You can authorize a RAM user or a RAM role to use Alibaba Cloud Service Mesh (ASM) by granting the RAM user or RAM role only the permissions it needs. Only authorized RAM users and RAM roles can perform operations such as creating ASM instances and updating ASM configurations in the ASM console. This way, the password of the Alibaba Cloud account does not need to be shared, which removes the security risk that its leakage would cause. This topic describes how to grant permissions to a RAM user and a RAM role.

Prerequisites

Background information

The permissions that RAM users and RAM roles require vary by scenario.

Attach system policies to RAM users and RAM roles

By default, ASM creates two system policies: AliyunASMReadOnlyAccess and AliyunASMFullAccess. You can attach the policies to RAM users and RAM roles. The following part describes the two system policies:
  • AliyunASMReadOnlyAccess

    The policy contains only read-only permissions on ASM instances. After you attach the policy to a RAM user, the RAM user can only view the information about ASM instances but cannot modify the configurations of ASM instances.

  • AliyunASMFullAccess

    The policy contains all permissions on ASM instances. After you attach the policy to a RAM user, the RAM user has the same permissions on ASM instances as an Alibaba Cloud account and can perform all operations on ASM instances.

The following part describes how to attach a system policy to a RAM user or RAM role. In the following example, the AliyunASMReadOnlyAccess policy is attached to a RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
    Note To attach a policy to a RAM role, choose Identities > Roles in the left-side navigation pane.
  3. On the Users page, find the RAM user to which you want to attach a policy and click Add Permissions in the Actions column.
    Note To grant permissions to a RAM role, find the RAM role on the Roles page and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, attach a policy to the RAM user.
    1. Specify the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on all resources of the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you want to select Specific Resource Group, make sure that ASM supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify a principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Click System Policy in the Select Policy section, enter AliyunASMReadOnlyAccess in the field, and then click AliyunASMReadOnlyAccess in the Authorization Policy Name column.
    4. Click OK.
  5. Click Complete.

Attach custom policies to RAM users and RAM roles

If you want to enforce fine-grained control over permissions, you can create custom policies and attach them to RAM users and RAM roles.

  1. Log on to the RAM console by using your Alibaba Cloud account or as an authorized RAM user.
  2. Create a policy that is used to grant permissions on ASM instances.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Policy page, click the JSON tab. In the code editor, write your policy and click Next Step.
      You can modify the Action field in the Statement block to enable fine-grained authorization for API operations. In this example, a policy with limited permissions is created. The policy grants all permissions on ASM except role-based access control (RBAC) authorization permissions. A RAM user to which the policy is attached cannot grant RBAC permissions to other users but has all other permissions.
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "servicemesh:Add*",
                      "servicemesh:CRBatchDeletion",
                      "servicemesh:Create*",
                      "servicemesh:Delete*",
                      "servicemesh:Describe*",
                      "servicemesh:Enable*",
                      "servicemesh:Disable*",
                      "servicemesh:Get*",
                      "servicemesh:InvokeApiServer",
                      "servicemesh:List*",
                      "servicemesh:Modify*",
                      "servicemesh:Re*",
                      "servicemesh:Run*",
                      "servicemesh:Set*",
                      "servicemesh:Sync*",
                      "servicemesh:Update*",
                      "servicemesh:Upgrade*"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "log:ListLogStores",
                      "log:ListDashboard",
                      "log:GetDashboard",
                      "log:ListSavedSearch",
                      "log:ListProject"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "log:GetLogStoreLogs",
                  "Resource": "acs:log:*:*:project/*/logstore/audit-*"
              },
              {
                  "Effect": "Allow",
                  "Action": "log:GetLogStoreLogs",
                  "Resource": "acs:log:*:*:project/*/logstore/istio-*"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": "servicemesh.aliyuncs.com"
                      }
                  }
              }
          ],
          "Version": "1"
      }
    4. In the Basic Information section, enter a policy name in the Name field. In this example, the policy name is ASMPolicy1. Then, click OK.
  3. Attach the custom policy to a RAM user or RAM role.
    1. In the left-side navigation pane, choose Identities > Users.
      Note To attach a policy to a RAM role, choose Identities > Roles in the left-side navigation pane.
    2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
      Note To grant permissions to a RAM role, find the RAM role on the Roles page and click Add Permissions in the Actions column.
    3. In the Add Permissions panel, select Alibaba Cloud Account for the Authorized Scope parameter. The name of the current RAM user is automatically filled in the Principal field. Click Custom Policy in the Select Policy section, enter and select ASMPolicy1, and then click OK.

Sample scenarios of custom policies

Scenario 1: Grant the permissions on a single ASM instance

You can use the following policy document to create a policy that grants the permissions on a single ASM instance. After you attach the policy to a RAM user or RAM role, the RAM user or RAM role can manage only the ASM instance with the specified ID.
Note When you create the policy, replace <ServicemeshId> in the policy document with the ID of the ASM instance on which you want to grant permissions.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "servicemesh:*",
      "Resource": "acs:servicemesh:*:*:servicemesh/<ServicemeshId>"
    },
    {
      "Effect": "Allow",
      "Action": "servicemesh:DescribeServiceMeshes",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "log:GetLogStoreLogs",
      "Resource": "acs:log:*:*:project/*/logstore/audit-<ServicemeshId>"
    },
    {
      "Effect": "Allow",
      "Action": "log:GetLogStoreLogs",
      "Resource": "acs:log:*:*:project/*/logstore/istio-<ServicemeshId>"
    }
  ],
  "Version": "1"
}

Scenario 2: Grant the permissions to read and write Istio resources in the ASM console

By default, the system policy AliyunASMReadOnlyAccess provided by ASM grants RAM users or RAM roles the read-only permissions on ASM instances. RAM users or RAM roles to which this policy is attached cannot manage Istio resources in ASM.

You can use the following policy document to create a policy that grants the read and write permissions on Istio resources. After you attach the policy to a RAM user or RAM role, the RAM user or RAM role can use the ASM console to manage Istio resources on ASM instances. However, the RAM user or RAM role cannot change other settings of the ASM instances, such as feature settings.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicemesh:List*",
                "servicemesh:Describe*",
                "servicemesh:Get*",
                "servicemesh:InvokeApiServer"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:ListLogStores",
                "log:ListDashboard",
                "log:GetDashboard",
                "log:ListSavedSearch"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/audit-*"
        }
    ],
    "Version": "1"
}

Scenario 3: Grant RBAC authorization permissions

You can use the following policy document to create a policy that grants RBAC authorization permissions. After you attach the policy to a RAM user or RAM role, the RAM user or RAM role can use the ASM console to manage the RBAC permissions of other RAM roles or RAM users. However, the RAM user or RAM role cannot manage ASM instances.
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicemesh:DescribeUserPermissions",
                "servicemesh:GrantUserPermissions",
                "servicemesh:DescribeServiceMeshes",
                "servicemesh:DescribeUsersWithPermissions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ims:ListUserBasicInfos",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
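As an added example (not from the ASM documentation and not Alibaba Cloud's own evaluator), the following Python script is a simplified model of RAM policy evaluation that lets you check what the custom policy ASMPolicy1 and the Scenario 1 policy grant before attaching them: it applies the wildcard Action and Resource patterns, the StringEquals condition, explicit Deny statements (which the policies on this page do not use) and the implicit deny, and confirms that ASMPolicy1 does not grant the servicemesh:GrantUserPermissions action from Scenario 3 while the Scenario 1 policy is confined to one instance. The instance IDs, account ID and region in the resource names are constructed placeholders.

```python
import fnmatch

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, ctx):
    # Only StringEquals is modelled, the one operator used on this page.
    for key, expected in condition.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Simplified RAM evaluation: a matching Deny wins, else any matching Allow grants, else implicit deny."""
    ctx, allowed = ctx or {}, False
    for st in policy["Statement"]:
        # '*' is the wildcard in Action/Resource patterns; case-sensitive matching is assumed.
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# The servicemesh and ram statements of the ASMPolicy1 custom policy shown on this page.
ASM_POLICY_1 = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "servicemesh:Add*", "servicemesh:CRBatchDeletion", "servicemesh:Create*",
        "servicemesh:Delete*", "servicemesh:Describe*", "servicemesh:Enable*",
        "servicemesh:Disable*", "servicemesh:Get*", "servicemesh:InvokeApiServer",
        "servicemesh:List*", "servicemesh:Modify*", "servicemesh:Re*", "servicemesh:Run*",
        "servicemesh:Set*", "servicemesh:Sync*", "servicemesh:Update*", "servicemesh:Upgrade*"]},
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "servicemesh.aliyuncs.com"}}}]}

# Scenario 1 policy, with constructed placeholder IDs (not real ASM instance or account IDs).
MESH_ID, OTHER_ID, ACCOUNT = "cmesh0000example", "cmesh0001example", "000000000000"
MESH_ARN = f"acs:servicemesh:cn-hangzhou:{ACCOUNT}:servicemesh/{MESH_ID}"
OTHER_ARN = f"acs:servicemesh:cn-hangzhou:{ACCOUNT}:servicemesh/{OTHER_ID}"
SINGLE_MESH_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "servicemesh:*",
     "Resource": f"acs:servicemesh:*:*:servicemesh/{MESH_ID}"},
    {"Effect": "Allow", "Action": "servicemesh:DescribeServiceMeshes", "Resource": "*"}]}
```

Run is_allowed(policy, action, resource) with the action names from this page to confirm a policy grants only what you intend; the model ignores RAM features not used here, such as NotAction.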