Resource Orchestration Service:Use RAM to control access to resources

Last Updated:Jun 01, 2023

Resource Access Management (RAM) is a service that Alibaba Cloud provides for you to manage user identities and control access to resources. You can create RAM users and authorize the RAM users to perform operations on resources. When multiple users in your enterprise need to collaboratively manage resources, you can grant the users the minimum required permissions by using RAM. This keeps your Alibaba Cloud account and password confidential and mitigates data risk.

Create RAM users and grant permissions to the RAM users

Attach a system policy to RAM users

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Settings to configure basic settings.

    On the Security Settings tab, you can configure security policies for RAM users. For more information, see Configure security policies for RAM users.

  3. In the left-side navigation pane, choose Identities > Users. On the Users page, click Create User. On the Create User page, create RAM users and configure the logon passwords and AccessKey pairs for the RAM users.

    For more information, see Create a RAM user.

  4. On the Users page, select the RAM users to which you want to grant permissions and attach a system policy to the RAM users.

    Note
    • If you want to grant the read-only permissions on ROS to the RAM users, attach the AliyunROSReadOnlyAccess policy.

    • If you want to grant all permissions on ROS to the RAM users, attach the AliyunROSFullAccess policy.

Attach a custom policy to RAM users

  1. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy to create a custom policy.

    You can attach a custom policy to RAM users to allow them to perform operations on stacks. For more information, see Create a custom policy.

    A policy can contain multiple statements. You must specify the action and resource elements for each statement. For more information about the action and resource elements that you can specify for ROS, see RAM authorization.

  2. In the left-side navigation pane, choose Identities > Users. On the page that appears, attach the custom policy to the RAM users.

    Note

    You can also attach the custom policy to RAM user groups. If you grant permissions to a RAM user group, all RAM users in the group have the permissions.

Examples of custom policies for ROS

  • Example 1: View stacks

    The following policy allows RAM users to view all stacks that are deployed in the China (Beijing) region and the details of the stacks. The wildcard character (*) matches all stacks that are deployed in the China (Beijing) region.

    {
      "Statement": [
        {
          "Action": [
            "ros:DescribeStacks",
            "ros:DescribeStackDetail"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:*:stack/*"
        }
      ],
      "Version": "1"
    }
  • Example 2: Create and view stacks

    The following policy allows RAM users to create and view stacks in all regions:

    {
      "Statement": [
        {
          "Action": [
            "ros:CreateStack",
            "ros:DescribeStacks",
            "ros:DescribeStackDetail",
            "ros:ValidateTemplate"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  • Example 3: Update a stack

    The following policy allows a RAM user to update a stack. In this example, the RAM user ID is 12345**** and the stack ID is 94dd5431-2df6-4415-81ca-732a7082****.

    {
      "Statement": [
        {
          "Action": [
            "ros:UpdateStack"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****"
        }
      ],
      "Version": "1"
    }
  • Example 4: Access all features and resources of ROS

    The following policy allows RAM users to access all features and resources of ROS, and of no other service, by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations, but only from the CIDR block 42.120.XX.XX/24 and only over HTTPS. This policy takes effect regardless of whether you use Alibaba Cloud Security Token Service (STS) to grant temporary access permissions on ROS. The policy includes the following parameters:

    • acs:SourceIp: This parameter is set to 42.120.XX.XX/24. In this case, the features and resources can be accessed only from the CIDR block 42.120.XX.XX/24.

    • acs:SecureTransport: This parameter is set to true. In this case, the features and resources can be accessed only over HTTPS.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ros:*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.XX.XX/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ],
      "Version": "1"
    }
  • Example 5: Access all features and resources of ROS, with or without access to ECS

    • If you use STS to grant temporary access permissions on ROS, you cannot specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode. In this case, you can attach the following policy to RAM users so that the RAM users can access all features and resources of ROS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.XX.XX/24 over HTTPS. This policy cannot allow the RAM users to access other services, including Elastic Compute Service (ECS).

    • If you do not use STS to grant temporary access permissions on ROS, you can attach the following policy to RAM users so that the RAM users can access all features and resources of ROS and ECS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.XX.XX/24 over HTTPS. This policy cannot allow the RAM users to access other services.

      Note

      If you do not use STS to grant temporary access permissions on ROS, you can specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode to allow access to the following services: ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS, ApsaraDB for Redis, Alibaba Cloud DNS PrivateZone, Container Service for Kubernetes (ACK), Function Compute, Object Storage Service (OSS), Log Service, API Gateway, and ActionTrail.

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ros:*",
              "ecs:*"
            ],
            "Resource": "*",
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": "42.120.XX.XX/24"
              },
              "Bool": {
                "acs:SecureTransport": "true"
              }
            }
          }
        ],
        "Version": "1"
      }
  • Example 6: Access and manage ROS resources by using tag-based authentication

    The following policy allows RAM users to manage only the ROS resources to which the {"Environment": "TEST"} tag is added. Requests for resources that do not carry this tag, including resources with no Environment tag at all, fail the condition and are denied:

    {
      "Statement": [
        {
          "Action": "ros:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "acs:ResourceTag/Environment": "TEST"
            }
          }
        }
      ],
      "Version": "1"
    }
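The following Python script is an added example; it is not part of this page and is not Alibaba Cloud's RAM engine. It models the subset of the RAM policy language used in the custom policies above (Allow statements, Action and Resource wildcards, and the IpAddress, Bool and StringEquals condition operators with the acs:SourceIp, acs:SecureTransport and acs:ResourceTag/<key> keys) so that you can check what a policy does and does not permit before attaching it. The evaluation order (implicit deny, explicit Deny wins, every condition key must match) is the standard RAM model, but the matcher itself is a simplified assumption. The 192.0.2.0/24 block stands in for the page's masked 42.120.XX.XX/24, and the sample policies and request contexts are constructed for the example.

```python
"""Simplified evaluator and auditor for Alibaba Cloud RAM policy documents.

Added example, not Alibaba Cloud's own code. Models only the policy subset
shown on this page; anything beyond that subset is an assumption.
"""
import ipaddress
import json
import re


def _as_list(value):
    """RAM allows a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _match_any(patterns, value):
    return any(_wildcard_match(p, value) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator and every key under it must match (logical AND)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:           # missing key never satisfies a condition
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    context = context or {}
    decision = "Deny"                    # implicit deny until a statement allows
    for stmt in doc["Statement"]:
        if not _match_any(stmt["Action"], action):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":     # an explicit Deny overrides any Allow
            return "Deny"
        decision = "Allow"
    return decision


def audit(policy):
    """Flag Allow statements that grant service-wide actions on all resources with no Condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        broad_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        broad_resource = "*" in _as_list(stmt["Resource"])
        if broad_action and broad_resource and "Condition" not in stmt:
            findings.append(f"statement {i}: wildcard actions on all resources without a Condition")
    return findings


# Constructed sample policies mirroring the page's examples (192.0.2.0/24 replaces 42.120.XX.XX/24).
VIEW_STACKS_BEIJING = {"Version": "1", "Statement": [{
    "Action": ["ros:DescribeStacks", "ros:DescribeStackDetail"],
    "Effect": "Allow", "Resource": "acs:ros:cn-beijing:*:stack/*"}]}

ROS_FROM_OFFICE_HTTPS = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ros:*", "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": "192.0.2.0/24"},
                  "Bool": {"acs:SecureTransport": "true"}}}]}

ROS_TAGGED_TEST = {"Version": "1", "Statement": [{
    "Action": "ros:*", "Effect": "Allow", "Resource": "*",
    "Condition": {"StringEquals": {"acs:ResourceTag/Environment": "TEST"}}}]}

ROS_UNCONDITIONAL = {"Version": "1", "Statement": [{
    "Action": "ros:*", "Effect": "Allow", "Resource": "*"}]}

STACK = "acs:ros:cn-beijing:12345:stack/94dd5431-example"  # constructed resource ARN


if __name__ == "__main__":
    print(evaluate(VIEW_STACKS_BEIJING, "ros:DescribeStacks", STACK))
    print(evaluate(ROS_FROM_OFFICE_HTTPS, "ros:DeleteStack", STACK,
                   {"acs:SourceIp": "198.51.100.7", "acs:SecureTransport": "true"}))
    print(audit(ROS_UNCONDITIONAL))
```

Run it against a policy you are about to attach and a handful of requests you expect to be allowed and denied; the audit function is the quick check for the pattern in which a wildcard Action and Resource pair is left without any Condition, which is exactly what the acs:SourceIp and acs:SecureTransport conditions in Example 4 are there to avoid.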