Use RAM to control resource access

Resource Access Management (RAM) is a cloud service that helps you manage user accounts and control resources access. With RAM, you can control what resource operations a user account can perform to specific resource stacks. In this way, you can control and manage your resource access in stacks.

For more information about RAM, see RAM user guide.

How to use RAM to control resource access

1. Log on to the Alibaba Cloud RAM console with your main Alibaba Cloud account.

2. Click Settings from the left-side navigation pane. Set the enterprise alias, password strength, and security settings for the user account. If you have any question about the settings, see Set up RAM.

3. Click Users from the left-side navigation pane to create users and set logon passwords and AccessKeys for the created users. For more information, see Create RAM users.

4. Click Policies from the left-side navigation pane to create authorization policies (you can do this in advance). For more information, see Create a custom policy.

   For policy reference, see Elements and Syntax.
   In the following, we provide the operation names, descriptions, and examples for custom authorization policies. You can use the following information to build the content of Action and Resource in authorization policies. Action indicates the operation to be authorized, and Resource indicates the resource stack to be operated.
   ROS operations

   Operation	Description
   ros:DescribeStacks	View the stack resource list.
   ros:CreateStack	Create resource stacks.
   ros:DeleteStack	Delete resource stacks.
   ros:UpdateStack	Update resource stacks.
   ros:CancelUpdateStack	Cancel the resource stack update.
   ros:AbandonStack	Discard resource stacks.
   ros:ValidateTemplate	Validate templates.
   ros:DescribeStackDetail	View resource stack details.
   ros:DescribeStackResources	View the resource list.
   ros:DescribeStackResourceDetail	View resource details.
   ros:DescribeStackEvents	View the event list.
   ros:DescribeStackTemplate	View template contents.

   ROS resource descriptor

   In RAM authorization policy, you can describe the operation in the following way, and use an asterisk (*) as a variable to represent all the resources.

   acs:ros:{region_id}:{owner_id}:stack/{stack_name}/{stack_id}

   Example

   acs:ros:cn-beijing:*:stack/myStack/94dd5431-2df6-4415-81ca-732a7082252a

   Example: A policy that grants permission to view resource stacks

   {
   "Statement": [
    {
      "Action": [
        "ros:DescribeStacks",
        "ros:DescribeStackDetail"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:*:stack/*"
    }
   ],
   "Version": "1"
   }

   The policy grants permission to view the resource stack list and resource stack details in the cn-beijing region. In the policy, the asterisk (*) is a wildcard, which indicates all the resource stacks in the cn-beijing region.

   Example: A policy that grants permission to create and view resource stacks

   {
   "Statement": [
    {
      "Action": [
        "ros:CreateStack",
        "ros:DescribeStacks",
        "ros:DescribeStackDetail",
        "ros:ValidateTemplate"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
   ],
   "Version": "1"
   }

   With this policy, users are authorized to create and view resource stacks in all regions.

   Example: A policy that grants a specified user permission to update specific resource stacks

   {
   "Statement": [
    {
      "Action": [
        "ros:UpdateStack"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:123456789:stack/myStack/94dd5431-2df6-4415-81ca-732a7082252a"
    }
   ],
   "Version": "1"
   }

   The policy authorizes the user (ID: 12456789) to update the resource stack titled “myStack” with the ID “94dd5431-2df6-4415-81ca-732a7082252a”.

5. In the Users or Groups lists, find the user or group and authorize them.