Grant permissions to a RAM user

Last Updated: Jun 15, 2021

You can manage Elastic Container Instance resources with an Alibaba Cloud account or with a Resource Access Management (RAM) user. A newly created RAM user, however, has no permissions on the resources of the Alibaba Cloud account to which it belongs. Before the RAM user can manage Elastic Container Instance resources, you must grant it the required permissions. This topic describes how to do so.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You grant permissions to a RAM user by attaching policies to it. The following policies and permissions are relevant to Elastic Container Instance:

  • AliyunECIReadOnlyAccess

    Grants read-only permissions on Elastic Container Instance resources. This is a system policy and contains the following permissions:

    • eci:Describe*: all Elastic Container Instance API operations whose names start with Describe, which query the attributes of resources

    • eci:List*: all Elastic Container Instance API operations whose names start with List, which enumerate resources

    • ecs:DescribeSecurityGroups: the permissions to query security groups

    • vpc:DescribeVSwitches: the permissions to query vSwitches

    • vpc:DescribeVpcs: the permissions to query virtual private clouds (VPCs)

  • AliyunECIFullAccess

    Grants permissions to manage Elastic Container Instance resources. This is a default system policy and contains the following permissions:

    • eci:*: all permissions on Elastic Container Instance resources, including the permissions to create, modify, and delete them

    • ecs:DescribeSecurityGroups: the permissions to query security groups

    • vpc:DescribeVSwitches: the permissions to query vSwitches

    • vpc:DescribeVpcs: the permissions to query VPCs

    • vpc:DescribeEipAddresses: the permissions to query elastic IP addresses (EIPs)

  • Other permissions required by the Elastic Container Instance console

    When the Elastic Container Instance console renders its pages, it also reads resources of other services. To use the console, a RAM user therefore needs the following permissions in addition to those granted by the AliyunECIFullAccess policy. Neither system policy includes them, so you grant them by using a custom policy, as described in Step 2 of the procedure:

    • ram:ListRoles: the permission to list RAM roles, which the console needs when you assign a RAM role to an instance

    • nas:DescribeFileSystems: the permissions to query Apsara File Storage NAS file systems

    • oss:ListBuckets: the permissions to query Object Storage Service (OSS) buckets

    • vpc:DescribeCommonBandwidthPackages: the permissions to query EIP bandwidth plans

    • cr:GetRepoList: the permissions to query image repositories

    • cr:GetRepoTags: the permissions to query tags of images in a repository

    • cr:GetImageManifest: the permissions to query manifest information about an image

    • cr:SearchRepo: the permissions to search for image repositories

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. If the RAM user needs to use the Elastic Container Instance console, create a custom policy that grants the additional console permissions listed in the Background information section. If the RAM user will only call API operations, skip this step.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Custom Policy page, configure parameters for the custom policy.

      Specify a name for the custom policy, set Configuration Mode to Script, and then copy the following script to the Policy Document code editor:

      {
          "Statement": [
              {
                  "Action": "ram:ListRoles",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "nas:DescribeFileSystems",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "oss:ListBuckets",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "vpc:DescribeCommonBandwidthPackages",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": [
                      "cr:GetRepoList",
                      "cr:GetRepoTags",
                      "cr:GetImageManifest",
                      "cr:SearchRepo"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    4. Click OK.

  3. Grant permissions to the RAM user based on your needs.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user to which to grant permissions and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, configure parameters to attach policies to the RAM user.

      The following describes the parameters.

      • Authorized Scope: the scope in which the attached policies take effect.

        • Alibaba Cloud Account: the permissions take effect on all resources of the current Alibaba Cloud account.

        • Specific Resource Group: the permissions take effect only on resources in the selected resource group. Prefer this option when the RAM user only needs to manage instances in one resource group, because it narrows the grant.

      • Principal: the RAM user to which to grant the permissions. The RAM user that you selected is entered automatically. You can also specify another RAM user.

      • Select Policy: the policies to attach to the RAM user. Select the narrowest option that covers the user's task:

        • To allow the RAM user only to view Elastic Container Instance resources, select the AliyunECIReadOnlyAccess system policy.

        • To allow the RAM user to manage Elastic Container Instance resources by calling API operations, select the AliyunECIFullAccess system policy.

        • To allow the RAM user to manage Elastic Container Instance resources in the Elastic Container Instance console, select the AliyunECIFullAccess system policy and the custom policy that you created in Step 2.

    4. Click OK.

    5. Confirm the authorization scope and the policies and click Complete.
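The custom policy in Step 2 is made up entirely of read-only enumeration actions, and a common mistake when maintaining such a policy is to widen an action to a service-wide wildcard such as oss:*. The following script is an added example, not part of the Alibaba Cloud documentation or of any Alibaba Cloud tool. It parses a RAM policy document before it is attached and checks that every statement is an Allow of a read-only, non-wildcard action from the expected set, and that nothing from the expected set is missing. The allow-list is the set of console permissions listed on this page; the rule that a read-only operation name starts with Describe, List, Get or Search, and the over-broad counter-example, are this example's own assumptions.

```python
"""Least-privilege check of a RAM policy document before it is attached.

Added example; not part of the Alibaba Cloud documentation or of any
Alibaba Cloud tool. The read-only verb rule and the counter-example policy
are assumptions made for illustration.
"""
import json

# Console permissions listed on this page that AliyunECIFullAccess does not include.
CONSOLE_ACTIONS = frozenset({
    "ram:ListRoles",
    "nas:DescribeFileSystems",
    "oss:ListBuckets",
    "vpc:DescribeCommonBandwidthPackages",
    "cr:GetRepoList",
    "cr:GetRepoTags",
    "cr:GetImageManifest",
    "cr:SearchRepo",
})

# Assumption: an operation name with one of these prefixes only reads state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Search")

# The custom policy from Step 2 of the procedure, as written on this page.
CONSOLE_POLICY = """{
    "Statement": [
        {"Action": "ram:ListRoles", "Effect": "Allow", "Resource": "*"},
        {"Action": "nas:DescribeFileSystems", "Effect": "Allow", "Resource": "*"},
        {"Action": "oss:ListBuckets", "Effect": "Allow", "Resource": "*"},
        {"Action": "vpc:DescribeCommonBandwidthPackages", "Effect": "Allow", "Resource": "*"},
        {"Action": ["cr:GetRepoList", "cr:GetRepoTags", "cr:GetImageManifest", "cr:SearchRepo"],
         "Effect": "Allow", "Resource": "*"}
    ],
    "Version": "1"
}"""

# Constructed counter-example: the OSS action widened to a wildcard and a
# write action (cr:DeleteRepo) slipped into the Container Registry statement.
OVERBROAD_POLICY = """{
    "Statement": [
        {"Action": "oss:*", "Effect": "Allow", "Resource": "*"},
        {"Action": ["cr:GetRepoList", "cr:DeleteRepo"], "Effect": "Allow", "Resource": "*"}
    ],
    "Version": "1"
}"""


def _as_list(value):
    """RAM accepts a string or a list for Action and Statement; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def granted_actions(document):
    """Return the set of actions that the Allow statements of the document grant."""
    policy = json.loads(document)
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def lint_policy(document, expected=CONSOLE_ACTIONS):
    """Return a list of findings; an empty list means the policy grants exactly `expected`."""
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "1":
        findings.append(f"Version is {policy.get('Version')!r}, expected '1'")
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {index}: Effect {stmt.get('Effect')!r} is not Allow")
        for action in _as_list(stmt.get("Action")):
            service, sep, operation = action.partition(":")
            if not sep or "*" in action:
                findings.append(f"statement {index}: wildcard or malformed action {action!r}")
                continue
            if not operation.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {index}: {action!r} is not a read-only operation")
            if action not in expected:
                findings.append(f"statement {index}: {action!r} is not in the expected action set")
    missing = sorted(expected - granted_actions(document))
    if missing:
        findings.append("missing expected actions: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for name, document in (("console policy", CONSOLE_POLICY), ("over-broad policy", OVERBROAD_POLICY)):
        problems = lint_policy(document)
        print(f"{name}: {'clean' if not problems else str(len(problems)) + ' finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

Run the script against the policy document you are about to paste into the Policy Document editor; the page's own policy passes, while the constructed variant is reported for the oss:* wildcard, the cr:DeleteRepo write action, and the seven expected actions it no longer grants. The check is deliberately strict about wildcards in actions because the system policies already cover the eci:* grant; a custom console policy has no reason to contain one.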