When multiple users collaborate on shared resources, you can delegate permissions by granting different levels of access to RAM users based on their roles. This approach enhances management efficiency and reduces the risk of information leaks. This topic describes how to use resource-level authentication to control RAM user permissions, granting them specific access and operational rights for different Auto Scaling resources.
Background information
- Alibaba Cloud permissions are managed with policies. You can configure RAM-related policies based on different roles. In a policy, you can define resource-level permissions and then attach one or more policies to a RAM user or a user group. For more information about policies, see Policy overview.
- Managing permissions for Auto Scaling resources without resource-level authentication is inconvenient. For example, you are limited to granting permissions at a coarse-grained level, such as for all resources within a region. Auto Scaling's resource-level authentication provides greater flexibility by allowing you to grant permissions for specific resources.
Note: For more information about RAM, see What is RAM?
Scenarios
The following scenarios describe how to implement resource-level authentication.
| Scenario | Permission goal |
| Scenario 1: Create scaling groups, and then configure a resource-level authentication policy | Example: Allow all operations on scaling group 1, but deny all operations on scaling group 2. |
| Scenario 2: Configure a resource-level authentication policy, and then create scaling groups | Allow creating scaling groups only in a specific region, such as China (Hangzhou). Deny creating them in other regions, such as China (Beijing). |
APIs without resource-level authentication
After you attach a policy that grants resource-level permissions to a RAM user, resource-level authentication is not supported for the following API operations. Such operations can only be authorized with a statement whose Resource is "*".
| API | Resource-level authentication unsupported |
| DescribeRegions | Yes |
| For a scheduled task that is not associated with a scaling group: | Yes |
| For an alarm task that is not associated with a scaling group: | Yes |
Procedure
Before you begin, ensure you have created a RAM user. For more information, see Create a RAM user.
Scenario 1: Create scaling groups, then configure policy
- Create two scaling groups. For more information, see Manage scaling groups.
  - Scaling group 1: name asg-001, ID asg-bp17np35ywjwh2cx****.
  - Scaling group 2: name asg-002, ID asg-bp1c5pl2qc6ozgbl****.
- Log in to the RAM console.
- Create a custom policy. For more information, see Create a custom policy.
  This custom policy allows the RAM user to view, modify, and delete scaling group asg-001 in the Auto Scaling console or by calling API operations, and denies these operations on asg-002. The third statement grants the operations that do not support resource-level authentication (DescribeRegions and the scheduled task and alarm operations) on Resource "*", because a statement scoped to a scaling group never matches them.
  Example custom policy:
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ess:*",
        "Resource": "acs:ess:cn-hangzhou:160998252992****:scalinggroup/asg-bp17np35ywjwh2cx****"
      },
      {
        "Effect": "Deny",
        "Action": "ess:*",
        "Resource": "acs:ess:cn-hangzhou:160998252992****:scalinggroup/asg-bp1c5pl2qc6ozgbl****"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ess:DescribeRegions",
          "ess:CreateScheduledTask",
          "ess:ModifyScheduledTask",
          "ess:DescribeScheduledTasks",
          "ess:DeleteScheduledTask",
          "ess:CreateAlarm",
          "ess:DescribeAlarms",
          "ess:ModifyAlarm",
          "ess:EnableAlarm",
          "ess:DeleteAlarm"
        ],
        "Resource": "*"
      }
    ]
  }
- Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
- Use the Auto Scaling console or call API operations to view, modify, and delete asg-001 and asg-002.
  You can view, modify, and delete scaling group asg-001 as usual, but the same operations on asg-002 fail. Receiving the error code Forbidden.Unauthorized and the message "The user is not authorized to perform this operation because the user is not granted the required permissions. Please grant permissions and try again." confirms that resource-level authentication is working.
Scenario 2: Configure policy, then create scaling groups
- Log in to the RAM console.
- Create a custom policy. For more information, see Create a custom policy.
  This custom policy allows the RAM user to create scaling groups in the China (Hangzhou) region, either in the Auto Scaling console or by using API operations, and denies these operations in the China (Beijing) region. As in Scenario 1, the third statement covers the operations that do not support resource-level authentication.
  Example custom policy:
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ess:*",
        "Resource": "acs:ess:cn-hangzhou:160998252992****:*"
      },
      {
        "Effect": "Deny",
        "Action": "ess:*",
        "Resource": "acs:ess:cn-beijing:160998252992****:*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ess:DescribeRegions",
          "ess:CreateScheduledTask",
          "ess:ModifyScheduledTask",
          "ess:DescribeScheduledTasks",
          "ess:DeleteScheduledTask",
          "ess:CreateAlarm",
          "ess:DescribeAlarms",
          "ess:ModifyAlarm",
          "ess:EnableAlarm",
          "ess:DeleteAlarm"
        ],
        "Resource": "*"
      }
    ]
  }
- Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
- Use the Auto Scaling console or call API operations to create scaling groups.
  You can create scaling groups in the China (Hangzhou) region but not in the China (Beijing) region. Receiving the error code Forbidden.Unauthorized and the message "The user is not authorized to perform this operation because the user is not granted the required permissions. Please grant permissions and try again." confirms that resource-level authentication is working.
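The following script is an added example, not code from this page or from Alibaba Cloud. It is a small offline simulator of how the two custom policies above are evaluated, so that the expected outcome of each scenario can be checked before the policy is attached to a real RAM user. It assumes the standard evaluation rule (a matching Deny statement wins, a matching Allow permits, anything else is denied by default), treats "*" in Action and Resource as a glob wildcard, and assumes that an operation without resource-level authentication, such as DescribeRegions, is evaluated against the resource "*" and that a CreateScalingGroup request in a region carries a region-scoped resource name. The account and scaling group IDs are the masked values shown on this page; the functions scaling_group_arn, evaluate, error_code and without_wildcard_statement are this example's own names.

```python
import fnmatch

# Values as they appear on this page. The account and scaling group IDs are
# masked there with '****'; the mask characters also act as wildcards in this
# simulator, which is harmless because the IDs differ in their unmasked part.
ACCOUNT = "160998252992****"
ASG_001 = "asg-bp17np35ywjwh2cx****"   # scaling group asg-001
ASG_002 = "asg-bp1c5pl2qc6ozgbl****"   # scaling group asg-002

# Operations the page lists as not supporting resource-level authentication.
# They can only be granted by a statement whose Resource is "*".
NON_RESOURCE_ACTIONS = [
    "ess:DescribeRegions",
    "ess:CreateScheduledTask", "ess:ModifyScheduledTask",
    "ess:DescribeScheduledTasks", "ess:DeleteScheduledTask",
    "ess:CreateAlarm", "ess:DescribeAlarms", "ess:ModifyAlarm",
    "ess:EnableAlarm", "ess:DeleteAlarm",
]


def scaling_group_arn(region, group_id):
    """Resource name of one scaling group, in the format the page's policies use."""
    return f"acs:ess:{region}:{ACCOUNT}:scalinggroup/{group_id}"


# Scenario 1 policy from the page: allow everything on asg-001, deny asg-002.
SCENARIO_1_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ess:*",
         "Resource": scaling_group_arn("cn-hangzhou", ASG_001)},
        {"Effect": "Deny", "Action": "ess:*",
         "Resource": scaling_group_arn("cn-hangzhou", ASG_002)},
        {"Effect": "Allow", "Action": NON_RESOURCE_ACTIONS, "Resource": "*"},
    ],
}

# Scenario 2 policy from the page: allow China (Hangzhou), deny China (Beijing).
SCENARIO_2_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ess:*",
         "Resource": f"acs:ess:cn-hangzhou:{ACCOUNT}:*"},
        {"Effect": "Deny", "Action": "ess:*",
         "Resource": f"acs:ess:cn-beijing:{ACCOUNT}:*"},
        {"Effect": "Allow", "Action": NON_RESOURCE_ACTIONS, "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Action and Resource elements use '*' as a wildcard; fnmatchcase gives the
    # same glob behaviour and keeps the comparison case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Decide 'Allow' or 'Deny' for one (action, resource) request.

    Assumed evaluation rule: a matching Deny statement wins outright, a
    matching Allow permits, and a request that matches nothing is denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def error_code(decision):
    """Error code the page says the caller receives when a request is denied."""
    return None if decision == "Allow" else "Forbidden.Unauthorized"


def without_wildcard_statement(policy):
    """Copy of a policy with its Resource "*" statement removed."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Resource"] != "*"]}


if __name__ == "__main__":
    hz1 = scaling_group_arn("cn-hangzhou", ASG_001)
    hz2 = scaling_group_arn("cn-hangzhou", ASG_002)
    print("modify asg-001:", evaluate(SCENARIO_1_POLICY, "ess:ModifyScalingGroup", hz1))
    print("delete asg-002:", evaluate(SCENARIO_1_POLICY, "ess:DeleteScalingGroup", hz2))
    # DescribeRegions carries no scaling-group resource, so only "*" can match it.
    print("DescribeRegions with the wildcard statement:",
          evaluate(SCENARIO_1_POLICY, "ess:DescribeRegions", "*"))
    print("DescribeRegions without it:",
          evaluate(without_wildcard_statement(SCENARIO_1_POLICY), "ess:DescribeRegions", "*"))
    # Assumed resource shape for CreateScalingGroup: the group does not exist
    # yet, so the request is evaluated against a region-scoped resource name.
    beijing = f"acs:ess:cn-beijing:{ACCOUNT}:scalinggroup/*"
    decision = evaluate(SCENARIO_2_POLICY, "ess:CreateScalingGroup", beijing)
    print("create in Beijing:", decision, error_code(decision))
```

The check that matters most in practice is the one made by without_wildcard_statement: if the third statement is dropped, the RAM user keeps every permission on asg-001 yet loses DescribeRegions, scheduled tasks and alarms, which is the failure mode the table of APIs without resource-level authentication is warning about.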
Related topics
- To grant permissions to a RAM user programmatically, see the AttachPolicyToUser operation.
- To create a custom policy programmatically, see the CreatePolicy operation.
- To create one or more scaling groups programmatically, see the CreateScalingGroup operation.
- To manage permissions by using tag-based authentication, see Manage scaling group permissions with tag-based authentication.
- To group and manage cloud resources by using resource groups, see Use resource groups to manage scaling groups.