Resource groups let you assign different RAM users administrative control over separate sets of ECI resources — for example, giving one team access to production instances while another manages only the test environment. This guide walks you through the setup.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with Resource Access Management (RAM) enabled
Permission to create resource groups and RAM users
How it works
Each Elastic Container Instance resource — elastic container instances and image caches — belongs to exactly one resource group. When you grant a RAM user permissions scoped to a specific resource group, that user can only view and manage resources within that group.
Key behaviors:
A resource group can span multiple regions. For example, a single group can contain instances from China (Beijing) and China (Hangzhou).
Resources in different resource groups within the same region can interact. An instance in Resource Group A can join a virtual private cloud (VPC) in Resource Group B if both are in the same region.
Account-level permissions are not narrowed by resource groups. If a RAM user's permissions are granted at the account level rather than scoped to a resource group, every resource group in the account (and the resources in it) is visible to that user.
To move an existing ECI resource to a different resource group, go to the Resource Groups page in the RAM console. For details, see Transfer resources across resource groups.
Set up resource group permissions
This section uses a common scenario: separating production and test ECI resources so that RAM User A manages only production instances and RAM User B manages only test instances.
By the end of these steps, you will have:
Two resource groups, one for production and one for testing
Two RAM users, each with AliyunECIFullAccess permissions scoped to their respective resource group
Note: AliyunECIFullAccess is a system policy provided by RAM that grants all permissions for ECI operations.
Step 1: Create two resource groups
Create one resource group for the production environment and one for the test environment.
For details, see Create a resource group.
Step 2: Create two RAM users
Create RAM User A and RAM User B.
For details, see Create a RAM user.
Step 3: Grant each RAM user access to one resource group
Assign RAM User A as the administrator of the production resource group, and RAM User B as the administrator of the test resource group. Select the AliyunECIFullAccess policy when assigning permissions.
For details, see Add RAM authorization.
Step 4: Create an elastic container instance in the target resource group
Assign each instance to its resource group at creation time. If you omit the resource group, the instance is placed in the account's default resource group, and the call succeeds only if the RAM user making it is authorized on that default group.
ECI console: On the instance creation page, go to the Other Settings (Optional) step and select the resource group.
API: Call CreateContainerGroup and pass the ResourceGroupId parameter.
Verify results
After setup, each RAM user can only view and operate on ECI resources in their assigned resource group. The following table describes how resource group authentication works for each API operation.
| API operation | Must specify ResourceGroupId? | Authentication behavior |
|---|---|---|
| CreateContainerGroup | Yes (unless the user has access to the default resource group) | Authentication fails if ResourceGroupId is omitted or incorrect. If the user has permissions on the default resource group, omitting the ID places the instance in the default group. |
| DescribeContainerGroups | Yes | Authentication fails if ResourceGroupId is omitted or incorrect. Even with a valid, authorized resource group ID, only instances that belong to that group are returned; an instance ID from another resource group is filtered out of the result rather than reported. |
| DescribeContainerLog | No | The system determines the resource group from the instance and authenticates the request against that group. |
| DeleteContainerGroup | No | The system determines the resource group from the instance and authenticates the request against that group. |
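The following is an added example, not Alibaba Cloud code: a small Python model of the four authentication rules in the table, driven through the production/test scenario of Steps 1 to 4. It lets you check the scoping logic offline before granting anything in a real account. All identifiers in it (rg-prod, rg-test, rg-default, user-a, user-b, the eci-000x instance IDs) are constructed for the example, and the method names only mirror the API operation names; the real service is called through the ECI API or console, not through this class.

```python
"""Constructed model of ECI resource-group authentication (added example).
Not Alibaba Cloud code: every ID below is made up for illustration."""
from dataclasses import dataclass, field


class AuthError(Exception):
    """A request failed resource-group authentication."""


@dataclass
class Instance:
    container_group_id: str
    resource_group_id: str
    region_id: str


@dataclass
class Account:
    default_rg: str = "rg-default"               # every account has a default group
    grants: dict = field(default_factory=dict)   # RAM user -> set of authorized RG IDs
    instances: dict = field(default_factory=dict)
    _seq: int = 0

    def grant(self, ram_user, rg_id):
        # Step 3: scope the user's ECI permissions to one resource group
        self.grants.setdefault(ram_user, set()).add(rg_id)

    def _authorize(self, ram_user, rg_id):
        if rg_id not in self.grants.get(ram_user, set()):
            raise AuthError(f"{ram_user} is not authorized on {rg_id}")

    def create_container_group(self, ram_user, name, region_id, resource_group_id=None):
        # CreateContainerGroup: omitted ResourceGroupId means the default group,
        # which only works if the caller is authorized on that group
        rg = resource_group_id or self.default_rg
        self._authorize(ram_user, rg)
        self._seq += 1
        cg_id = f"eci-{self._seq:04d}"
        self.instances[cg_id] = Instance(cg_id, rg, region_id)
        return cg_id

    def describe_container_groups(self, ram_user, region_id, resource_group_id=None,
                                  container_group_ids=None):
        # DescribeContainerGroups: ResourceGroupId is mandatory; instance IDs that
        # belong to another group are filtered out, not reported as an error
        if resource_group_id is None:
            raise AuthError("ResourceGroupId is required")
        self._authorize(ram_user, resource_group_id)
        hits = [i for i in self.instances.values()
                if i.region_id == region_id and i.resource_group_id == resource_group_id]
        if container_group_ids is not None:
            hits = [i for i in hits if i.container_group_id in container_group_ids]
        return hits

    def _rg_of(self, container_group_id):
        return self.instances[container_group_id].resource_group_id

    def describe_container_log(self, ram_user, container_group_id):
        # DescribeContainerLog: the group is derived from the instance itself
        self._authorize(ram_user, self._rg_of(container_group_id))
        return f"<log of {container_group_id}>"

    def delete_container_group(self, ram_user, container_group_id):
        # DeleteContainerGroup: same derivation as DescribeContainerLog
        self._authorize(ram_user, self._rg_of(container_group_id))
        del self.instances[container_group_id]


def attempt(fn, *args, **kwargs):
    """Run one modelled API call; report ('allowed', result) or ('denied', reason)."""
    try:
        return ("allowed", fn(*args, **kwargs))
    except AuthError as exc:
        return ("denied", str(exc))


def demo():
    """Steps 1-4 for the production/test split, then the checks from the table."""
    acct = Account()
    acct.grant("user-a", "rg-prod")      # RAM User A administers production
    acct.grant("user-b", "rg-test")      # RAM User B administers test
    acct.grant("user-b", "rg-default")   # only User B may fall back to the default group

    prod = acct.create_container_group("user-a", "web", "cn-hangzhou", resource_group_id="rg-prod")
    test = acct.create_container_group("user-b", "web", "cn-beijing", resource_group_id="rg-test")

    o = {}
    # CreateContainerGroup without ResourceGroupId: denied for A, lands in rg-default for B
    o["a_create_no_rg"] = attempt(acct.create_container_group, "user-a", "batch", "cn-hangzhou")
    o["b_create_no_rg"] = attempt(acct.create_container_group, "user-b", "batch", "cn-hangzhou")
    # DescribeContainerGroups: ID required, group must be authorized, results filtered by group
    o["a_describe_no_rg"] = attempt(acct.describe_container_groups, "user-a", "cn-hangzhou")
    o["a_describe_test_rg"] = attempt(acct.describe_container_groups, "user-a", "cn-beijing",
                                      resource_group_id="rg-test")
    o["a_describe_prod_rg"] = attempt(acct.describe_container_groups, "user-a", "cn-hangzhou",
                                      resource_group_id="rg-prod")
    o["a_filter_test_id_in_prod_rg"] = attempt(acct.describe_container_groups, "user-a", "cn-beijing",
                                               resource_group_id="rg-prod", container_group_ids=[test])
    # DescribeContainerLog / DeleteContainerGroup: no ID needed, group derived from the instance
    o["b_log_of_prod"] = attempt(acct.describe_container_log, "user-b", prod)
    o["a_log_of_prod"] = attempt(acct.describe_container_log, "user-a", prod)
    o["a_delete_test"] = attempt(acct.delete_container_group, "user-a", test)
    o["b_delete_test"] = attempt(acct.delete_container_group, "user-b", test)
    return acct, o


if __name__ == "__main__":
    for name, (verdict, detail) in demo()[1].items():
        print(f"{name:30} {verdict:8} {detail}")
```

Running the script prints one verdict per check. The two results worth pausing on are the ones that succeed quietly: User B's create call without a ResourceGroupId is allowed only because B was also granted the default group, and User A's lookup of the test instance through the production group returns an empty list rather than an error, which is why a monitoring job that "sees nothing" may simply be querying the wrong group.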
What's next
Transfer resources across resource groups — move existing ECI resources between resource groups
Add RAM authorization — update permissions for RAM users