
Use resource groups to control the permissions of a RAM user

Last Updated: Nov 04, 2021

When you create Elastic Container Instance resources, you can specify a resource group for each resource. This allows you to manage resources by group. This topic describes how to grant RAM users the permissions on resource groups. Then, the RAM users can manage only resources in the resource groups on which they have permissions.

Background information

You can use resource groups to categorize and manage resources in your Alibaba Cloud account. This simplifies the resource and permission management of your Alibaba Cloud account. Take note of the following items when you use resource groups:

  • A resource group can contain cloud resources from different regions. For example, Resource Group A can contain instances from the China (Beijing) and China (Hangzhou) regions.

  • If resources that belong to different resource groups in the same account are located within the same region, these resources can be associated with each other. For example, an instance in the China (Beijing) region of Resource Group A can be added to a virtual private cloud (VPC) in the China (Beijing) region of Resource Group B.

  • Resource groups inherit the global permissions of a RAM user. For example, if you authorize a RAM user to manage all Alibaba Cloud resources, the RAM user can see all the resource groups that belong to the Alibaba Cloud account.

Scenarios

Elastic Container Instance resources include elastic container instances and image caches. Each Elastic Container Instance resource belongs to exactly one resource group. When you create an Elastic Container Instance resource, you can specify a resource group for the resource. If no resource group is specified, the resource is added to the default resource group.

Note

You can add an Elastic Container Instance resource to a specified resource group or the default resource group only when you create the resource. You cannot modify the resource group after it is specified. After you delete a resource, the resource is automatically removed from the resource group.

You can add Elastic Container Instance resources that are used for different purposes to specific resource groups. Then you can specify different RAM users as administrators for these resource groups to manage resources in a decentralized manner.

For example, if you have one elastic container instance for the production environment and another for the test environment, add the two instances to a production resource group and a test resource group respectively. Then, authorize RAM User A to perform operations only on the instance in the production resource group and RAM User B to perform operations only on the instance in the test resource group. RAM User B tests the product on the test instance, and RAM User A launches the product on the production instance. Because the two environments are managed by different RAM users, permissions are easier to control and a user working in one environment cannot accidentally operate on the other.

Procedure

The following scenario is used as an example: Two resource groups are created to group Elastic Container Instance resources and RAM users are authorized to perform operations on the resources in specific resource groups.

  • Two resource groups are created. One is created for the production environment, and the other is created for the test environment.

  • Two RAM users are created. RAM User A is granted the AliyunECIFullAccess permission on the production resource group, and RAM User B is granted the AliyunECIFullAccess permission on the test resource group.

    Note

    AliyunECIFullAccess is a system policy provided by Resource Access Management (RAM) and contains all permissions to perform operations on Elastic Container Instance resources.

The procedure is as follows:

  1. Create two resource groups. For more information, see Create a resource group.

  2. Create two RAM users. For more information, see Create a RAM user.

  3. Authorize each RAM user on only one resource group. For more information, see Add RAM authorization.

    When you grant permissions to the two RAM users, select the AliyunECIFullAccess policy. Grant it only at the resource group level: resource groups inherit the global permissions of a RAM user, so a RAM user that also holds AliyunECIFullAccess for the whole Alibaba Cloud account can operate on instances in every resource group, and the separation between the production and test resource groups no longer applies to that user.

  4. Create an elastic container instance with its resource group specified.

    • If you create an elastic container instance on the instance buy page in the Elastic Container Instance console, specify a resource group on the Other settings (optional) page.

    • If you create an elastic container instance by calling the CreateContainerGroup operation, pass ResourceGroupId to specify the resource group ID.

Expected results

The expected results are as follows:

  • In the Elastic Container Instance console, the RAM user can view and perform operations only on the elastic container instance in the resource group on which the user has permissions.

  • If a RAM user calls an API operation, the RAM user can view and perform operations only on the elastic container instance in the resource group on which the RAM user has permissions. The following operations are used as examples:

    • CreateContainerGroup

      To create an elastic container instance, the RAM user passes the ResourceGroupId parameter, and the request is authenticated against that resource group. If the parameter is omitted, the request is authenticated against the default resource group (see the following note). If the parameter specifies a resource group that does not exist or on which the RAM user has no permissions, authentication fails.

      Note

      If the RAM user has permissions on the default resource group, the RAM user does not need to specify the resource group ID. The elastic container instance is added to the default resource group by default.

    • DescribeContainerGroups

      To query the information about elastic container instances, the RAM user passes the ResourceGroupId parameter, and the request is authenticated against that resource group. If no resource group ID is specified, or the specified resource group does not exist or is one on which the RAM user has no permissions, authentication fails.

      Note

      If the query also specifies an elastic container instance ID, and that instance belongs to a resource group other than the one given in ResourceGroupId, the instance is not returned. The RAM user cannot view the information about that instance even if the specified resource group ID is one on which the user has permissions.

    • DescribeContainerLog

      To query the logs of an elastic container instance, the RAM user does not need to specify the resource group ID. The system automatically retrieves the resource group to which the elastic container instance belongs and authenticates the request.

    • DeleteContainerGroup

      To delete an elastic container instance, the RAM user does not need to specify the resource group ID. The system automatically retrieves the resource group to which the elastic container instance belongs and authenticates the request.
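Step 4 of the procedure and the expected results above describe which API operations are authenticated against the ResourceGroupId parameter and which resolve the resource group from the instance they target. The following Python script is an added example, not code from this topic or from the Alibaba Cloud SDK: it models those rules locally so that the production/test scenario can be walked through offline, and it also covers the default-resource-group fallback and the instance/resource-group mismatch described in the notes. The resource group IDs (rg-prod, rg-test, rg-default), instance IDs and RAM user names are constructed sample data; the real decision is made by RAM on the server side when the operation is called. The parameter names ResourceGroupId, ContainerGroupId and ContainerGroupIds follow the corresponding API operations, but are kept as plain Python values here.

```python
# Added example (not Alibaba Cloud SDK or RAM code): a local model of the
# resource-group authorization rules described in this topic. The resource
# group IDs, instance IDs and RAM user names are constructed sample data.
from dataclasses import dataclass, field

# Stand-in for the account's default resource group (assumed name).
DEFAULT_RESOURCE_GROUP = "rg-default"


class AuthError(Exception):
    """Raised where the real API operation would fail authentication."""


@dataclass(frozen=True)
class RamUser:
    name: str
    # Resource groups on which the user holds AliyunECIFullAccess.
    resource_groups: frozenset


@dataclass
class Inventory:
    # Elastic container instance ID -> resource group it was created in.
    # The group is fixed at creation and cannot be changed afterwards.
    instances: dict = field(default_factory=dict)


def authorize(user, action, params, inventory):
    """Return the resource group that authorizes the call, or raise AuthError."""
    if action in ("CreateContainerGroup", "DescribeContainerGroups"):
        # Authenticated against the ResourceGroupId parameter; if it is
        # omitted, the default resource group is used instead.
        rg = params.get("ResourceGroupId") or DEFAULT_RESOURCE_GROUP
    elif action in ("DescribeContainerLog", "DeleteContainerGroup"):
        # ResourceGroupId is not needed: the group is looked up from the
        # instance that the call targets.
        cg_id = params["ContainerGroupId"]
        if cg_id not in inventory.instances:
            raise AuthError(f"{action}: unknown instance {cg_id}")
        rg = inventory.instances[cg_id]
    else:
        raise AuthError(f"{action}: operation not modelled here")
    if rg not in user.resource_groups:
        raise AuthError(f"{user.name}: {action} on {rg} is not authorized")
    return rg


def create_container_group(user, params, inventory, new_id):
    rg = authorize(user, "CreateContainerGroup", params, inventory)
    inventory.instances[new_id] = rg
    return new_id


def describe_container_groups(user, params, inventory):
    """Return only instances in the authorized group. An instance ID that
    belongs to another group is filtered out even when ResourceGroupId is
    one the user is authorized on (the note under DescribeContainerGroups)."""
    rg = authorize(user, "DescribeContainerGroups", params, inventory)
    wanted = params.get("ContainerGroupIds")
    return sorted(cg for cg, g in inventory.instances.items()
                  if g == rg and (wanted is None or cg in wanted))


def delete_container_group(user, params, inventory):
    authorize(user, "DeleteContainerGroup", params, inventory)
    # Deleting the instance also removes it from its resource group.
    del inventory.instances[params["ContainerGroupId"]]
    return params["ContainerGroupId"]


def decision(fn, *args):
    """Run one modelled API call and report 'allowed' or 'denied'."""
    try:
        fn(*args)
        return "allowed"
    except AuthError:
        return "denied"


def run_scenario():
    """The production/test split from this topic; returns each outcome."""
    inv = Inventory()
    user_a = RamUser("ram-user-a", frozenset({"rg-prod"}))  # production admin
    user_b = RamUser("ram-user-b", frozenset({"rg-test"}))  # test admin
    out = {}
    prod = create_container_group(user_a, {"ResourceGroupId": "rg-prod"}, inv, "eci-prod-0001")
    test = create_container_group(user_b, {"ResourceGroupId": "rg-test"}, inv, "eci-test-0001")
    # Cross-group create, and create without ResourceGroupId (falls back to
    # the default group, on which neither user is authorized).
    out["b_create_in_prod"] = decision(create_container_group, user_b, {"ResourceGroupId": "rg-prod"}, inv, "eci-x")
    out["a_create_no_rg"] = decision(create_container_group, user_a, {}, inv, "eci-y")
    # Describe: the authorized group lists its own instances; a test instance
    # queried through the production group is invisible; no ResourceGroupId fails.
    out["a_describe_prod"] = describe_container_groups(user_a, {"ResourceGroupId": "rg-prod"}, inv)
    out["a_describe_test_id_via_prod"] = describe_container_groups(
        user_a, {"ResourceGroupId": "rg-prod", "ContainerGroupIds": [test]}, inv)
    out["b_describe_no_rg"] = decision(describe_container_groups, user_b, {}, inv)
    # Log and delete calls resolve the group from the instance itself.
    out["b_log_prod_instance"] = decision(authorize, user_b, "DescribeContainerLog", {"ContainerGroupId": prod}, inv)
    out["b_delete_prod"] = decision(delete_container_group, user_b, {"ContainerGroupId": prod}, inv)
    out["a_delete_prod"] = decision(delete_container_group, user_a, {"ContainerGroupId": prod}, inv)
    out["prod_deleted"] = prod not in inv.instances
    return out


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check:32} {result}")
```

Run it directly to print each decision. The two branches in authorize are the point of the model: a create or describe call is judged by what the caller claims in ResourceGroupId, while a log or delete call is judged by the group the instance already belongs to, which is why the latter two cannot be redirected by passing a different resource group ID.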