This topic describes the values of Action and Resource parameters that are used to implement Resource Access Management (RAM) authentication. You can use the Elastic Compute Service (ECS) console or call ECS API operations to authenticate team or department members, grant permissions to RAM users and roles, implement tag-based authentication, and grant permissions across cloud services. These parameters are suitable for scenarios where custom policies are created to implement fine-grained access control.

Background

Note If you already have permissions to access resources, skip this topic.
By default, both Alibaba Cloud accounts and RAM users can manage ECS resources by using the ECS console or by calling API operations. Specific permissions are required in the following scenarios:
  • A new RAM user does not have permissions required to manage resources in your Alibaba Cloud account.
  • You want to access ECS resources from other Alibaba Cloud services or access other Alibaba Cloud services from ECS.
  • Before you can manage a resource that is under access control, you must be granted the required permissions on the resource and on the relevant API operations by the resource owner.
  • Before you can manage a resource that uses tag-based authentication, you must be granted the required permissions on the resource and on the relevant API operations by the resource owner.

When an Alibaba Cloud account requests access to ECS resources in your Alibaba Cloud account by calling ECS API operations, ECS instructs RAM to perform a permission check to ensure that the requesting account has been granted the required permissions. The required permissions vary based on the requested ECS resources and API operations. For more information, see What is RAM? and List of operations by function.

Custom policies

RAM allows you to manage user identities and resource access and operation permissions based on policies. A policy is a set of access permissions. Each policy includes a version number and one or more individual statements. Each statement includes the following elements: Effect, Action, Resource, and Condition. The Condition element is optional.

Tags can be used to identify, group, or classify resources for easy management.

You can use tags as conditions in RAM policies for fine-grained resource permission management. The following list describes the tag-based conditions in RAM policies.
  • acs:RequestTag: Indicates that a specific tag must be included in each API request. If an API request does not include tag-related parameters, you cannot use the acs:RequestTag condition. Otherwise, authentication fails.
  • acs:ResourceTag: Specifies that a specific tag must be added to the specified resource. If an API request does not include a resource ID, you cannot use the acs:ResourceTag condition. Otherwise, authentication fails.

You can create a custom policy by using the RAM console or by calling the CreatePolicy operation provided by RAM. The following code provides a sample custom policy. When you create a custom policy, you must edit the policy based on the JSON template. In the policy statements, set Action and Resource to API operations and Alibaba Cloud Resource Name (ARN) values from the ARNs for API operations section and set parameters in the Condition element as described in the Tag-based authentication of requests to different API operations section. For more information, see Control access to resources by using RAM users and Policy elements.

For information about how to use tag-based authentication, see Implement fine-grained access control by using tags.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Condition": {
                "StringEquals": {
                    "acs:RequestTag/${key}": "${value}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/${key}": "${value}"
                }
            }
        }
    ]
}

ARNs for API operations

Note The following table describes ECS API operations (Action) and the ARNs that correspond to them. For more information about the format of ARNs, see Terms.
Action Resource Description
AllocatePublicIpAddress acs:ecs:$regionid:$accountid:instance/$instanceId Assigns a public IP address to an ECS instance.
ApplyAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/* Applies an automatic snapshot policy to one or more cloud disks or replaces the existing automatic snapshot policy of the cloud disks.
AttachClassicLinkVpc acs:ecs:$regionid:$accountid:instance/$instanceId Establishes a ClassicLink connection between an ECS instance of the classic network type and a virtual private cloud (VPC) to allow the instance to communicate with resources in the VPC over the internal network.
AttachDisk
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:instance/$diskId
Attaches a pay-as-you-go data disk to an ECS instance.
AttachKeyPair
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:keypair/$keypairName
Binds an SSH key pair to one or more Linux ECS instances.
AuthorizeSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo Adds an inbound rule to a security group.
AuthorizeSecurityGroupEgress acs:ecs:$regionid:$accountid:securitygroup/$groupNo Adds an outbound rule to a security group.
CancelAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/* Disables an automatic snapshot policy for one or more cloud disks.
CancelCopyImage acs:ecs:$regionid:$accountid:image/$imageNo Cancels an ongoing image copy task.
CopyImage
  • acs:ecs:$fromRegionid:$accountid:image/$imageNo
  • acs:ecs:$toRegionid:$accountid:image/*
Copies a custom image from one region to another.
ConvertNatPublicIpToEip acs:ecs:$regionid:$accountid:instance/$instanceId Converts the public IP address of an ECS instance that resides in a VPC into an elastic IP address (EIP).
CreateAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/* Creates an automatic snapshot policy.
CreateDisk
  • acs:ecs:$regionid:$accountid:disk/*
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
Creates a pay-as-you-go or subscription data disk.
CreateImage
  • acs:ecs:$regionid:$accountid:image/*
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • acs:ecs:$regionid:$accountid:instance/$instanceId
Creates a custom image.
CreateInstance
  • acs:ecs:$regionid:$accountid:instance/*
  • acs:ecs:$regionid:$accountid:image/$imageNo
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • Optional. acs:ecs:$regionid:$accountid:keypair/$keyPairName
  • acs:vpc:$regionid:$accountid:vswitch/$vswitchId
  • acs:vpc:$regionid:$accountid:vpc/$vpcId
Creates a subscription or pay-as-you-go ECS instance.
CreateKeyPair acs:ecs:$regionid:$accountid:keypair/* Creates an SSH key pair.
CreateSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/* Creates a security group. By default, a new security group allows mutual access between instances within the security group. Access requests to the security group from outside are denied. If you want to allow requests from the Internet or requests from instances within other security groups, you can call the AuthorizeSecurityGroup operation.
CreateSnapshot
  • acs:ecs:$regionid:$accountid:snapshot/*
  • acs:ecs:$regionid:$accountid:disk/$diskId
  • acs:ecs:$regionid:$accountid:volume/$volumeId
Creates a snapshot for a cloud disk.
DeleteAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/* Deletes an automatic snapshot policy.
DeleteDisk acs:ecs:$regionid:$accountid:disk/$diskId Releases a pay-as-you-go data disk.
DeleteImage acs:ecs:$regionid:$accountid:image/$imageNo Deletes a custom image.
DeleteInstance acs:ecs:$regionid:$accountid:instance/$instanceId Releases a pay-as-you-go instance or an expired subscription instance.
DeleteKeyPairs acs:ecs:$regionid:$accountid:keypair/$keyPairName Deletes one or more SSH key pairs.
DeleteSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo Deletes a security group.
DeleteSnapshot acs:ecs:$regionid:$accountid:snapshot/$snapshotId Deletes a specific snapshot.
DescribeClassicLinkInstances acs:ecs:$regionid:$accountid:instance/* Queries one or more instances of the classic network type that have established ClassicLink connections to VPCs.
DescribeDiskMonitorData acs:ecs:$regionid:$accountid:disk/$diskId Queries the monitoring data of a disk over a specific period of time.
DescribeDisks
  • acs:ecs:$regionid:$accountid:disk/$diskId
  • acs:ecs:$regionid:$accountid:disk/*
Queries one or more cloud disks and local disks that you have created.
DescribeImages
  • acs:ecs:$regionid:$accountid:image/$imageNo
  • acs:ecs:$regionid:$accountid:image/*
Queries available images.
DescribeInstanceMonitorData acs:ecs:$regionid:$accountid:instance/$instanceId Queries the monitoring data of an ECS instance.
DescribeInstances
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:instance/*
Queries the details of one or more ECS instances.
DescribeInstanceStatus acs:ecs:$regionid:$accountid:instance/* Queries the status information of one or more ECS instances.
DescribeInstanceVncUrl acs:ecs:$regionid:$accountid:instance/$instanceId Queries the Virtual Network Computing (VNC) URL of an ECS instance.
DescribeKeyPairs
  • acs:ecs:$regionid:$accountid:keypair/$keyPairName
  • acs:ecs:$regionid:$accountid:keypair/*
Queries one or more SSH key pairs.
DescribePrice acs:ecs:*:$accountid:* Queries the most recent prices of ECS resources.
DescribeRenewalPrice acs:ecs:$regionid:$accountid:instance/$instanceId Queries the renewal prices of ECS resources. Renewal prices of only subscription resources can be queried.
DescribeSecurityGroupAttribute acs:ecs:$regionid:$accountid:securitygroup/$groupNo Queries the rules of a security group.
DescribeSecurityGroups
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
  • acs:ecs:$regionid:$accountid:securitygroup/*
Queries the basic information of security groups.
DescribeSnapshotLinks
  • acs:ecs:$regionid:$accountid:disk/$diskId
  • acs:ecs:$regionid:$accountid:disk/*
Queries the snapshot chains of one or more cloud disks.
DescribeSnapshotMonitorData acs:ecs:*:$accountid:snapshot/* Queries the monitoring data of changes in snapshot sizes in a region over the last 30 days.
DescribeSnapshots
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • acs:ecs:$regionid:$accountid:snapshot/*
Queries all the snapshots of an ECS instance or a cloud disk.
DetachClassicLinkVpc acs:ecs:$regionid:$accountid:instance/$instanceId Removes the ClassicLink connection between an ECS instance of the classic network type and a VPC.
DetachDisk
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:disk/$diskId
Detaches a pay-as-you-go disk from an ECS instance.
DetachKeyPair
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:keypair/$keypairName
Unbinds an SSH key pair from one or more Linux instances.
ExportImage acs:ecs:$regionid:$accountid:image/$imageNo Exports a custom image to an Object Storage Service (OSS) bucket in the same region.
ImportImage acs:ecs:$regionid:$accountid:image/* Imports an existing image to ECS. The imported image appears as a custom image in the destination region.
ImportKeyPair acs:ecs:$regionid:$accountid:keypair/* Imports the public key of an RSA-encrypted key pair that is generated by a third-party tool. After the key pair is imported, Alibaba Cloud stores the public key. You must securely store the private key.
JoinSecurityGroup
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
Adds an ECS instance to a security group.
LeaveSecurityGroup
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
Removes an ECS instance from a security group.
ListTagResources acs:ecs:$regionid:$accountid:$resourceType/$resourceId Queries tags that are added to one or more ECS resources.
ModifyDiskAttribute acs:ecs:$regionid:$accountid:disk/$diskId Modifies the attributes of one or more disks.
ModifyImageAttribute acs:ecs:$regionid:$accountid:image/$imageNo Modifies the name and description of a custom image.
ModifyInstanceAttribute acs:ecs:$regionid:$accountid:instance/$instanceId Modifies the information of an ECS instance, such as the password, name, description, hostname, and user data. For a burstable instance, you can also change its performance mode.
ModifyInstanceAutoReleaseTime acs:ecs:$regionid:$accountid:instance/$instanceId Sets or cancels the automatic release time for a pay-as-you-go ECS instance. If you set the automatic release time for an instance, the instance is automatically released at the specified time. Proceed with caution when you call this operation.
ModifyInstanceChargeType acs:ecs:$regionid:$accountid:instance/$instanceId Changes the billing method for one or more instances. You can change the billing methods of instances between pay-as-you-go and subscription, or change the billing method of all data disks attached to an instance from pay-as-you-go to subscription.
PurchaseReservedInstancesOffering acs:ecs:$regionid:$accountid:reservedinstance Purchases a reserved instance.
DescribeReservedInstances acs:ecs:$regionid:$accountid:reservedinstance Queries purchased reserved instances.
ModifyReservedInstances acs:ecs:$regionid:$accountid:reservedinstance Splits, merges, or modifies reserved instances.
ModifyInstanceNetworkSpec acs:ecs:$regionid:$accountid:instance/$instanceId Modifies the bandwidth configurations of an ECS instance.
ModifyInstanceVncPasswd acs:ecs:$regionid:$accountid:instance/$instanceId Modifies the VNC password of an ECS instance.
ModifyInstanceVpcAttribute
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:vswitch/$vSwitchId
Modifies the VPC attributes of an ECS instance.
ModifySecurityGroupAttribute acs:ecs:$regionid:$accountid:securitygroup/$groupNo Modifies the name or description of a security group.
ModifySecurityGroupEgressRule acs:ecs:$regionid:$accountid:securitygroup/$groupNo Modifies the description of an outbound rule in a security group.
ModifySecurityGroupRule acs:ecs:$regionid:$accountid:securitygroup/$groupNo Modifies the description of an inbound rule in a security group.
ModifyPrepayInstanceSpec acs:ecs:$regionid:$accountid: Upgrades or downgrades the instance type of a subscription instance. The new instance type takes effect for the remaining lifecycle of the instance.
ModifySnapshotAttribute acs:ecs:$regionid:$accountid:snapshot/$snapshotId Modifies the name or description of a snapshot.
RebootInstance acs:ecs:$regionid:$accountid:instance/$instanceId Restarts an ECS instance that is in the Running state.
ReInitDisk acs:ecs:$regionid:$accountid:disk/$diskId Re-initializes a disk to the state that it was in when it was created.
RenewInstance acs:ecs:$regionid:$accountid:instance/$instanceId Renews a subscription ECS instance.
ReplaceSystemDisk
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:image/$imageNo
Replaces the system disk or the operating system of an ECS instance.
ResetDisk acs:ecs:$regionid:$accountid:disk/$diskId Rolls back a disk to a specific point in time based on a snapshot of the disk.
ResizeDisk acs:ecs:$regionid:$accountid:disk/$diskId Resizes a cloud disk. You can resize a system disk or a data disk.
RevokeSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo Deletes an inbound security group rule. After the rule is deleted, the access control implemented by it is removed.
RevokeSecurityGroupEgress acs:ecs:$regionid:$accountid:securitygroup/$groupNo Deletes an outbound security group rule. After the rule is deleted, the access control implemented by it is removed.
RunInstances
  • acs:ecs:$regionid:$accountid:instance/*
  • acs:ecs:$regionid:$accountid:image/$imageNo
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • acs:ecs:$regionid:$accountid:keypair/$keyPairName
Creates one or more pay-as-you-go or subscription ECS instances.
StartInstance acs:ecs:$regionid:$accountid:instance/$instanceId Starts an instance.
StopInstance acs:ecs:$regionid:$accountid:instance/$instanceId Stops an instance.
TagResources acs:ecs:$regionid:$accountid:$resourceType/$resourceId Creates and adds tags to specified ECS resources.
UntagResources acs:ecs:$regionid:$accountid:$resourceType/$resourceId Removes tags from specified ECS resources. After a tag is removed from a resource, it is automatically deleted if it is not added to other resources.

Tag-based authentication of requests to different API operations

After policies that contain tag-based conditions are attached to a RAM user, requests made by the RAM user to API operations are authenticated based on the tags specified in the policy conditions. The following table describes various cases in which requests to different API operations are authenticated based on tags.

Operations used to create resources, such as RunInstances and CreateDisk: You do not need to specify resource IDs in API requests. When no resource IDs are specified in API requests, the requests are matched against the acs:RequestTag policy condition.
  • If a request contains no tags from the policy condition, authentication fails.
  • If the tags contained in a request match or include the tags from the policy condition, authentication succeeds.

Operations used to query resources, such as DescribeInstances and DescribeDisks: You can optionally specify resource IDs in API requests. API requests are matched against the acs:ResourceTag or acs:RequestTag policy condition.
  • If a request contains tags and resource IDs, authentication succeeds only when these tags and the tags of the resources both match the tags specified in the acs:ResourceTag policy condition.
  • If a request contains resource IDs but no tags, authentication succeeds only when the tags of the resources match the tags specified in the acs:ResourceTag policy condition.
  • If a request contains tags but no resource IDs, authentication succeeds only when these tags match those specified in the acs:RequestTag policy condition.
  • If a request contains no tags and no resource IDs, authentication fails.
Note For API operations that are used to query resources, the system returns an empty result and does not report an error if the authentication fails.

Operations used to modify resources, such as ModifyInstanceAttribute and ModifyDiskAttribute: You must specify resource IDs in API requests, and the requests are matched against the acs:ResourceTag policy condition.
  • If a request contains no tags and the tags of the specified resource match the tags specified in the policy condition, authentication succeeds.
  • If a request contains tags on which the RAM user has permissions, authentication succeeds only when these tags and the tags of the specified resource both match the tags specified in the policy condition.

Operations used to manage resources, such as StartInstance, RebootInstance, and StopInstance: You must specify resource IDs in requests, and the requests are matched against the acs:ResourceTag policy condition.
  • If the tags of the specified resource do not match the tags specified in the policy condition, authentication fails.
  • If the tags of the specified resource match the tags specified in the policy condition, authentication succeeds.
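As an added example that is not part of the original documentation, the following Python script simulates the tag-based authentication rules in the table above against a policy built from the page's JSON template. The account ID, tag key and value, operation classes and resource tags are constructed assumptions, and Resource ARN matching is left out so that only the Action match and the tag conditions are exercised.

```python
import fnmatch
import json

# Constructed sample policy: the page's template with placeholders filled in (values are assumptions).
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:RunInstances", "ecs:DescribeInstances"],
     "Resource": ["acs:ecs:*:123456789012****:instance/*"],
     "Condition": {"StringEquals": {"acs:RequestTag/team": "blue"}}},
    {"Effect": "Allow",
     "Action": ["ecs:Describe*", "ecs:ModifyInstanceAttribute", "ecs:StopInstance"],
     "Resource": ["acs:ecs:*:123456789012****:instance/*"],
     "Condition": {"StringEquals": {"acs:ResourceTag/team": "blue"}}}
  ]
}""")

# Operation classes from the authentication table (a constructed subset of ECS actions).
OP_CLASS = {"RunInstances": "create", "CreateDisk": "create",
            "DescribeInstances": "query", "DescribeDisks": "query",
            "ModifyInstanceAttribute": "modify", "ModifyDiskAttribute": "modify",
            "StartInstance": "manage", "RebootInstance": "manage", "StopInstance": "manage"}

def _required(stmt, prefix):
    """Tags a statement requires under a condition key prefix, e.g. {'team': 'blue'}."""
    eq = stmt.get("Condition", {}).get("StringEquals", {})
    return {k[len(prefix):]: v for k, v in eq.items() if k.startswith(prefix)}

def _matches(required, actual):
    """Every required tag is present with the same value; extra tags in `actual` are allowed."""
    return bool(required) and all(actual.get(k) == v for k, v in required.items())

def _statement_allows(stmt, op, request_tags, resources):
    """Apply the table's rules for one statement. `resources` maps resource ID -> its tags."""
    req, res = _required(stmt, "acs:RequestTag/"), _required(stmt, "acs:ResourceTag/")
    if not req and not res:
        return True  # no tag condition: plain Allow
    # acs:ResourceTag needs resource IDs and acs:RequestTag needs tag parameters; otherwise it fails.
    if (res and not resources) or (req and not request_tags):
        return False
    every_resource_ok = bool(resources) and all(_matches(res, t) for t in resources.values())
    if op == "create" or (op == "query" and not resources):  # no IDs: only acs:RequestTag
        return _matches(req, request_tags)
    if op == "manage":  # IDs required; only the resource's own tags are checked
        return every_resource_ok
    # query with IDs, or modify: resource tags must match, and so must request tags if any
    return every_resource_ok and (not request_tags or _matches(res, request_tags))

def authorize(policy, action, request_tags=None, resources=None):
    """True if some Allow statement whose Action matches authorizes the request."""
    request_tags, resources = request_tags or {}, resources or {}
    op = OP_CLASS[action]
    if op in ("modify", "manage") and not resources:
        return False  # these operations must carry resource IDs
    return any(stmt["Effect"] == "Allow"
               and any(fnmatch.fnmatchcase("ecs:" + action, a) for a in stmt["Action"])
               and _statement_allows(stmt, op, request_tags, resources)
               for stmt in policy["Statement"])
```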