You can assign a Resource Access Management (RAM) role to an Elastic Compute Service (ECS) instance so that it can access Application Configuration Management (ACM) without an AccessKey pair being configured on the instance. This method improves security. This topic describes how to automatically assign a RAM role to an ECS instance for ACM access when you add the ECS instance to an application by using a mount script in EDAS.
Background
In the past, if an application deployed on an ECS instance needed to access ACM, you had to store the AccessKey pair as a configuration file or in another form on the ECS instance. This made AccessKey pair management more complex and increased the risk of AccessKey pair leakage. For information about how to create an AccessKey pair, see Create an AccessKey pair.
Now, you can associate a RAM role with an ECS instance and set the RAM role parameters in the ACM SDK (version 1.0.8 and later). This way, you can access ACM without the need to configure an AccessKey pair. For more information, see Overview. In addition, you can use RAM roles and authorization policies to grant ECS instances different permissions to access ACM. For more information, see What is RAM? For example, if you grant read-only permissions to a RAM role, the application on the ECS instance with which the RAM role is associated can only read ACM configurations; it cannot add or modify them.
Prerequisites
RAM is activated. For more information, see Billing methods.
Step 1: Create a RAM role and configure an authorization policy
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM role: enter AliyunACMFullAccess in the search box, click the AliyunACMFullAccess policy to add it to the Selected column on the right, and then click OK. If you need to configure encryption and decryption, also add the AliyunKMSCryptoAdminAccess authorization policy to this RAM role. The role is now granted all permissions of ACM.
- Click OK.
- Click Complete.
Step 2: Create a policy in RAM
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click JSON. On the JSON tab that appears, enter a custom policy for the test service, and then click Next: Edit Basic Information.
The following policy is a sample permission policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:AttachInstanceRamRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ecs:DescribeInstanceRamRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:*",
      "Resource": "acs:ram:*:<ID of your Alibaba Cloud account>:role/<Name of the RAM role that you have created>"
    }
  ],
  "Version": "1"
}
- Enter AttachACMRamRoleToECSPolicy in the Policy Name field and enter information in the Note field.
- Click OK. If the message The custom policy has been created appears, the custom policy is created.
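The following Python helper is an example added here and is not part of the EDAS or ACM documentation. It fills the two placeholders in the Step 2 policy from a constructed account ID and role name, and then checks that the result stays as narrow as the sample: the ram:* statement is bound to exactly one role ARN, only the two ECS actions are allowed, and no placeholder is left unfilled.

```python
import json

# Resource ARN pattern used by the Step 2 sample policy; the account ID and
# role name are supplied by the caller (constructed values in this example).
RAM_ROLE_ARN = "acs:ram:*:{account_id}:role/{role_name}"
ALLOWED_ECS_ACTIONS = {"ecs:AttachInstanceRamRole", "ecs:DescribeInstanceRamRole"}


def build_attach_policy(account_id: str, role_name: str) -> dict:
    """Return the Step 2 custom policy with its two placeholders filled in."""
    return {
        "Statement": [
            {"Effect": "Allow", "Action": "ecs:AttachInstanceRamRole", "Resource": "*"},
            {"Effect": "Allow", "Action": "ecs:DescribeInstanceRamRole", "Resource": "*"},
            {"Effect": "Allow", "Action": "ram:*",
             "Resource": RAM_ROLE_ARN.format(account_id=account_id, role_name=role_name)},
        ],
        "Version": "1",
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_attach_policy(policy: dict) -> list:
    """Return findings for anything that widens the policy beyond Step 2.

    The RAM user only has to attach one role to ECS instances, so ram:* must be
    scoped to that role's ARN and the ECS actions must stay describe/attach only.
    """
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any("<" in r for r in resources):
            findings.append(f"statement {i}: Resource still contains a placeholder")
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every service")
            elif action.startswith("ram:"):
                if any(r == "*" or r.endswith(":role/*") for r in resources):
                    findings.append(f"statement {i}: {action} is not scoped to a single role ARN")
            elif action.startswith("ecs:"):
                if action not in ALLOWED_ECS_ACTIONS:
                    findings.append(f"statement {i}: {action} is not needed to attach a RAM role")
            else:
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


if __name__ == "__main__":
    policy = build_attach_policy("123456789012345678", "ecsRamRoleForACM")  # constructed values
    print(json.dumps(policy, indent=2))
    print(lint_attach_policy(policy) or "policy matches the Step 2 sample")
```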
Step 3: Create a RAM user and attach the policy to the RAM user
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the following parameters:
- Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
- Display Name: The display name can be up to 128 characters in length.
- Optional: Tag: You can click the icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note: You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select OpenAPI Access and click OK. RAM automatically generates an AccessKey pair for the RAM user. This way, the RAM user can access ACM by calling the required API operations. Record and securely store the AccessKey pair for subsequent use.
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, set Authorized Scope.
- In the field above Authorization Policy Name, enter the name of the custom policy that you created. For more information, see Step 2: Create a policy in RAM.
- Click OK.
Step 4: Assign the RAM role to an ECS instance by using a mount script
- Log on to the EDAS console.
- In the left-side navigation pane, choose . In the top navigation bar, select the region. In the upper part of the Applications page, select the microservices namespace from the Microservice Namespace drop-down list and then click the name of the desired application.
- On the Basic Information tab of the application, find the Application Settings section and click Mount Script.
- In the Mount Script dialog box, click to expand Prepare Instance Script.
- Enter the following script in the field, and then click Modify.
Important: The following script contains the AccessKey pair of the RAM user that you created. Keep the AccessKey pair secure. For more information about how to obtain the AccessKey pair, see Step 3: Create a RAM user and attach the policy to the RAM user.
#!/bin/sh
fileURL='https://edas-public.oss-cn-hangzhou.aliyuncs.com/samples/acm/attachAcmRamRole.sh'
file=/tmp/attachAcmRamRoleToEcs.sh
# Download the helper script; use POSIX redirection because "&>" is a bash
# extension that is not valid under #!/bin/sh. Stop if the download fails.
wget "$fileURL" -O "$file" >/dev/null 2>&1 || exit 1
chmod +x "$file"
# Replace <accessKeyId> with the AccessKey ID of the RAM user.
# Replace <accessSecret> with the AccessKey secret of the RAM user.
# Replace <ecsRamRoleForACM> with the name of the RAM role that you created.
bash "$file" <accessKeyId> <accessSecret> <ecsRamRoleForACM>
After the script is run, <ecsRamRoleForACM> is assigned to the added ECS instance.