Elastic Container Instance: Use resource groups for fine-grained resource control

Last Updated: Apr 23, 2026

When managing resources, you can combine resource groups with Resource Access Management (RAM) to implement resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes which Elastic Container Instance resources support resource groups and provides steps for granting resource group-level permissions.

How it works

You can use resource groups to group and manage resources in your Alibaba Cloud account. For example, you can create resource groups for different projects and move resources into the corresponding groups to centrally manage the resources for each project. For more information, see What is a resource group.

After you group your resources, you can grant permissions scoped to a specific resource group to different RAM principals, such as RAM users, RAM user groups, or RAM roles. This ensures that the principal can manage only resources within that resource group. For more information, see Resource grouping and authorization.

The benefits of this authorization method include:

  • Fine-grained permissions: Resources are isolated by project, so they are not all managed together under a single set of permissions.

  • Scalability: When new resources are added to the resource group, the RAM identity automatically gains the necessary permissions for them.

Grant group-level permissions to a RAM user

This procedure uses a RAM user to demonstrate how to grant permissions on Elastic Container Instance resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and transfer your resources to it. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant resource group-level permissions

You can grant resource group-level permissions by using one of the following methods.

Method 1: Resource Management console

Grant permissions to a RAM user by using the permission management feature of the resource group. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.

  • On the Manage Permissions tab, click Add Permission.

  • In the Add Permission panel, configure the principal and policy.

    • Principal: Select an existing RAM user.

    • Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom policy.

  • Click OK.

Method 2: RAM console

Grant permissions to a RAM user in the RAM console. For more information, see Manage permissions for a RAM user.

  • Log on to the RAM console by using your Alibaba Cloud account (master account) or a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, grant permissions to the RAM user.

    • Resource Scope: Select Resource Group.

    • Principal: Select the RAM user that you created, or select another existing user.

    • Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom policy.

  • Click OK.

Resource types that support resource groups

The following table lists the Elastic Container Instance resource types that support resource groups.

| Cloud service | Service code | Resource type |
| --- | --- | --- |
| Elastic Container Instance | eci | containergroup: container group |
| Elastic Container Instance | eci | imagecache: image cache |

Note

If you need resource group support for a resource type that is not listed, you can submit feedback in the Resource Management console.

Actions without resource group authorization

The following Elastic Container Instance actions do not support resource group-level authorization:

| Action | Description |
| --- | --- |
| eci:DeleteContainerGroups | - |
| eci:DeleteLaunchTemplate | - |
| eci:DescribeCommandResult | - |
| eci:DescribeContainerGroupPrice | Queries the price of an ECI instance. |
| eci:DescribeContainerInstanceStatus | - |
| eci:DescribeImageCacheMetrics | - |
| eci:DescribeUpdateConfigMapTask | - |
| eci:DescribeUpdateSecretTask | - |
| eci:DescribeVnodeCapacity | - |
| eci:ListUsage | Queries the resource quotas in a specified region, including the used amount and the upper limit. |
| eci:RunCommand | - |
| eci:UpdateVirtualNodeStatusEvents | - |
| eci:UploadVirtualNodeConfig | - |

Setting the resource scope to the resource group level has no effect for actions that do not support resource group-level authorization. To grant these permissions to a RAM user, you must create a custom policy and set the resource scope to the account level.

The following are two examples of a custom policy. You can modify the policy content as needed.

  • Allow all read-only actions that do not support resource group-level authorization:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eci:DescribeCommandResult",
            "eci:DescribeContainerGroupPrice",
            "eci:DescribeContainerInstanceStatus",
            "eci:DescribeImageCacheMetrics",
            "eci:DescribeUpdateConfigMapTask",
            "eci:DescribeUpdateSecretTask",
            "eci:DescribeVnodeCapacity",
            "eci:ListUsage"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allow all actions that do not support resource group-level authorization:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eci:DeleteContainerGroups",
            "eci:DeleteLaunchTemplate",
            "eci:DescribeCommandResult",
            "eci:DescribeContainerGroupPrice",
            "eci:DescribeContainerInstanceStatus",
            "eci:DescribeImageCacheMetrics",
            "eci:DescribeUpdateConfigMapTask",
            "eci:DescribeUpdateSecretTask",
            "eci:DescribeVnodeCapacity",
            "eci:ListUsage",
            "eci:RunCommand",
            "eci:UpdateVirtualNodeStatusEvents",
            "eci:UploadVirtualNodeConfig"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can operate on all relevant resources across the account. Always follow the principle of least privilege and grant permissions with caution to ensure that the permissions meet your security requirements.
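
The following check is an added example and is not part of the original documentation or of any Alibaba Cloud tooling. Given a policy that you plan to attach at the resource group level, it reports which of the actions listed above the policy's Allow statements match (and which therefore have no effect at that scope), builds an account-level custom policy in the format shown above that contains only those actions, and separates out the ones that fall outside the read-only example. The function names, the sample policy, and the wildcard handling (only "*", case-insensitive) are assumptions.

```python
import re

# Actions the page lists as not supporting resource group-level authorization.
READ_ONLY = {
    "eci:DescribeCommandResult", "eci:DescribeContainerGroupPrice",
    "eci:DescribeContainerInstanceStatus", "eci:DescribeImageCacheMetrics",
    "eci:DescribeUpdateConfigMapTask", "eci:DescribeUpdateSecretTask",
    "eci:DescribeVnodeCapacity", "eci:ListUsage",
}
NON_READ_ONLY = {
    "eci:DeleteContainerGroups", "eci:DeleteLaunchTemplate", "eci:RunCommand",
    "eci:UpdateVirtualNodeStatusEvents", "eci:UploadVirtualNodeConfig",
}

def _listify(value):
    """Policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Assumption: "*" is the only wildcard handled; comparison ignores case.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def ineffective_at_group_scope(policy):
    """Listed actions matched by the policy's Allow statements."""
    hits = set()
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _listify(stmt.get("Action")):
            hits |= {a for a in READ_ONLY | NON_READ_ONLY if _matches(pattern, a)}
    return sorted(hits)

def account_level_policy(policy):
    """Custom policy in the page's format granting only the matched actions."""
    actions = ineffective_at_group_scope(policy)
    if not actions:
        return None
    stmt = {"Effect": "Allow", "Action": actions, "Resource": "*"}
    return {"Version": "1", "Statement": [stmt]}

def needs_review(policy):
    """Matched actions outside the page's read-only example."""
    return sorted(set(ineffective_at_group_scope(policy)) & NON_READ_ONLY)

# Constructed sample: a policy someone plans to attach at resource group scope.
SAMPLE = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
          "Action": ["eci:Describe*", "eci:RunCommand", "eci:CreateContainerGroup"]}]}
```

For the sample, `needs_review(SAMPLE)` returns only `eci:RunCommand`, which is the one grant that would become account-wide if the generated policy were attached.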

FAQ

Viewing a resource's group

  • Method 1: Click the resource name to go to the resource details page. The page displays the resource's resource group.

  • Method 2: Log on to the Resource Management console. In the left-side navigation pane, click Resource Center > Resource Search. In the left-side navigation pane, select the account to which the resource belongs (the Current Account is selected by default), use filter conditions to find the resource, and then view its resource group.

Viewing product resources in a resource group

  • Method 1: Log on to the Resource Management console. In the left-side navigation pane, click Resource Center > Resource Search. In the left-side navigation pane, under the account to which the resource belongs (the Current Account is selected by default), click the name of the target resource group. On the right side of the page, select the product from the Select Resource Type drop-down list to view all resources of the product in the resource group.

  • Method 2: Log on to the Resource Management console. In the left-side navigation pane, click Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all resources of the product in the resource group.

Bulk-transferring resources between groups

Log on to the Resource Management console. In the left-side navigation pane, click Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the resource management page, use filter conditions to find the resources. Select the check boxes next to the resources, click Transfer Resource Group at the bottom of the page, and then follow the on-screen instructions to complete the transfer.