You can assign a RAM role to an Elastic Compute Service (ECS) instance so that it can access Application Configuration Management (ACM) without an AccessKey pair stored on the instance. This is more secure than keeping long-lived credentials on the instance. This topic describes how to automatically assign a RAM role to an ECS instance for ACM access when you add the ECS instance to an application by using a mount script in EDAS.

Background

Before instance RAM roles were available, an application deployed on an ECS instance could access ACM only if the AccessKey ID and AccessKey secret (the AccessKey pair, or "AK") were stored on the instance, in a configuration file or in some other form. This adds AK management overhead and creates a risk of leaking the credentials.

An instance RAM role removes that need: you associate a RAM role with the ECS instance and pass the role name to the ACM SDK (version 1.0.8 and later), which then obtains temporary credentials for that role from the instance instead of reading a stored AK. Because authorization is attached to the role rather than to a key, different instances can be given different levels of access to ACM by attaching different roles and authorization policies. For example, an ECS instance whose role carries only a read-only policy can read ACM configurations but cannot add or modify them.

Prerequisites

RAM is activated. For more information, see Billing.

Step 1: Create a RAM role and configure the authorization policy

  1. Log on to the RAM console. Click Roles in the left-side navigation pane.
  2. Click New in the upper right corner of the page.
  3. In the Create Role dialog box, complete the following steps.
    1. On the Select Role Type page, click Service Role.
    2. On the Enter Type page, select ECS Elastic Compute Service.
    3. On the Configure Basic Information page, enter a custom Role Name and optionally a description, and click Create.
    Note A newly created role doesn’t have any authorizations.
  4. On the Roles page, find the role that you created and click Authorization in the Operation column.
  5. In the Edit Role Authorization Policy dialog box, search for the authorization policy AliyunACMFullAccess, and click the > button to move it to the right-side Selected Authorization Policy Name list, and then click OK. To use the configuration encryption and decryption features, add the AliyunKMSCryptoAccess authorization policy.

    The role now has full access to ACM. If the application only needs to read configurations, attach a read-only ACM policy instead, as described in Background, so that the role carries no more permission than the application requires.

Step 2: Create a policy

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the Policies page, click Create Policy. The Create Custom Policy page appears.
  3. Enter AttachACMRamRoleToECSPolicy in the Policy Name field, and enter information in the Note field.
  4. Set the Configuration Mode parameter to Script, and enter the following content in the Policy Document field:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:AttachInstanceRamRole",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ecs:DescribeInstanceRamRole",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ram:*",
                "Resource": "acs:ram:*:<Your Alibaba Cloud account ID>:role/<Name of the RAM role that you created in Step 1: Create a RAM role and configure the authorization policy>"
            }
        ],
        "Version": "1"
    }
  5. Click OK.
    Note The third statement grants ram:* on the role, which also allows the RAM user to modify or delete the role. Attaching an instance RAM role requires the ram:PassRole action on that role. If the helper script used in Step 4 needs no other RAM operation, narrow "ram:*" to "ram:PassRole" so that the RAM user can pass the role to ECS but not change it.

Step 3: Create a RAM user and grant permissions to the RAM user

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, click Create User.
  3. On the Create User page, specify Logon Name and Display Name in the User Account Information section.
    Note You can click Add User to create multiple RAM users at a time.
  4. In the Access Mode section, select OpenAPI Access and click OK.
    The User Information section displays the AccessKey ID and AccessKey secret of the created user. Record and properly keep them for subsequent use.
  5. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  6. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: If you select this option, permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: If you select this option, permissions take effect on a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  7. In the field above Authorization Policy Name, enter the name of the policy that you created in Step 2: Create a policy (AttachACMRamRoleToECSPolicy).
  8. Click OK. Then, click Complete to close the panel.

Step 4: Assign the RAM role to an ECS instance by using a mount script

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, click Applications. In the top navigation bar, select a region. In the upper part of the page, select a namespace. On the Applications page, click the name of the desired application.
  3. On the Basic Information tab of the application, click Edit in the Application Settings section, and then select Mount Script from the drop-down list.
  4. In the Mount Script dialog box, click to expand Prepare Instance Script.
  5. Enter the following script in the field, and then click Modify.
    Notice The following script embeds the AccessKey pair of the RAM user that you created in Step 3: Create a RAM user and grant permissions to the RAM user in plain text, and the mount script is stored in EDAS and run on every ECS instance that is added to the application. Grant that RAM user only the policy from Step 2, keep the AccessKey pair out of version control and logs, and disable or rotate it when it is no longer needed.
    #!/bin/bash
    # Abort on any failure so a broken download or attach does not go unnoticed.
    set -eu
    fileURL='https://edas-public.oss-cn-hangzhou.aliyuncs.com/samples/acm/attachAcmRamRole.sh'
    # Download the helper into a private temporary file instead of a fixed, predictable path in /tmp.
    file=$(mktemp /tmp/attachAcmRamRoleToEcs.XXXXXX)
    # With set -e, a failed download stops the script instead of running an empty file.
    wget -q "$fileURL" -O "$file"
    chmod 700 "$file"
    # Replace <accessKeyId> with the AccessKey ID of the RAM user.
    # Replace <accessSecret> with the AccessKey secret of the RAM user.
    # Replace <ecsRamRoleForACM> with the name of the RAM role that you created in Step 1: Create a RAM role and configure the authorization policy.
    bash "$file" <accessKeyId> <accessSecret> <ecsRamRoleForACM>
    rm -f "$file"

    After the script is run, <ecsRamRoleForACM> is assigned to the added ECS instance.
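To confirm from inside the instance that the role really was attached and that it yields usable credentials, the following added example (not part of the original page or of the ACM SDK) queries the ECS instance metadata service at the fixed address 100.100.100.200, which is where the SDK obtains temporary credentials for the role. The role name ecsRamRoleForACM and the offline stand-in fetch function are assumptions for illustration; on a real instance, call the functions without the fake fetch.

```python
"""Check that the instance RAM role assigned in Step 4 is visible and that it
issues temporary STS credentials. Added example; role name and the offline
fetch stand-in are assumptions, not values from the original page."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Fixed address of the ECS instance metadata service; the path below lists
# attached RAM roles, and <path>/<role> returns credentials for that role.
METADATA_BASE = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"


def http_fetch(url, timeout=2):
    """Real fetch: returns (status, body). Only reachable on an ECS instance."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def list_attached_roles(fetch=http_fetch):
    """Role names the metadata service reports, one per line; [] if none."""
    status, body = fetch(METADATA_BASE)
    if status != 200:
        return []
    return [line.strip() for line in body.splitlines() if line.strip()]


def get_role_credentials(role_name, fetch=http_fetch, now=None):
    """Return temporary credentials for role_name or raise RuntimeError.

    Covers the three failures seen in practice: the role is not attached
    (404), the service returned a non-Success code, or the credentials
    have already expired.
    """
    status, body = fetch(METADATA_BASE + role_name)
    if status == 404:
        raise RuntimeError(f"role {role_name!r} is not attached to this instance")
    if status != 200:
        raise RuntimeError(f"metadata service returned HTTP {status}")
    cred = json.loads(body)
    if cred.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={cred.get('Code')!r}")
    expires_at = datetime.strptime(cred["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires_at = expires_at.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires_at <= now:
        raise RuntimeError("credentials are expired")
    return {
        "access_key_id": cred["AccessKeyId"],
        "access_key_secret": cred["AccessKeySecret"],
        "security_token": cred["SecurityToken"],
        "expires_at": expires_at,
    }


# Constructed sample response in the shape the metadata service returns.
# Field names are real; the values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "EXAMPLESECRET",
    "Expiration": "2030-01-01T00:00:00Z",
    "SecurityToken": "EXAMPLETOKEN",
    "LastUpdated": "2029-12-31T18:00:00Z",
    "Code": "Success",
})


def fake_fetch(url, timeout=2):
    """Offline stand-in for http_fetch: one role attached, ecsRamRoleForACM (assumed name)."""
    if url == METADATA_BASE:
        return 200, "ecsRamRoleForACM\n"
    if url == METADATA_BASE + "ecsRamRoleForACM":
        return 200, SAMPLE_RESPONSE
    return 404, "not found"


if __name__ == "__main__":
    # On a real ECS instance, drop fetch=fake_fetch to query the metadata service.
    print("attached roles:", list_attached_roles(fetch=fake_fetch))
    creds = get_role_credentials("ecsRamRoleForACM", fetch=fake_fetch)
    print("credentials valid until", creds["expires_at"].isoformat())
```

If list_attached_roles returns an empty list on the instance, the mount script did not attach the role (check the RAM user's policy from Step 2 and the script's exit status); a 404 for the expected role name usually means the name passed as the third script argument does not match the role created in Step 1.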

Additional information