Custom RAM policies for ARMS

Updated at:
Copy as MD

If system policies do not meet your requirements, you can create custom policies. Custom policies provide fine-grained access control and enhance the security of your resource access. This topic describes how to use custom policies for ARMS.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Prerequisites

Important

This feature is enabled by default for Alibaba Cloud accounts that activated ARMS after 00:00 on April 1, 2022. If you activated ARMS before this date, you must submit a ticket to enable the feature.

  • Before you create a custom policy, understand the basic structure and syntax of permission policies. For more information, see Basic elements of a permission policy.

  • The RAM user must have the ReadOnlyAccess or AliyunARMSReadOnlyAccess system policy attached to log on to the ARMS console.

    Important

    To grant the read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to and grant the ReadTraceApp permission to the resource group. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.

  • Make sure that the AliyunARMSFullAccess system policy is not attached to the RAM user.

Background information

ARMS provides system policies that grant coarse-grained permissions. If these policies do not meet your requirements, you can create custom policies. For example, to control a RAM user's permissions on a specific application, you must use a custom policy.

Step 1: Create a custom policy

  1. Sign in to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

    image

  4. On the Create Policy page, click the JSON tab. Write your policy content in the policy editor.

    For more information about the elements in a permission policy, see Policy elements.

    Example: This policy grants read-only permissions on applications in the China (Hangzhou) region that have the tag key0: value01 or key0: value02.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "arms:ReadTraceApp"
          ],
          "Resource": "acs:arms:cn-hangzhou:*:armsapp/*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "arms:tag/key0":[
                "value01",
                "value02"
              ]
            }
          }
        }
      ]
    }
  5. At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.

    This feature performs the following tasks:

    • Splits resources or conditions for incompatible actions.

    • Reduces the resource scope for greater precision.

    • Removes duplicate statements or merges statements.

  6. On the Create Policy page, click OK.

  7. In the Create Policy dialog box, enter a policy name and Description, then click OK.

Step 2: Attach a permission policy

Attach permission policy to a RAM user

Console

The RAM console provides two methods to grant permissions to a RAM user. You can use either method to grant permissions to a single user or to multiple users at once. Choose the method that best suits your workflow:

  • From the Users page: After you select a target user in the user list, the authorization panel automatically selects the principal. This method is ideal for a user-centric approach.

  • From the Authorization page: You must manually select a principal, but you can see an overview of all authorization records in your account. This approach is ideal for a permission-centric view.

Note

Recommendation for large-scale management: To grant the same permissions to multiple RAM users with similar responsibilities, add these users to a user group and then attach the policy to the user group (console path: Identity Management > User Groups). This approach is easier to maintain than granting permissions to each user individually.

From the Users page
  1. Log on to the .

  2. In the navigation pane on the left, choose Identity Management > Users.

  3. On the Users page, find the RAM user and click Actions in the Attach Policy column.

    You can also select multiple RAM users and click Attach Policy below the user list to grant permissions to multiple RAM users.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    • Select a Resource Scope:

      • Entire Account: The permissions apply to all resources within the current Alibaba Cloud account. This is suitable for general scenarios that do not require isolation by resource group.

      • Specific Resource Group: The permissions apply only to the resources within the specified resource group. This is suitable for scenarios where multiple teams share an account and require permission isolation. When a RAM user is granted permissions on a specific resource group, they must select that group from the top navigation bar in the console to access its resources.

        Note
        1. The system automatically flags high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. These policies typically grant full control over all cloud resources or full management access to RAM. Grant these policies with caution.

        2. For an example of resource group authorization, see Use a resource group to control a RAM user's access to specific ECS instances.

    • Select Principals:

      The principals are the RAM users to whom you want to grant permissions. If you started from the Users page, the system automatically selects the RAM user you are editing. If you initiated the process from the Grants page, you must manually select one or more RAM users.

    • Select Policies:

      • System Policies: You can search for and select system policies. Search tip: Use the search box to quickly find a policy. You can perform a fuzzy search by product name (for example, ECS or OSS), permission level (for example, ReadOnly or FullAccess), or the full policy name.

      • Custom Policies: You must first create a custom policy before you can attach it.

    • (Optional) Enter a Description: We recommend providing a reason for the authorization to aid future auditing and traceability, such as "Authorization for OSS upload tasks".

    • Submit the authorization: Click OK.

  5. Review the result of the operation and click Close.

From the Grants page
  1. Log on to the .

  2. In the navigation pane on the left, choose Permission Management > Grants.

  3. On the Grants page, click Add Grant.

  4. In the Add Grant panel, grant permissions to the RAM user. The configuration is the same as described in the previous section.

  5. Review the result of the operation and click Close.

API

Grant a custom policy
  1. Call the CreatePolicy operation to create a custom policy. You can refer to Basic elements of a permission policy and Overview of permission policy examples.

  2. Call the AttachPolicyToUser operation to grant permissions at the account-level to a RAM user. Set the PolicyType parameter to Custom.

    Alternatively, call the AttachPolicy operation to grant permissions at the resource group-level to a RAM user.

Grant a system policy
  • Call the AttachPolicyToUser operation to attach a policy to a RAM user. Set the PolicyType parameter to System. For more information about the PolicyName parameter, see System policy reference.

  • Alternatively, call the AttachPolicy operation to grant permissions at the resource group-level to a RAM user.

Attach a permission policy to a RAM role

After you attach a permission policy to a RAM role, you can use the RAM role to log on to the ARMS console. For more information, see Assume a RAM role.

Permission policy elements

Effect

The authorization effect can be Allow or Deny.

Action

Action

Permission description

arms:ReadTraceApp

Read-only permission for Application Real-Time Monitoring Service (ARMS). This permission lets you view information such as application overviews, API calls, and application diagnostics.

arms:EditTraceApp

Edit permission for ARMS. This permission lets you customize application configurations and set custom parameters.

arms:DeleteTraceApp

Delete permission for ARMS. This permission lets you delete applications.

Resource

Specifies the object that the authorization applies to.

The format is as follows:

"Resource": [
     "acs:arms:<regionid>:*:armsapp/<appname>"
 ]
  • Replace <regionid> with the ID of a specific region. To grant permissions on resources in all regions, use an asterisk (*).

  • Replace <appname> with the name of a specific application. To grant permissions on all applications, use an asterisk (*). If the authorization applies to applications that share a name prefix, use prefix*, such as k8s*.

Condition

A condition block consists of one or more condition clauses. A condition clause consists of a condition operator, a condition key, and a condition value. Condition block evaluation logic

Evaluation logic:

  • Condition match: A condition key can have one or more values. The condition is met if the key's value in the request matches any of the values specified in the policy (logical OR).

  • Condition clause match: A condition clause is met only if all its condition keys are met (logical AND).

  • Condition block match: A condition block is met only if all of its condition clauses are met (logical AND).

ARMS lets you use tag key-value pairs to specify the objects for authorization. For more information about how to set application tags, see Tag management.

  • The following condition operators are supported for tag key-value pairs:

    • StringEquals

    • StringNotEquals

    • StringEqualsIgnoreCase

    • StringNotEqualsIgnoreCase

    • StringLike

    • StringNotLike

  • Condition key: arms:tag.

  • Condition value: The tag key-value pair.

Example: Grant permissions to applications where the tag key-value pair is key0: value01 or key0: value02.

"Condition": {
  "StringEquals": {       // Condition operator.
    "arms:tag/key0":[      // Condition key
      "value01",        // Condition value
      "value02"
    ]
  }
}

Authorization reference

To use custom policies, understand your service's permission requirements and the authorization information for Application Real-Time Monitoring Service (ARMS). For more information, see Authorization information.