This topic describes how to attach a custom policy to a RAM user.

Prerequisites

Make sure that you are familiar with policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.

Background information

The system policies provided by Application Real-Time Monitoring Service (ARMS) are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the operation permissions on a specific application to a RAM user, you must create a custom policy to meet this requirement.

Step 1: Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account or as an authorized RAM user.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab. Configure a permission policy in the editor.
    For more information, see Policy elements.

    The following example grants read-only permissions on applications that reside in the China (Hangzhou) region and are tagged with key0: value01 or key0: value02.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "arms:ReadTraceApp"
          ],
          "Resource": "acs:arms:cn-hangzhou:*:armsapp/*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "arms:tag/key0":[
                "value01",
                "value02"
              ]
            }
          }
        }
      ]
    }
  5. Click Next to edit basic information. In the Basic Information section, enter a policy name and then click OK.
  6. Return to the Policies page. You can enter the policy name or note in the search box and click the search icon to find the created custom policy.

Step 2: Attach the custom policy to a RAM user

  1. In the left-side navigation pane of the RAM console, choose Identities > Users.
  2. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  3. In the Add Permissions panel, grant permissions to the RAM user.
    1. Set Authorized Scope to Alibaba Cloud Account.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select the custom policy that is created in Step 1.
  4. Click OK.
  5. Click Complete.

Policy elements

Effect

Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.

Action

The following actions can be specified in the Action element:

  • arms:ReadTraceApp: The read-only permissions on the specified application, including the permissions to view information such as application overview, interface calls, and application diagnostics.
  • arms:EditTraceApp: The edit permissions on the specified application, including the permissions to apply custom configurations and set custom parameters.
  • arms:DeleteTraceApp: The permissions to delete the specified application.

Resource

Specifies the resources on which the policy takes effect.

Format:

"Resource": [
  "acs:arms:<regionid>:*:armsapp/<appname>"
]

  • Replace <regionid> with the specified region ID. If you want to grant permissions to resources in all regions, replace <regionid> with *.
  • Replace <appname> with the specified application name. If you want to grant permissions on all applications, replace <appname> with *. If you want to specify applications that have the same name prefix, replace <appname> with Name prefix*, for example, k8s*.

Condition

A condition block contains one or more conditions. Each condition consists of operators, keys, and values.

Figure: Condition block

Description

  • You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.
  • A condition can have multiple keys that are attached to a single conditional operator. The condition of this type is met only if all requirements for the keys are met.
  • A condition block is met only if all of its conditions are met.

You can specify resources by using key-value pairs. For more information about how to attach tags to an application, see Manage tags.

  • Key-value pairs support the following operators:
    • StringEquals
    • StringNotEquals
    • StringEqualsIgnoreCase
    • StringNotEqualsIgnoreCase
    • StringLike
    • StringNotLike
  • Condition key: arms:tag/<key>, for example, arms:tag/key0.
  • Condition key value: one or more tag values to match.

The following example demonstrates a condition that matches applications that are tagged with key0: value01 or key0: value02.

"Condition": {
  "StringEquals": {       // The operator. 
    "arms:tag/key0":[      // The condition key.
      "value01",        // The value of the condition key.
      "value02"
    ]
  }
}
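
The following Python script is an added example, not Alibaba Cloud code and not the RAM evaluation engine, that checks a request against the policy from Step 1 using the Resource wildcard rules and the Condition rules described above (values of one key are alternatives, keys and operator blocks must all be satisfied). It also shows how an explicit Deny statement behaves alongside the Allow. Assumptions: the deny-overrides-allow ordering used by RAM, the constructed account ID and application names, fnmatch-style handling of the * wildcard, and treating a request that carries no such tag as matching nothing.

```python
"""Added example (not Alibaba Cloud code): a small evaluator for the ARMS
application policy above, covering only the semantics this page describes."""
import fnmatch
import json

# Constructed sample policy: the read-only statement from Step 1 plus an
# explicit Deny on deleting any application in any region.
POLICY_JSON = """{
  "Version": "1",
  "Statement": [
    {"Action": ["arms:ReadTraceApp"],
     "Resource": "acs:arms:cn-hangzhou:*:armsapp/*",
     "Effect": "Allow",
     "Condition": {"StringEquals": {"arms:tag/key0": ["value01", "value02"]}}},
    {"Action": ["arms:DeleteTraceApp"],
     "Resource": "acs:arms:*:*:armsapp/*",
     "Effect": "Deny"}
  ]
}"""

def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]

def load_policy(text):
    """Parse the policy document and normalise string-or-list fields to lists."""
    policy = json.loads(text)
    for stmt in policy["Statement"]:
        stmt["Action"] = _as_list(stmt["Action"])
        stmt["Resource"] = _as_list(stmt["Resource"])
    return policy

def _matches(op, actual, expected):
    """Positive form of the three base String operators."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringEqualsIgnoreCase":
        return actual.casefold() == expected.casefold()
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)  # * and ? wildcards
    raise ValueError(f"unsupported condition operator: {op}")

def _key_satisfied(op, actual, expected_values):
    """A key is satisfied when the request value matches any listed value (OR);
    the StringNot* operators are satisfied when it matches none of them."""
    negated = op.startswith("StringNot")
    base = op.replace("StringNot", "String", 1) if negated else op
    if actual is None:   # request carries no such tag; assumption: only Not* operators pass
        return negated
    hit = any(_matches(base, actual, v) for v in _as_list(expected_values))
    return not hit if negated else hit

def condition_met(condition, request_tags):
    """Every operator block and every key inside it must be satisfied (AND)."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            if not key.startswith("arms:tag/"):
                raise ValueError(f"unsupported condition key: {key}")
            actual = request_tags.get(key[len("arms:tag/"):])
            if not _key_satisfied(op, actual, expected):
                return False
    return True

def resource_matches(resource, pattern):
    """Segment-wise wildcard match of acs:arms:<regionid>:<account>:armsapp/<appname>,
    so a * in the region segment cannot bleed into the application segment."""
    res, pat = resource.split(":", 4), pattern.split(":", 4)
    if len(res) != 5 or len(pat) != 5:
        return False
    return all(fnmatch.fnmatchcase(r, p) for r, p in zip(res, pat))

def evaluate(policy, action, resource, request_tags=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'. Assumption: standard RAM ordering,
    where an explicit Deny overrides any Allow and an unmatched request is denied."""
    tags = request_tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(resource_matches(resource, r) for r in stmt["Resource"]):
            continue
        if not condition_met(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    app = "acs:arms:cn-hangzhou:123456789012:armsapp/k8s-web"  # constructed account ID
    for action, tags in [("arms:ReadTraceApp", {"key0": "value01"}),
                         ("arms:ReadTraceApp", {"key0": "value03"}),
                         ("arms:DeleteTraceApp", {"key0": "value01"})]:
        print(action, tags, "->", evaluate(policy, action, app, tags))
```

Running the script prints Allow for a read of a correctly tagged Hangzhou application, ImplicitDeny for the same application with a tag value outside the list, and Deny for the delete. The segment-wise matching in resource_matches is what makes a prefix pattern such as armsapp/k8s* behave as the Resource section describes; note that fnmatch also gives [ and ? special meaning, so application names containing those characters would need escaping in a real check.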