Elastic Container Instance:Grant permissions to a RAM user

Last Updated:Mar 07, 2024

You can manage Elastic Container Instance resources with an Alibaba Cloud account or with a Resource Access Management (RAM) user. A newly created RAM user has no permissions on the resources of the Alibaba Cloud account, so you must attach the required policies before the RAM user can manage Elastic Container Instance resources. This topic describes how to grant permissions on Elastic Container Instance resources to a RAM user.

Prerequisites

A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

Permission description

You can attach a policy to a RAM user to grant specific permissions to the RAM user. The following policies are related to Elastic Container Instance resources. Each entry gives the policy name followed by its description.

AliyunECIReadOnlyAccess

Grants read-only permissions on Elastic Container Instance resources. This is a default system policy and contains the following permissions:

  • eci:Describe*: the permissions to call all Describe* query operations on Elastic Container Instance resources

  • eci:List*: the permissions to call all List* query operations on Elastic Container Instance resources

  • ecs:DescribeSecurityGroups: the permissions to query security groups

  • vpc:DescribeVSwitches: the permissions to query vSwitches

  • vpc:DescribeVpcs: the permissions to query virtual private clouds (VPCs)

AliyunECIFullAccess

Grants permissions to manage Elastic Container Instance resources. This is a default system policy and contains the following permissions:

  • eci:*: all permissions on Elastic Container Instance resources, including permissions to create, modify, and delete them

  • ecs:DescribeSecurityGroups: the permissions to query security groups

  • vpc:DescribeVSwitches: the permissions to query vSwitches

  • vpc:DescribeVpcs: the permissions to query VPCs

  • vpc:DescribeEipAddresses: the permissions to query elastic IP addresses (EIPs)

Other permissions to perform operations in the Elastic Container Instance console

If you want to perform operations in the Elastic Container Instance console, you must have the following permissions in addition to the permissions granted by the AliyunECIFullAccess policy. All of them are query permissions; the console uses them to populate its selection lists:

  • ram:ListRoles: the permissions to query RAM roles, which the console needs when you assign an instance RAM role

  • nas:DescribeFileSystems: the permissions to query Apsara File Storage NAS file systems

  • oss:ListBuckets: the permissions to query Object Storage Service (OSS) buckets

  • vpc:DescribeCommonBandwidthPackages: the permissions to query EIP bandwidth plans

  • cr:GetRepoList: the permissions to query image repositories

  • cr:GetRepoTags: the permissions to query tags of images in a repository

  • cr:GetImageManifest: the permissions to query manifest information about an image

  • cr:SearchRepo: the permissions to search for image repositories

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Create a custom policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. Click the JSON tab, copy the following policy document to the code editor, and then click Next to edit policy information.

      {
          "Statement": [
              {
                  "Action": "ram:ListRoles",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "nas:DescribeFileSystems",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "oss:ListBuckets",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "vpc:DescribeCommonBandwidthPackages",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": [
                      "cr:GetRepoList",
                      "cr:GetRepoTags",
                      "cr:GetImageManifest",
                      "cr:SearchRepo"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    4. Enter a policy name in the Name field and click OK.

  3. Grant permissions to the RAM user based on your needs.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, configure parameters to attach policies to the RAM user.

      The following table describes the parameters.

      Parameter

      Description

      Authorized Scope

      The authorization scope.

      • Alibaba Cloud Account: Permissions take effect on the current Alibaba Cloud account.

      • Specific Resource Group: Permissions take effect on a specific resource group.

      Principal

      The RAM user to which you want to grant permissions. The selected RAM user is automatically entered in the Principal field. You can also specify another RAM user.

      Select Policy

      The policies that you want to attach to the RAM user. Select policies that fit your needs.

      • If you want the RAM user only to view Elastic Container Instance resources, select the AliyunECIReadOnlyAccess system policy.

      • If you want the RAM user to manage Elastic Container Instance resources by calling API operations, select the AliyunECIFullAccess system policy.

      • If you want the RAM user to manage Elastic Container Instance resources by using the Elastic Container Instance console, select the AliyunECIFullAccess system policy and the custom policy that you created in Step 2.

    4. Click OK.

    5. Confirm the authorization scope and the policies and click Complete.
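The custom policy in Step 2 is pasted by hand, and what is attached in Step 3 is whatever ended up in the editor, so it is worth generating and checking the document rather than eyeballing it. The following script is an added example, not code from the original page or from Alibaba Cloud: it builds the console policy from the page's action list (one statement per service, equivalent to the page's JSON), confirms that the page's own document grants exactly those actions, and lints a policy document before it is attached, flagging any statement that is broader than the read-only access the console needs. The function names and the read-only prefix heuristic are this example's own assumptions, not RAM rules.

```python
"""Added example (not from the original page or from Alibaba Cloud): build
the custom console policy from the page's action list and lint a policy
document before it is attached to a RAM user."""
import json

# Permissions the page lists as needed by the ECI console in addition to
# AliyunECIFullAccess. Taken from the page, not invented.
CONSOLE_ACTIONS = (
    "ram:ListRoles",
    "nas:DescribeFileSystems",
    "oss:ListBuckets",
    "vpc:DescribeCommonBandwidthPackages",
    "cr:GetRepoList",
    "cr:GetRepoTags",
    "cr:GetImageManifest",
    "cr:SearchRepo",
)

# The page's own policy document, embedded so the example runs offline.
PAGE_POLICY_JSON = """
{"Statement": [
  {"Action": "ram:ListRoles", "Effect": "Allow", "Resource": "*"},
  {"Action": "nas:DescribeFileSystems", "Effect": "Allow", "Resource": "*"},
  {"Action": "oss:ListBuckets", "Effect": "Allow", "Resource": "*"},
  {"Action": "vpc:DescribeCommonBandwidthPackages", "Effect": "Allow", "Resource": "*"},
  {"Action": ["cr:GetRepoList", "cr:GetRepoTags", "cr:GetImageManifest", "cr:SearchRepo"],
   "Effect": "Allow", "Resource": "*"}],
 "Version": "1"}
"""

# Operation-name prefixes this example treats as read-only. This is the
# example's own heuristic, not a RAM rule: any action whose operation name
# does not start with one of these is flagged for review.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Search")


def build_policy(actions=CONSOLE_ACTIONS):
    """Return a policy document equivalent to the page's JSON, with one
    Allow statement per service so it is shorter and easier to review."""
    by_service = {}
    for action in actions:
        service = action.partition(":")[0]
        by_service.setdefault(service, []).append(action)
    statements = [
        {"Action": sorted(acts), "Effect": "Allow", "Resource": "*"}
        for _, acts in sorted(by_service.items())
    ]
    return {"Statement": statements, "Version": "1"}


def _actions(statement):
    """RAM accepts "Action" as a string or a list; normalise to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def actions_in(policy):
    """Every action name that appears in a policy document."""
    return {a for s in policy.get("Statement", []) for a in _actions(s)}


def missing_console_actions(policy):
    """Console actions from the page that the policy does not grant."""
    return sorted(set(CONSOLE_ACTIONS) - actions_in(policy))


def lint_policy(policy):
    """Return findings for anything broader than the read-only access the
    console needs: a non-Allow effect, a wildcard action such as "*" or
    "eci:*", or an action that is not a query operation."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is {stmt.get('Effect')!r}")
        for action in _actions(stmt):
            service, _, op = action.partition(":")
            if "*" in service or op in ("", "*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not op.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: non-read-only action {action!r}")
    return findings


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=4))  # paste this into the JSON tab in Step 2
    print("findings:", lint_policy(policy))
    print("missing:", missing_console_actions(json.loads(PAGE_POLICY_JSON)))
```

Run the script and paste its output into the JSON tab in Step 2; run `lint_policy` over any document you are about to attach in Step 3. The lint is deliberately conservative: it flags `eci:*` (which AliyunECIFullAccess already grants and a console helper policy should not duplicate) and any write operation, so a finding means "look again", not necessarily "wrong".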

References

If you want finer-grained control over what RAM users can do with Elastic Container Instance resources, you can use resource groups and tags to restrict the resources that each RAM user or group of users can access. For more information, see: