": "2019-01-01T00:00:00+08:00" },
        "Bool": { "acs:SecureTransport": "true" }
      }
    }
  ],
  "Version": "1"
}
- The following code provides an example of a permission policy that denies access.
Scenario: Denies read requests from IP address 10.101.169.111.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"],
      "Resource": "*",
      "Condition": { "IpAddress": { "acs:SourceIp": ["10.101.169.111"] } }
    }
  ],
  "Version": "1"
}
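To see how the conditions above combine, here is an added example (not RAM's own evaluator) that evaluates a request context against the Allow and Deny policies of the two scenarios. It assumes the usual policy semantics of an explicit Deny overriding any Allow and a default of Deny when no statement matches, and it handles only the IpAddress, Bool and DateLessThan operators from this page, failing closed on anything else; the request contexts in the test are constructed.

```python
import fnmatch
import ipaddress
import json
from datetime import datetime

# Constructed copies of the two scenario policies from this page.
ALLOW_POLICY = json.loads(
    '{"Statement":[{"Effect":"Allow","Action":"iot:*","Resource":"*","Condition":{'
    '"IpAddress":{"acs:SourceIp":["10.101.168.111/24"]},'
    '"DateLessThan":{"acs:CurrentTime":"2019-01-01T00:00:00+08:00"},'
    '"Bool":{"acs:SecureTransport":"true"}}}],"Version":"1"}'
)
DENY_POLICY = json.loads(
    '{"Statement":[{"Effect":"Deny","Action":["iot:Query*","iot:List*","iot:Get*","iot:BatchGet*"],'
    '"Resource":"*","Condition":{"IpAddress":{"acs:SourceIp":["10.101.169.111"]}}}],"Version":"1"}'
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate the operators used on this page; a missing key or unknown operator fails closed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":  # source IP must fall in one of the listed addresses or CIDR blocks
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "DateLessThan":  # both sides are ISO 8601 timestamps with an offset
                if not datetime.fromisoformat(actual) < datetime.fromisoformat(expected):
                    return False
            else:
                return False
    return True


def _matches(stmt, action, resource, ctx):
    """A statement applies when action and resource match one of its patterns and its conditions hold."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins over Allow; no matching statement means Deny (assumed default-deny semantics)."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision
```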
After the permission policy is created, apply it to the RAM users. Authorized RAM users can perform the operations defined in this policy. For more information about how to create RAM users and how to grant permissions, see Use RAM users.