
Cloud Migration Hub: How Cloud Migration Hub works with RAM

Last Updated: Mar 21, 2025

Resource Access Management (RAM) is a service that allows you to manage user identities and resource permissions in a centralized manner. If multiple employees or applications in your enterprise need to access Cloud Migration Hub resources, you can use RAM to manage permissions in a centralized manner and grant different access permissions based on your business requirements. Before you use RAM to manage the permissions on Alibaba Cloud services, we recommend that you learn about RAM features that can work with Alibaba Cloud services. This topic describes the RAM features supported by Cloud Migration Hub and how Cloud Migration Hub works with RAM.

RAM features supported by Cloud Migration Hub

The following table describes RAM features and whether the features are supported by Cloud Migration Hub.

RAM feature                                        | Supported by Cloud Migration Hub
-------------------------------------------------- | --------------------------------
RAM user-based access                              | Yes
Security Token Service (STS) token-based access    | Yes
Identity-based policies at the account level       | Yes
Identity-based policies at the resource group level| Yes (partially supported)
Operation-level authorization                      | Yes
Resource-level authorization                       | Yes
Condition keys specific to Alibaba Cloud services  | Yes
Tag-based authorization                            | Yes (partially supported)
Regular service roles                              | No
Service-linked roles                               | Yes

Note

For more information about all services that can work with RAM and STS, see Services that work with RAM and Services that work with STS.

RAM user-based access

Cloud Migration Hub supports RAM user-based access.

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. If a RAM user uses an identity credential to access Cloud Migration Hub, Cloud Migration Hub verifies the permissions of the RAM user on resources.

  • Identity credentials are configured when you create a RAM user. You can create a RAM user only by using an administrator account. If you use a RAM user to access the resources of a cloud service in the console of the service, you must provide the username and password of the RAM user. If you use a RAM user to access the resources by calling API operations, you must provide the AccessKey pair of the RAM user. We recommend that you change the password of a RAM user on a regular basis and do not write the plaintext AccessKey pair of a RAM user in code. This improves the security of RAM identity credentials. For more information, see Identity management.

    Note

    An administrator account is an Alibaba Cloud account or a RAM user or role that has administrative rights.

  • By default, a RAM user does not have any permissions. After you create a RAM user, you must use an administrator account to attach the required policies to the RAM user to grant the RAM user the access or management permissions on cloud resources. Identity-based policies include system policies and custom policies. System policies are created by Alibaba Cloud. You can create custom policies.


STS token-based access

Cloud Migration Hub supports STS token-based access.

STS is a sub-service provided by RAM. STS issues tokens to allow trusted entities to assume RAM roles. An STS token is an identity credential used by a RAM role to access cloud resources. A RAM role is a virtual RAM identity. A RAM role does not have long-term identity credentials and must be assumed by a trusted entity.

Compared with long-term identity credentials such as AccessKey pairs, temporary identity credentials such as STS tokens help reduce exposure duration and improve the security of cloud assets. For more information about the trusted entities and the common scenarios in which RAM roles and STS tokens are used, see RAM role overview.

By default, a RAM role does not have any permissions. You must use an administrator account to attach the required policies to the RAM role to grant the RAM role the access or management permissions on cloud resources. Identity-based policies include system policies and custom policies. System policies are created by Alibaba Cloud. You can create custom policies.


Identity-based policies

Cloud Migration Hub supports identity-based policies.

You can attach identity-based policies to RAM identities, such as RAM users, RAM user groups, or RAM roles. Identity-based policies define what operations the preceding RAM identities can perform on which resources and under what conditions.

  • From the perspective of management, identity-based policies include system policies and custom policies. System policies are created and maintained by Alibaba Cloud; you can attach them, but you cannot modify or delete them. You create and maintain custom policies yourself, in the RAM console or by calling API operations.

  • From the perspective of authorization scopes, identity-based policies include account-level policies and resource group-level policies. The authorization scope of account-level policies includes all resources within an Alibaba Cloud account. The authorization scope of resource group-level policies includes all resources in a resource group. Account-level policies take precedence over resource group-level policies. For more information about the definitions and authorization scopes, see Policy models. You can specify the authorization scope when you grant permissions to a RAM identity.


Operation-level authorization

Cloud Migration Hub supports operation-level authorization.

In a policy, the Action element specifies the operations that an identity can or cannot perform. In most cases, the operations specified by the Action element are the same as the API operations of the related Alibaba Cloud services. The Action element is in the <ram-code>:<action-name> format.

Cloud Migration Hub supports the operation-level authorization granularity. You can configure access permissions for a specific operation in a policy.

In most cases, you can use operation-level authorization when you create custom policies to implement access control.

  • For more information about the RAM code of Cloud Migration Hub, see . For more information about the RAM codes of other Alibaba Cloud services, see Services that work with RAM.

  • For more information about all operations that are supported by Cloud Migration Hub, see .

Example of the Action element in a policy of Cloud Migration Hub

{
    "Statement": [
        {
            "Action": "apds:ListMigrationPlans",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Resource-level authorization

Cloud Migration Hub supports resource-level authorization.

In a policy, the Resource element specifies one or more resource objects on which an identity can or cannot perform operations. A resource is a manageable object that is provided by an Alibaba Cloud service, for example, an Object Storage Service (OSS) bucket or an Elastic Compute Service (ECS) instance. The Resource element identifies resources by their Alibaba Cloud Resource Names (ARNs), in the acs:<ram-code>:<region>:<account-id>:<relative-id> format. If an operation does not support resource-level authorization, use the wildcard character (*) to specify that the statement applies to all resources.

Cloud Migration Hub supports the resource-level authorization granularity. You can configure access permissions for a specific resource object in a policy. In most cases, you can use resource-level authorization when you create custom policies to implement access control. For more information about all resources that are supported by Cloud Migration Hub, see .

Example of the Resource element in a policy of Cloud Migration Hub

"Resource": [
    "acs:vpc:cn-beijing:135********:routerinterface/*",
    "acs:vpc:cn-beijing:135********:vrouter/*"
]

Condition keys specific to Alibaba Cloud services

Cloud Migration Hub supports condition keys specific to Alibaba Cloud services.

In a policy, the Condition element specifies the conditions that are required for a policy to take effect. This element is optional. The Condition element can contain one or more conditions. Each condition consists of condition operators, condition keys, and condition values. RAM defines condition operators. Condition keys include common condition keys, which are in the acs:<condition-key> format, and condition keys that are specific to Alibaba Cloud services, which are in the <ram-code>:<condition-key> format. Condition values vary based on the condition keys. For more information about the Condition element, see Policy elements.

Cloud Migration Hub supports condition keys specific to Alibaba Cloud services. You can configure conditions that are required for a policy to take effect when you configure permissions for specific operations and resource objects. In most cases, you can use condition keys specific to Alibaba Cloud services when you create custom policies to implement access control. For more information about condition keys specific to Alibaba Cloud services that are supported by Cloud Migration Hub, see .

Example of the Condition element in a policy of Cloud Migration Hub

"Condition": {
    "StringEquals": {
        "vpc:TargetAccountRDId": [
            "12****"
        ]
    },
    "Bool": {
        "acs:SecureTransport": [
            "true"
        ]
    }
}

Tag-based authorization

Cloud Migration Hub supports tag-based authorization.

In a policy, tags are expressed through the common condition keys acs:ResourceTag/{tag-key} and acs:RequestTag/{tag-key}. You can use tags to classify, search for, and aggregate cloud resources that share the same characteristics across different dimensions, which simplifies resource management. For more information about Alibaba Cloud services that can work with tags, see Services that work with Tag.

Tag-based authorization lets you grant the same permissions on every cloud resource that carries the same tags, instead of listing the resources one by one. In most cases, you use tag-based authorization in custom policies.

Example of tag-based authorization in Cloud Migration Hub

This section describes common scenarios for tag-based authorization.
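The Action, Resource, and Condition elements described in the preceding sections, including the tag condition keys, are evaluated together for every request. The following Python script is an added example and is not code from the Cloud Migration Hub or RAM documentation. It implements the evaluation rule RAM applies to identity-based policies (implicit deny, a matching Allow grants, a matching Deny overrides every Allow) over a constructed policy that combines operation-level, condition-based, and tag-based statements. Only the action apds:ListMigrationPlans, the condition key acs:SecureTransport, and the acs:ResourceTag/{tag-key} key come from this page; the action name apds:SomeOtherOperation, the tag key env, and the resource ARN are placeholders constructed for the example.

```python
"""Minimal evaluator for RAM-style identity-based policies.

Added example, not code from the Cloud Migration Hub or RAM documentation.
Evaluation rule: a request is denied unless a statement allows it, and a
matching Deny statement overrides every Allow. Action and Resource patterns
accept the "*" wildcard; Condition supports the StringEquals and Bool
operators shown on this page. "apds:SomeOtherOperation", the tag key "env"
and the ARN in RESOURCE are placeholders, not real Cloud Migration Hub names.
"""
import json
import re

# Constructed policy: allow listing migration plans over TLS, allow any apds
# operation on resources tagged env=staging, and explicitly deny everything
# that arrives over plaintext HTTP.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "apds:ListMigrationPlans",
      "Resource": "*",
      "Condition": {"Bool": {"acs:SecureTransport": ["true"]}}
    },
    {
      "Effect": "Allow",
      "Action": "apds:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"acs:ResourceTag/env": ["staging"]}}
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}
    }
  ]
}
"""

# Placeholder ARN in the acs:<ram-code>:<region>:<account-id>:<relative-id> form;
# the page does not list Cloud Migration Hub resource types.
RESOURCE = "acs:apds:cn-beijing:123456789012345678:placeholder/resource-1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """Policy patterns use '*' for any run of characters; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _condition_met(condition: dict, context: dict) -> bool:
    """All operator/key pairs must hold; a key missing from the request never matches."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in context:
                return False
            actual = str(context[key])
            allowed = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "Bool":
                if actual.lower() not in [v.lower() for v in allowed]:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_met(stmt.get("Condition", {}), context)


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return "Allow" or "Deny": explicit Deny wins, then any Allow, else implicit Deny."""
    decision = "Deny"  # implicit deny until a statement allows the request
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


def demo() -> dict:
    """Evaluate a few constructed requests against POLICY_JSON."""
    policy = json.loads(POLICY_JSON)
    https = {"acs:SecureTransport": "true"}
    http = {"acs:SecureTransport": "false"}
    return {
        "list_over_https": evaluate(policy, "apds:ListMigrationPlans", RESOURCE, https),
        "list_over_http": evaluate(policy, "apds:ListMigrationPlans", RESOURCE, http),
        "other_op_staging_tag": evaluate(policy, "apds:SomeOtherOperation", RESOURCE,
                                         {**https, "acs:ResourceTag/env": "staging"}),
        "other_op_prod_tag": evaluate(policy, "apds:SomeOtherOperation", RESOURCE,
                                      {**https, "acs:ResourceTag/env": "prod"}),
        "unrelated_service": evaluate(policy, "ram:CreateUser", RESOURCE, https),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The Deny statement is the one to study: it matches every action and resource whenever acs:SecureTransport is false, so a plaintext request is refused even though the first statement would otherwise allow it. A request whose context lacks a tag key never satisfies a tag condition, which is why untagged resources fall through to the implicit deny.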


Regular service roles

Cloud Migration Hub does not support regular service roles.

Regular service roles are RAM roles that trusted Alibaba Cloud services assume to access resources across services. For services that use them, the first use of a feature triggers user authorization, which automatically creates the regular service role and grants it the required resource access permissions; the service then assumes the role to access other cloud services.

Regular service roles can be created, modified, and deleted manually in RAM, and the policies attached to them can be modified, so a change to such a role can break the feature that depends on it. Cloud Migration Hub does not use this mechanism; the cross-service access it needs is provided through service-linked roles, which are described in the next section. For more information, see .

Service-linked roles

Cloud Migration Hub supports service-linked roles.

Service-linked roles are RAM roles that are assumed by trusted Alibaba Cloud services. Service-linked roles are used for access across Alibaba Cloud services. When you use a specific feature of Cloud Migration Hub, user authorization is triggered to automatically create a service-linked role and grant the required resource access permissions to the role. After the role is created, Cloud Migration Hub can assume the role to access other cloud services.

The service-linked roles of Cloud Migration Hub are RAM roles that only Cloud Migration Hub can assume. The policies that are attached to the service-linked roles are defined, updated, and used by Cloud Migration Hub. You can view the policies that are attached to the service-linked roles in RAM. You cannot modify or delete the policies. You cannot attach policies to or detach policies from the roles. For more information, see .