This topic describes how to grant a Resource Access Management (RAM) role to Realtime Compute in exclusive mode.

Procedure of automatically granting a RAM role

  1. Click Authorize to go to the authorization page.
    Note This prompt appears only when the default RAM role has not been properly granted to the service account of Realtime Compute in exclusive mode.
  2. Select AliyunStreamDefaultRole and click Authorize to grant the default RAM role to Realtime Compute.
Note After the RAM role is granted, refresh the page in the Realtime Compute console. Then, you can perform service operations.

Check the current policy of the RAM role

  1. Log on to the RAM console.
  2. Click RAM Roles in the left-side navigation pane. On the page that appears, click AliyunStreamDefaultRole in the RAM Role Name column.
  3. On the AliyunStreamDefaultRole page, click AliyunStreamRolePolicy on the Permissions tab.
  4. On the Policy Document tab, you can check the current policy, which contains the following information:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ots:List*",
            "ots:DescribeTable",
            "ots:Get*",
            "ots:*Row"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dhs:Create*",
            "dhs:List*",
            "dhs:Get*",
            "dhs:PutRecords",
            "dhs:DeleteTopic"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*",
            "log:Get*",
            "log:Post*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "mns:List*",
            "mns:Get*",
            "mns:Send*",
            "mns:Publish*",
            "mns:Subscribe"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "drds:DescribeDrdsInstance",
            "drds:ModifyDrdsIpWhiteList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "rds:Describe*",
            "rds:ModifySecurityIps*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:AttachNetworkInterface",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:CreateNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "oss:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Add a policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, set the Policy Name and Note parameters.
  5. Under Configuration Mode, select Visualized or Script.
    • If you select Visualized, click Add Statement. On the page that appears, configure the permission effect, actions, and resources.
    • If you select Script, edit the policy script according to Policy structure and grammar.
  6. In the code box under Policy Document, enter the following code and click OK:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:AttachNetworkInterface",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:CreateNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    Note You can delete the following permissions after the cluster is created:
    • ecs:CreateSecurityGroup
    • ecs:AuthorizeSecurityGroup
  7. Click RAM Roles in the left-side navigation pane. On the page that appears, click Add Permissions in the Actions column for AliyunStreamDefaultRole.
  8. In the Add Permissions dialog box that appears, select System Policy from the drop-down list in the Select Policy section, and enter AliyunOSSFullAccess in the search box on the right.
  9. Click AliyunOSSFullAccess in the Policy Name column.
  10. Select Custom Policy from the drop-down list in the Select Policy section.
  11. Enter AliyunStreamDefaultRole in the search box on the right.
  12. Click AliyunStreamDefaultRole in the Policy Name column.
  13. Click OK.
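As an added example that is not part of this documentation, the following Python script loads a constructed excerpt of the AliyunStreamRolePolicy document shown above, evaluates which API actions it allows, flags statements that grant a whole service on every resource (such as oss:* on *), and produces the tightened policy described in the note under step 6 by dropping ecs:CreateSecurityGroup and ecs:AuthorizeSecurityGroup. It assumes RAM action patterns match as case-insensitive globs and that the policy contains no Deny statements.

```python
import fnmatch
import json

# Constructed excerpt of the AliyunStreamRolePolicy document shown above
# (three of its statements); the real document has more statements.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["ots:List*", "ots:DescribeTable", "ots:Get*", "ots:*Row"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
                "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "oss:*", "Resource": "*", "Effect": "Allow"}
  ]
}""")

# Creation-time actions the page says can be removed once the cluster exists.
POST_CREATION_ONLY = {"ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup"}

def _as_list(value):
    # RAM accepts either one string or a list for "Action" and "Resource".
    return [value] if isinstance(value, str) else list(value)

def is_allowed(policy, action):
    # Assumption: RAM action patterns are case-insensitive globs where '*'
    # matches any run of characters, so fnmatchcase on lower-cased strings
    # reproduces the match. Also assumes no Deny statements (true here).
    return any(
        fnmatch.fnmatchcase(action.lower(), pat.lower())
        for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
        for pat in _as_list(stmt["Action"])
    )

def broad_statements(policy):
    # (index, pattern) for grants of a whole service ("svc:*") on every
    # resource ("*"): the first candidates to scope down.
    return [(i, pat) for i, stmt in enumerate(policy["Statement"])
            if "*" in _as_list(stmt.get("Resource", []))
            for pat in _as_list(stmt["Action"]) if pat.endswith(":*")]

def tighten_after_cluster_creation(policy):
    # Copy of the policy without the creation-time ECS actions; statements
    # left with no actions are dropped. The input policy is not modified.
    statements = []
    for stmt in policy["Statement"]:
        keep = [a for a in _as_list(stmt["Action"]) if a not in POST_CREATION_ONLY]
        if keep:
            statements.append({**stmt, "Action": keep})
    return {"Version": policy["Version"], "Statement": statements}
```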