By default, an Alibaba Cloud account has full permissions on every resource it owns. To limit exposure, do not use the account's own credentials for day-to-day work; create Resource Access Management (RAM) identities (RAM users and RAM roles) instead, and attach policies that control exactly which Elastic GPU Service resources each identity can access.
Elastic GPU Service shares the same access control mechanisms as Elastic Compute Service (ECS): identities, policies, and service-linked roles. The sections below describe each mechanism.
Identities
RAM users and RAM roles are the two identity types you can grant permissions to. A RAM user is a long-term identity tied to one person or application and holds its own long-term credentials (a logon password or an AccessKey pair). A RAM role is a virtual identity with no long-term credentials: a trusted entity (an Alibaba Cloud service, an application, or another Alibaba Cloud account) assumes the role and receives a temporary Security Token Service (STS) token, which makes roles the right choice for cross-account access and service-to-service authorization. Grant each identity only the permissions it needs, and prefer a role over a RAM user with a long-lived AccessKey wherever a workload can assume one. For more information, see Identities.
Policies
Two types of identity-based policies are supported: system policies and custom policies. Attach a policy to a RAM identity to grant the permissions defined in that policy.
System policy: Predefined policies that Alibaba Cloud creates and maintains. Attach them to get started quickly with common permission sets, such as read-only or full access to ECS. You can attach a system policy but cannot edit it, and its scope is usually broad. For more information, see System policies for ECS.
Custom policy: Policies you create, update, and delete yourself. Use a custom policy when a system policy grants more than an identity needs; a custom policy can restrict an identity to specific API operations on specific resources. For more information, see Custom policies for ECS.
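The following is an added example, not code from this page or from Alibaba Cloud. It shows the difference between a broad system-style policy and a narrow custom policy by running both through a simplified model of how RAM decides a request: default deny, an explicit Deny beats any Allow, and a statement matches only if both its Action and its Resource patterns match. The policy contents, the account ID, the instance ID, and the evaluator itself are constructed for illustration; the real service also evaluates Condition elements, policies inherited through RAM user groups, and resource-group-level policies.

```python
import fnmatch

# Constructed custom policy (an assumption for this example, not a policy from
# the page): read-only ECS calls anywhere, start/stop/reboot on one GPU
# instance, and an explicit deny on every delete action. Actions use RAM's
# "service:Action" form; resources use
# "acs:service:region:account-id:resource-type/resource-id".
GPU_OPERATOR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:RebootInstance"],
            "Resource": "acs:ecs:cn-hangzhou:1234567890123456:instance/i-gpu-example",
        },
        {"Effect": "Deny", "Action": "ecs:Delete*", "Resource": "*"},
    ],
}

# Modelled on a broad full-access system policy (constructed, not a copy of one):
# every ECS action on every resource.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM wildcards: '*' matches any run of characters, '?' one character.
    # Matching is done case-insensitively here; this is a simplification of
    # the service's own rules.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified RAM decision for one identity-based policy.

    Default deny; an explicit Deny on a matching statement wins immediately;
    otherwise Allow if at least one statement matches both action and resource.
    """
    allowed = False
    for statement in policy["Statement"]:
        if _matches(statement["Action"], action) and _matches(statement["Resource"], resource):
            if statement["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def compare(policies, action, resource):
    """Return {policy_name: decision} so policies can be checked side by side."""
    return {name: evaluate(p, action, resource) for name, p in policies.items()}


if __name__ == "__main__":
    gpu = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-gpu-example"
    other = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-other"
    policies = {"custom": GPU_OPERATOR_POLICY, "full-access": FULL_ACCESS_POLICY}
    for action, resource in [
        ("ecs:DescribeInstances", other),
        ("ecs:StopInstance", gpu),
        ("ecs:StopInstance", other),
        ("ecs:DeleteInstance", gpu),
    ]:
        instance_id = resource.rsplit("/", 1)[1]
        print(f"{action:22} {instance_id:14} {compare(policies, action, resource)}")
```

Run it and the custom policy allows DescribeInstances everywhere, allows StopInstance only on i-gpu-example, and denies DeleteInstance even on that instance, while the full-access policy allows all four. When auditing a custom policy, walk through the destructive actions this way before attaching it: an Allow with Action "ecs:*" or Resource "*" is the usual sign that the policy is no narrower than the system policy it replaced.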
Service-linked roles
A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service. Elastic GPU Service assumes its service-linked roles to access other cloud services or resources on your behalf. The service creates the role when it is first needed, and the role's permission policy is defined by the service and cannot be edited, so it cannot be repurposed to widen a RAM user's permissions. For more information, see Service-linked roles.
RAM role-based access to KMS keys
To use Key Management Service (KMS) keys to encrypt ECS resources such as disks, snapshots, or images, use a RAM role to authorize ECS to access the KMS keys. To share encrypted snapshots or images with other Alibaba Cloud accounts, first grant those accounts access to the KMS key that protects them; without that access the recipient can see the shared resource but cannot decrypt its data key and therefore cannot use it. For more information, see Grant access to KMS keys through RAM roles.