By default, you can use an Alibaba Cloud account or a Resource Access Management (RAM) user to manage Elastic Container Instance resources. However, when a RAM user is created for an Alibaba Cloud account, the RAM user does not have permissions to manage the resources within the Alibaba Cloud account. You must grant the required permissions to the RAM user before you can manage Elastic Container Instance resources as the RAM user. This topic describes how to grant permissions on Elastic Container Instance resources to a RAM user.
Prerequisites
A RAM user is created. For information about how to create a RAM user, see Create a RAM user.
Permission description
You can attach a policy to a RAM user to grant specific permissions to the RAM user. The following table describes the permission policies that are related to Elastic Container Instance resources:
Permission policy | Description |
AliyunECIReadOnlyAccess | Grants read-only permissions on Elastic Container Instance resources. This is a default system policy and contains the following permissions:
|
AliyunECIFullAccess | Grants permissions to manage Elastic Container Instance resources. This is a default system policy and contains the following permissions:
|
Other permissions to perform operations in the Elastic Container Instance console | If you want to perform operations in the Elastic Container Instance console, you must have the following permissions in addition to the default permissions granted by the AliyunECIFullAccess policy:
|
Procedure
Log on to the RAM console by using your Alibaba Cloud account.
Create a custom policy.
In the left-side navigation pane, choose
On the Policies page, click Create Policy.
Click the JSON tab, copy the following script to the code editor, and then click Next to edit policy information.
{
    "Statement": [
        {
            "Action": "ram:ListRoles",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "nas:DescribeFileSystems",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "oss:ListBuckets",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "vpc:DescribeCommonBandwidthPackages",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cr:GetRepoList",
                "cr:GetRepoTags",
                "cr:GetImageManifest",
                "cr:SearchRepo"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
Enter a policy name in the Name field and click OK.
Grant permissions to the RAM user based on your needs.
In the left-side navigation pane, choose
Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, configure parameters to attach policies to the RAM user.
The following table describes the parameters.
Parameter | Description |
Authorized Scope | The authorization scope. Alibaba Cloud Account: Permissions take effect on the current Alibaba Cloud account. Specific Resource Group: Permissions take effect on a specific resource group. |
Principal | The RAM user to which you want to grant permissions. The selected RAM user is automatically entered in the Principal field. You can also specify another RAM user. |
Select Policy | The policies that you want to attach to the RAM user. Select policies that fit your needs. If you want the RAM user only to view Elastic Container Instance resources, select the AliyunECIReadOnlyAccess system policy. If you want the RAM user to manage Elastic Container Instance resources by calling API operations, select the AliyunECIFullAccess system policy. If you want the RAM user to manage Elastic Container Instance resources by using the Elastic Container Instance console, select the AliyunECIFullAccess system policy and the custom policy that you created in Step 2. |
Click OK.
Confirm the authorization scope and the policies and click Complete.
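A pre-attachment check for the custom policy created in Step 2, as an added example that is not part of the original documentation: it parses a RAM policy document and lists every Allow grant that is a wildcard or is not plainly read-only. The read-only prefix list and the function names are assumptions of this example, not an Alibaba Cloud classification.

```python
import json

# Verb prefixes treated as read-only. This list is a heuristic chosen for this
# example (an assumption), not an Alibaba Cloud classification.
READ_PREFIXES = ("List", "Describe", "Get", "Search")

# The custom policy from Step 2 of the procedure, copied from this page.
CONSOLE_POLICY = """
{"Statement": [
  {"Action": "ram:ListRoles", "Effect": "Allow", "Resource": "*"},
  {"Action": "nas:DescribeFileSystems", "Effect": "Allow", "Resource": "*"},
  {"Action": "oss:ListBuckets", "Effect": "Allow", "Resource": "*"},
  {"Action": "vpc:DescribeCommonBandwidthPackages", "Effect": "Allow", "Resource": "*"},
  {"Action": ["cr:GetRepoList", "cr:GetRepoTags", "cr:GetImageManifest",
              "cr:SearchRepo"], "Effect": "Allow", "Resource": "*"}
], "Version": "1"}
"""

def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(document):
    """Return (action, reason) pairs for Allow grants that need a manual review."""
    findings = []
    for stmt in json.loads(document)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append(("NotAction", "allows everything except the listed actions"))
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]  # text after the "service:" prefix
            if "*" in action:
                findings.append((action, "wildcard action"))
            elif not verb.startswith(READ_PREFIXES):
                scope = "on every resource" if any_resource else "on scoped resources"
                findings.append((action, "write-capable action " + scope))
    return findings

if __name__ == "__main__":
    for action, reason in audit_policy(CONSOLE_POLICY):
        print(f"REVIEW {action}: {reason}")
    print("audit complete")
```

The policy from this page yields no findings, because every action it grants is a List, Describe, Get or Search call; a statement that adds a mutating or wildcard action alongside `"Resource": "*"` is reported for review.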
References
If you want to control the permissions of RAM users on Elastic Container Instance resources, you can use resource groups and tags to manage the RAM users by group and by permission. For more information, see: