Using tags for RAM user authentication - Elastic Container Instance

This allows you to grant different users permissions for different cloud resources.

Background information

You can use tags to identify and categorize cloud resources. Resource Access Management (RAM) uses policies to control access to and operations on these resources. By combining tags and RAM, you can use tags as conditions in a policy to achieve fine-grained permission management for cloud resources.

The logic of controlling RAM user permissions based on tags, also known as tag-based authentication, is as follows:

标签鉴权逻辑

Note

ECI resources that support tags include ECI instances, image caches, and virtual nodes. You can attach tags to ECI resources only when you create or update them. For more information, see Use tags to manage ECI instances.

Configuration example

Example scenario

This topic uses the following scenario to demonstrate tag-based authentication.

Assume that you need to restrict a RAM user to operating only on ECI resources with a specific tag, for example, env:test, as shown in the following figure: 标签鉴权

The specific requirements are as follows:

Requirement 1: To create an ECI resource, the user must tag it with env:test during creation.
Requirement 2: The user can operate only on ECI resources tagged with env:test.
Requirement 3: When querying ECI resources, the user can view only the resources that are tagged with env:test.

Step 1: Configure and grant a custom policy

Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

Configure the custom policy.

Click the Import Policy tab.
In the dialog box that appears, select System Policy from the filter options on the right. Then, search for and select AliyunECIFullAccess, and click Import.
AliyunECIFullAccess is the default system policy for managing ECI resources. It includes permissions to operate on ECI resources, query related resources such as security groups and VPCs, and create a service-linked role for ECI.
Click the JSON Editor tab.

Modify the policy content in the editor, and then click Next to edit policy information.

Note

A policy is a set of access permissions. It consists of a version number and a list of statements. Each statement includes an effect (Effect), actions (Action), resources (Resource), and optional conditions (Condition). For more information, see Policy structure and syntax and Policy elements.

In the Condition element of a policy, you can add tag-based conditions to restrict permissions. The following tag condition keys are supported:

Tag condition key

Description

acs:RequestTag

Restricts the request to include a specific tag.

If an API request does not include a tag parameter, you cannot use acs:RequestTag in the policy. Otherwise, authentication fails.

acs:ResourceTag

Restricts operations to resources that contain a specific tag.

If an API request does not include a resource ID parameter, you cannot use acs:ResourceTag in the policy. Otherwise, authentication fails.

Note

When you design a permission policy, you can set acs:RequestTag or acs:ResourceTag based on your business requirements and the characteristics of the API operation, such as whether it requires a resource ID or supports passing tags. For more information, see API authentication.

To meet the requirements in the example scenario, design the policy as follows:

Requirement	Policy
An ECI resource can be created only if it is tagged with `env:test`.	`{ "Effect": "Allow", "Action": "eci:Create", "Resource": "", "Condition": { "StringEquals": { "acs:RequestTag/env": "test" } } }`
The user can operate only on ECI resources that are tagged with env:test.	`{ "Effect": "Allow", "Action": "eci:", "Resource": "", "Condition": { "StringEquals": { "acs:ResourceTag/env": "test" } } }`
When querying ECI resources, the user can view only resources that are tagged with env:test.	`{ "Effect": "Allow", "Action": "eci:Describe", "Resource": "", "Condition": { "StringEquals": { "acs:RequestTag/env": "test" } } }`

The complete example policy, which includes the permissions from AliyunECIFullAccess, is as follows:

{
 "Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": "eci:Create*",
   "Resource": "*",
   "Condition": {
    "StringEquals": {
     "acs:RequestTag/env": "test"
    }
   }
  },
  {
   "Effect": "Allow",
   "Action": "eci:*",
   "Resource": "*",
   "Condition": {
    "StringEquals": {
     "acs:ResourceTag/env": "test"
    }
   }
  },
  {
   "Effect": "Allow",
   "Action": "eci:Describe*",
   "Resource": "*",
   "Condition": {
    "StringEquals": {
     "acs:RequestTag/env": "test"
    }
   }
  },
  {
   "Action": [
    "ecs:DescribeSecurityGroups"
   ],
   "Resource": "*",
   "Effect": "Allow"
  },
  {
   "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:DescribeEipAddresses"
   ],
   "Resource": "*",
   "Effect": "Allow"
  },
  {
   "Action": "ram:CreateServiceLinkedRole",
   "Resource": "*",
   "Effect": "Allow",
   "Condition": {
    "StringEquals": {
     "ram:ServiceName": [
      "eci.aliyuncs.com",
      "vnode.eci.aliyuncs.com"
     ]
    }
   }
  }
 ]
}

Note

If you use OpenAPI to operate on ECI resources, the AliyunECIFullAccess policy is sufficient. If you use the ECI console, you must grant additional permissions. For more information, see Grant permissions to a RAM user.

Enter a name for the policy and click OK.

Grant the custom policy to a RAM user.
1. In the left-side navigation pane, choose Identities > Users.
2. Create a RAM user.
  If you do not have a RAM user, create one based on your management needs. For more information, see Create a RAM user.
3. Grant permissions to the RAM user.
  Grant the custom policy to the RAM user. For more information, see Manage permissions for a RAM user.

Step 2: Verify the policy

Log on to OpenAPI Explorer as the RAM user.
Verify that the policy is effective.
The following tests use an ECI instance as an example:
- Create an ECI instance
  - If you set the env:test tag, the instance is created successfully.
  - If you do not set a tag or you set a different tag, the creation fails and a permission denied error is returned.
- Delete an ECI instance
  - If an ECI instance is tagged with env:test, the deletion succeeds.
  - If an ECI instance is not tagged with env:test, the deletion fails and returns a permission denied error.
- Query an ECI instance
  - If you specify an instance that is tagged with env:test but do not specify a tag in the query, the query returns information about the specified ECI instance.
  - If you specify an instance that is not tagged with env:test, the query returns an empty result.
  - If you do not specify an instance and set only the env:test tag in the query, the query returns information about all instances with the env:test tag.
  - If you do not specify an instance or a tag, the query returns an empty result.

API authentication

The following table describes how API calls from a RAM user with a tag-based policy are authenticated.

Operation	Description
Create operations, such as CreateContainerGroup and CreateImageCache	These operations do not require a resource ID, so authentication is based on `acs:RequestTag`: Authentication fails if the request does not include the authorized tag. Authentication succeeds if the request includes the authorized tag.
Query operations, such as DescribeContainerGroups and DescribeImageCaches	These operations can optionally specify a resource ID or provide tags, so authentication is based on either `acs:ResourceTag` or `acs:RequestTag`: If you provide both a resource ID and tags, authentication succeeds if the tag of the specified resource matches `acs:ResourceTag` or the provided tag matches `acs:RequestTag`. Otherwise, authentication fails. If you provide a resource ID but no tags, authentication succeeds if the tag of the specified resource matches `acs:ResourceTag`. Otherwise, authentication fails. If you provide tags but no resource ID, authentication succeeds if the provided tags match `acs:RequestTag`. Otherwise, authentication fails. If you provide neither a resource ID nor tags, authentication fails. Note If authentication for a query operation fails, an empty result is returned instead of an error.
Update operations, such as UpdateContainerGroup and UpdateImageCache	These operations require a resource ID, so authentication is based on `acs:ResourceTag`: If you do not provide tags, authentication succeeds if the tag of the specified resource matches the condition. Otherwise, authentication fails. If you provide tags to update existing ones, authentication succeeds only if the resource's current tag matches the condition and the user has permission for the new tag. Otherwise, authentication fails. Note When you update tags, the RAM user must have permission for the resource's current tags and permission to apply the new tags. This may require policy conditions for both the original and new tags.
Other operations, such as RestartContainerGroup and ExecContainerCommand	These operations require a resource ID, so authentication is based on `acs:ResourceTag`: Authentication fails if the tag of the specified resource does not match the condition. Authentication succeeds if the tag of the specified resource matches the condition.