Resource Access Management (RAM) is a service provided by Alibaba Cloud for managing user identities and resource access permissions. You can use RAM to create and manage RAM users and grant resource permissions to the RAM users. RAM is applicable to scenarios where multiple users in an enterprise need to collaboratively manage cloud resources. RAM allows you to grant users the minimal required permissions and keep your Alibaba Cloud account and password confidential, which helps you minimize security risks.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Alibaba Cloud official website.

Background information

You can use RAM to manage the operations that RAM users can perform on ROS or on resources within specified stacks.

Notice: We recommend that you do not use the acs:SourceIp or acs:SecureTransport conditions in policies for the dependent services that a template provisions.
  • In scenarios where Security Token Service (STS) is used, ROS provisions resources by using its own IP address instead of the IP address of the originating request. For example, when you create a stack, ROS makes requests from its IP address to start an ECS instance, not from the IP address obtained from the CreateStack call.
  • In other scenarios, ROS passes through the SourceIp and SSL information of the originating request. Supported services include Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB for RDS, ApsaraDB for Redis, Alibaba Cloud DNS PrivateZone (pvtz), Container Service, Function Compute, Object Storage Service (OSS), Log Service, API Gateway, and ActionTrail.
The acs:SourceIp and acs:SecureTransport conditions can be used in policies that authorize ROS operations themselves.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, click Settings.
    You can set security policies for RAM users. For more information, see Set security policies for RAM users.
  3. In the left-side navigation pane, click Users. On the Users page, click Create User. On the Create User page, configure the logon password and AccessKey pair for the RAM user.
    For more information, see Create a RAM user.
  4. Create authorization policies to define the permissions of the RAM user on stacks.

    For more information, see Create a custom policy.

    For more information about policy languages, see Policy elements and Policy structure and syntax.

    The following operations, descriptions, and examples can be used when you create authorization policies.

    The following table describes the operations that can be used to configure the Action and Resource elements in authorization policies. The Action element indicates the specific API operation to be authorized. The Resource element indicates the resource on which the operation is performed.

    • ROS operations
      Operation                         Description
      ros:DescribeStacks                Queries the list of stacks.
      ros:CreateStack                   Creates a stack.
      ros:DeleteStack                   Deletes a stack.
      ros:UpdateStack                   Updates a stack.
      ros:CancelUpdateStack             Cancels a stack update.
      ros:AbandonStack                  Abandons a stack.
      ros:ValidateTemplate              Validates a template.
      ros:DescribeStackDetail           Queries the details of a stack.
      ros:DescribeStackResources        Queries the list of stack resources.
      ros:DescribeStackResourceDetail   Queries the details of a resource.
      ros:DescribeStackEvents           Queries the list of stack events.
      ros:DescribeStackTemplate         Queries the template content of a stack.
      ros:SetDeletionProtection         Enables or disables deletion protection.
    • ROS resource descriptor
      You can describe a stack in the Resource element of a RAM authorization policy by using the following format. Each placeholder can be replaced with an asterisk (*) as a wildcard to indicate all values, for example all owners or all stacks within a region:
      acs:ros:{region_id}:{owner_id}:stack/{stack_name}/{stack_id}
      Example:
      acs:ros:cn-beijing:*:stack/myStack/94dd5431-2df6-4415-81ca-732a7082****
      • Example: a policy that grants permissions to view stacks
        {
          "Statement": [
            {
              "Action": [
                "ros:DescribeStacks",
                "ros:DescribeStackDetail"
              ],
              "Effect": "Allow",
              "Resource": "acs:ros:cn-beijing:*:stack/*"
            }
          ],
          "Version": "1"
        }

        This policy grants permissions to view the list of stacks and details of each stack in the China (Beijing) region. The asterisk (*) is a wildcard that indicates all stacks in the China (Beijing) region.

      • Example: a policy that grants permissions to create and view stacks
        {
          "Statement": [
            {
              "Action": [
                "ros:CreateStack",
                "ros:DescribeStacks",
                "ros:DescribeStackDetail",
                "ros:ValidateTemplate"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "1"
        }

        This policy grants users the permissions to create and view stacks in all regions.

      • Example: a policy that grants a user the permissions to update a specified stack
        {
          "Statement": [
            {
              "Action": [
                "ros:UpdateStack"
              ],
              "Effect": "Allow",
              "Resource": "acs:ros:cn-beijing:12345****:stack/myStack/94dd5431-2df6-4415-81ca-732a7082****"
            }
          ],
          "Version": "1"
        }

        The policy grants the user the permissions to update the myStack stack whose owner ID is 12345**** and whose stack ID is 94dd5431-2df6-4415-81ca-732a7082****. No other stack, region, or operation is covered.
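        The following Python script is an added example, not part of the Alibaba Cloud documentation or of RAM itself. It parses the stack resource descriptor format shown above, evaluates the three policies from this page against constructed requests with the usual RAM semantics (default deny, wildcard matching on Action and Resource, an explicit Deny overriding Allow), and goes one step beyond the page by also evaluating a Condition block with the acs:SourceIp and acs:SecureTransport keys mentioned in the notice above. The condition-bearing policy, the request targets, and the request contexts are constructed for the example. Note that the masked IDs on this page (12345****, 94dd5431-...-732a7082****) contain asterisks, which any wildcard matcher treats as wildcards; a real policy must carry the full owner and stack IDs, or it will match more resources than intended.

```python
import ipaddress
import re

# Resource descriptor format given on the page:
#   acs:ros:{region_id}:{owner_id}:stack/{stack_name}/{stack_id}
STACK_RESOURCE_RE = re.compile(
    r"^acs:ros:(?P<region_id>[^:]+):(?P<owner_id>[^:]+)"
    r":stack/(?P<stack_name>[^/]+)/(?P<stack_id>[^/]+)$"
)


def parse_stack_resource(resource):
    """Split a concrete stack descriptor into its parts; None if it is malformed."""
    match = STACK_RESOURCE_RE.match(resource)
    return match.groupdict() if match else None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """'*' matches any run of characters, ':' and '/' included; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition, context):
    """Evaluate a Condition block. Only the two keys the page discusses are modelled
    (IpAddress/acs:SourceIp and Bool/acs:SecureTransport); anything else fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress" and key == "acs:SourceIp":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected)):
                    return False
            elif operator == "Bool" and key == "acs:SecureTransport":
                if str(actual).lower() not in [str(v).lower() for v in _as_list(expected)]:
                    return False
            else:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; a matching Deny statement overrides any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The three policies from the page, verbatim.
VIEW_BEIJING = {"Statement": [{"Action": ["ros:DescribeStacks", "ros:DescribeStackDetail"],
                               "Effect": "Allow", "Resource": "acs:ros:cn-beijing:*:stack/*"}],
                "Version": "1"}
CREATE_ANYWHERE = {"Statement": [{"Action": ["ros:CreateStack", "ros:DescribeStacks",
                                             "ros:DescribeStackDetail", "ros:ValidateTemplate"],
                                  "Effect": "Allow", "Resource": "*"}], "Version": "1"}
UPDATE_ONE_STACK = {"Statement": [{"Action": ["ros:UpdateStack"], "Effect": "Allow",
                                   "Resource": "acs:ros:cn-beijing:12345****:stack/myStack/"
                                               "94dd5431-2df6-4415-81ca-732a7082****"}],
                    "Version": "1"}
# Constructed for this example: the view policy restricted to one private range over TLS.
VIEW_BEIJING_FROM_OFFICE = {"Statement": [{
    "Action": ["ros:DescribeStacks", "ros:DescribeStackDetail"], "Effect": "Allow",
    "Resource": "acs:ros:cn-beijing:*:stack/*",
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]},
                  "Bool": {"acs:SecureTransport": "true"}}}], "Version": "1"}

# Constructed request targets; the first reuses the page's masked placeholder IDs.
BEIJING_STACK = "acs:ros:cn-beijing:12345****:stack/myStack/94dd5431-2df6-4415-81ca-732a7082****"
OTHER_BEIJING_STACK = "acs:ros:cn-beijing:12345****:stack/otherStack/11111111-2222-3333-4444-555555555555"
HANGZHOU_STACK = "acs:ros:cn-hangzhou:12345****:stack/myStack/11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    print(parse_stack_resource(BEIJING_STACK))
    print(is_allowed(VIEW_BEIJING, "ros:DescribeStacks", HANGZHOU_STACK))
    print(is_allowed(VIEW_BEIJING_FROM_OFFICE, "ros:DescribeStacks", BEIJING_STACK,
                     {"acs:SourceIp": "198.51.100.7", "acs:SecureTransport": True}))
```

        Running the script shows the region scoping of the first policy (a Hangzhou stack is denied), the unrestricted scope of the "Resource": "*" policy, and that a request failing the source-IP condition is denied even though its Action and Resource match. The evaluator fails closed on unknown condition operators and on missing context keys, which is the behaviour to want when a policy is copied between services that do and do not pass through the originating request's IP address.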

  5. On the Users or Groups page, find the target RAM users or groups and grant them permissions.