
Use RAM to control resource access

Last Updated: Apr 03, 2018

Resource Access Management (RAM) is a cloud service that helps you manage user accounts and control access to resources. With RAM, you can control which operations a user account can perform on specific resource stacks, and so control and manage access to your stacks.

For more information about RAM, see the RAM user guide.

How to use RAM to control resource access

  1. Log on to the Alibaba Cloud RAM console with your main Alibaba Cloud account.

  2. Click Settings from the left-side navigation pane. Set the enterprise alias, password strength, and security settings for the user account. If you have any questions about the settings, see Set up RAM.

  3. Click Users from the left-side navigation pane to create users and set logon passwords and AccessKeys for the created users. For more information, see Create RAM users.

  4. Click Policies from the left-side navigation pane to create authorization policies (you can do this in advance). For more information, see Create a custom policy.

    For policy reference, see Elements and Syntax.

    The following sections list the operation names, their descriptions, and examples of custom authorization policies. Use this information to build the Action and Resource elements of an authorization policy: Action names the operation being authorized, and Resource names the resource stack on which it may be performed.

    ROS operations

    Operation                          Description
    ros:DescribeStacks                 View the resource stack list.
    ros:CreateStack                    Create resource stacks.
    ros:DeleteStack                    Delete resource stacks.
    ros:UpdateStack                    Update resource stacks.
    ros:CancelUpdateStack              Cancel a resource stack update.
    ros:AbandonStack                   Discard resource stacks.
    ros:ValidateTemplate               Validate templates.
    ros:DescribeStackDetail            View resource stack details.
    ros:DescribeStackResources         View the resource list of a stack.
    ros:DescribeStackResourceDetail    View resource details.
    ros:DescribeStackEvents            View the event list.
    ros:DescribeStackTemplate          View template contents.

    ROS resource descriptor

    In a RAM authorization policy, a resource stack is described in the following form. An asterisk (*) is a wildcard that stands for all values of a segment, so it can be used to represent all resources.

    acs:ros:{region_id}:{owner_id}:stack/{stack_name}/{stack_id}

    Example

    acs:ros:cn-beijing:*:stack/myStack/94dd5431-2df6-4415-81ca-732a7082252a

    Example: A policy that grants permission to view resource stacks

    {
      "Statement": [
        {
          "Action": [
            "ros:DescribeStacks",
            "ros:DescribeStackDetail"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:*:stack/*"
        }
      ],
      "Version": "1"
    }

    The policy grants permission to view the resource stack list and resource stack details in the cn-beijing region. In the policy, the asterisk (*) is a wildcard, which indicates all the resource stacks in the cn-beijing region.

    Example: A policy that grants permission to create and view resource stacks

    {
      "Statement": [
        {
          "Action": [
            "ros:CreateStack",
            "ros:DescribeStacks",
            "ros:DescribeStackDetail",
            "ros:ValidateTemplate"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

    With this policy, users are authorized to create, validate, and view resource stacks in all regions, because the Resource element is the wildcard "*".

    Example: A policy that grants a specified user permission to update specific resource stacks

    {
      "Statement": [
        {
          "Action": [
            "ros:UpdateStack"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:123456789:stack/myStack/94dd5431-2df6-4415-81ca-732a7082252a"
        }
      ],
      "Version": "1"
    }

    The policy authorizes the user to update only the resource stack named “myStack” with the ID “94dd5431-2df6-4415-81ca-732a7082252a” in the cn-beijing region of account 123456789 (the {owner_id} segment of the resource descriptor). No other stack, action, or region is covered.

  5. In the Users or Groups list, find the user or group and attach the policy to authorize them.
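To check how the Action and Resource elements above scope a grant before attaching a policy, the following added example (not Alibaba Cloud's code) evaluates a request against a policy in the shape shown on this page. It assumes the usual RAM matching rules: default deny, "*" in Action or Resource matches any run of characters, and an explicit Deny statement overrides an Allow; the Deny rule is an assumption, since the page shows Allow statements only.

```python
import re

# Constructed sample policies, in the shape of the examples above.
VIEW_BEIJING = {
    "Statement": [{
        "Action": ["ros:DescribeStacks", "ros:DescribeStackDetail"],
        "Effect": "Allow",
        "Resource": "acs:ros:cn-beijing:*:stack/*",
    }],
    "Version": "1",
}
UPDATE_ONE_STACK = {
    "Statement": [{
        "Action": ["ros:UpdateStack"],
        "Effect": "Allow",
        "Resource": "acs:ros:cn-beijing:123456789:stack/myStack/94dd5431-2df6-4415-81ca-732a7082252a",
    }],
    "Version": "1",
}

def stack_descriptor(region_id, owner_id, stack_name, stack_id):
    """Build the ROS descriptor acs:ros:{region_id}:{owner_id}:stack/{stack_name}/{stack_id}."""
    return f"acs:ros:{region_id}:{owner_id}:stack/{stack_name}/{stack_id}"

def _pattern(spec):
    """Turn an Action or Resource string into a regex; '*' matches any run of characters."""
    return re.compile("^" + ".*".join(map(re.escape, spec.split("*"))) + "$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Default deny: an Allow statement must match both Action and Resource.
    A matching Deny statement wins over any Allow (assumed RAM semantics)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_pattern(a).match(action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_pattern(r).match(resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    bj = stack_descriptor("cn-beijing", "123456789", "myStack", "94dd5431-2df6-4415-81ca-732a7082252a")
    print(is_allowed(VIEW_BEIJING, "ros:DescribeStacks", bj))  # True
    print(is_allowed(VIEW_BEIJING, "ros:DeleteStack", bj))     # False: action not granted
```

Running the same checks against a stack in cn-hangzhou, or with a different {owner_id}, shows that the region and account segments of the descriptor narrow the grant just as the stack name does.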