You can add tags to Elastic Compute Service (ECS) resources and attach policies that use
the tags as authentication conditions to Resource Access Management (RAM) users. The RAM
users can then run Cloud Assistant commands to manage only the ECS instances that have the
tags added, which lets you control access to those instances. This topic describes how to
use tags to control the execution of Cloud Assistant commands.
Background information
- Each tag consists of a key and a value. You can use tags to mark ECS instances as
well as categorize and manage resources. For more information, see Overview.
- RAM allows you to manage user identities and cloud resource access and operation permissions
based on policies. You can define custom policies based on regions and operations
that you want to perform on ECS instances and Cloud Assistant commands. You can attach
custom policies to RAM users to control their permissions to use Cloud Assistant commands.
For more information, see Overview of RAM users and Policy overview.
- You can use tags as match conditions in RAM policies for fine-grained resource permission
management.
The following figure shows how to use tags to manage resource access and operation
permissions of RAM users, which is called tag-based authentication.

Scenarios
This topic describes how to implement tag-based authentication to control Cloud Assistant
commands in the following scenarios:
- RAM users can run commands only on ECS instances that have specified tags added. Example tag: test:tony.
- RAM users can transfer files only to ECS instances that have specified tags added. Example tag: test:tony.
- RAM users can query tags, instances, and Cloud Assistant commands and their execution results.
Procedure
In this procedure, an Alibaba Cloud account is used to create a custom policy named
UseTagAccessResoures and attach the custom policy to a RAM user. Then, the RAM user can run
commands on or upload files to only ECS instances that have the test:tony tag added.
- Create ECS instances that have a specified tag added.
- Log on to the RAM console by using your Alibaba Cloud account.
- Create a custom policy named UseTagAccessResoures. For more information, see Create a custom policy.
You can configure multiple tag-based authentication conditions in the Condition element
of the custom policy to limit permissions on ECS resources. The following table describes
supported tag-based authentication conditions.
Tag-based authentication condition | Description
acs:RequestTag | Requires a specific tag to be included in each API request. Use this condition only for API requests that include tag-related parameters; if a request does not include them, authentication fails.
acs:ResourceTag | Requires a specific tag to be added to the specified resource. Use this condition only for API requests that include a resource ID; if a request does not include one, authentication fails.
The custom policy used in this example is as follows:
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecs:InvokeCommand",
          "ecs:RunCommand",
          "ecs:StopInvocation",
          "ecs:SendFile"
        ],
        "Resource": "acs:ecs:*:*:instance/*",
        "Condition": {
          "StringEquals": {
            "acs:ResourceTag/test": "tony"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "ecs:InvokeCommand",
          "ecs:RunCommand",
          "ecs:StopInvocation",
          "ecs:SendFile"
        ],
        "Resource": "acs:ecs:*:*:command/*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ecs:DescribeTag*",
          "ecs:DescribeInstance*",
          "ecs:DescribeCommands",
          "ecs:CreateCommand",
          "ecs:DeleteCommand",
          "ecs:ModifyCommand",
          "ecs:DescribeInvocationResults",
          "ecs:DescribeSendFileResults",
          "ecs:DescribeInstances",
          "ecs:DescribeCloudAssistantStatus",
          "ecs:DescribeInvocations",
          "ecs:DescribeResourceByTags",
          "ecs:DescribeTagKeys",
          "ecs:DescribeTags",
          "ecs:ListTagResources",
          "ecs:DescribeManagedInstances"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "oos:ListSecretParameters",
        "Resource": "*"
      }
    ]
  }
The preceding policy grants the following permissions to RAM users:
- Run Cloud Assistant commands on or send files to ECS instances that have the test:tony tag added. Sample sub-policies:
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/test": "tony"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:command/*"
    }
- Query resources such as tags, instances, and Cloud Assistant commands. Sample sub-policies:
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeTag*",
        "ecs:DescribeInstance*",
        "ecs:DescribeCommands",
        "ecs:CreateCommand",
        "ecs:DeleteCommand",
        "ecs:ModifyCommand",
        "ecs:DescribeInvocationResults",
        "ecs:DescribeSendFileResults",
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeInvocations",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:ListTagResources",
        "ecs:DescribeManagedInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "oos:ListSecretParameters",
      "Resource": "*"
    }
- Attach the UseTagAccessResoures custom policy to the RAM user whose access you want to control.
- Check whether the custom policy takes effect. Log on to the ECS console and perform the
following operations on ECS instances:
Note: When the system runs Cloud Assistant commands on or sends files to ECS instances, it
also queries the specified tag, the instances that have the tag, and the Cloud Assistant
commands associated with the tag at the same time, which is why the custom policy also grants
the query permissions.
- Run Cloud Assistant commands on ECS instances that have the test:tony tag and on ECS
instances that have other tags.
On the Commands tab of the Cloud Assistant page, find a Cloud Assistant command and click
Create Task in the Actions column to run the command on the ECS instances. In this example,
the Cloud Assistant command whose ID is c-hz02jt1ncrf**** is used. For more information,
see Run a command.
Note: If no Cloud Assistant commands are present on the Commands tab, create a Cloud
Assistant command and then perform the preceding step. For more information, see Create a
command.
- Send files to ECS instances that have the test:tony tag and to ECS instances that have
other tags.
In the upper-right corner of the Cloud Assistant page, click Send File to send a file to
the ECS instances. For more information, see Upload files to ECS instances.
If your execution results match those described in the Execution results section, the
custom policy is in effect. If they do not match, the custom policy is not in effect. To
troubleshoot the issue, see the FAQ section.
Execution results
- If the custom policy is in effect, running a Cloud Assistant command on ECS instances
produces the following results:
  - After the command is run on ECS instances that have the test:tony tag, Successful is
displayed in the Status column corresponding to the command execution task.
  - After the command is run on ECS instances that do not have the test:tony tag, you are
prompted that the command failed to run.
- If the custom policy is in effect, sending a file to ECS instances produces the following
results:
  - After the file is sent to ECS instances that have the test:tony tag added, Successful is
displayed in the Status column corresponding to the file sending task.
  - After the file is sent to ECS instances that do not have the test:tony tag added, you are
prompted that the file failed to send.
FAQ
What do I do if a custom policy is not in effect?
If the custom policy is not in effect, check whether any policy attached to the RAM user
contains a sub-policy whose Effect is Allow and whose Action element includes one or more of
the following actions without a tag condition. Because RAM grants the union of all matching
Allow statements, such a sub-policy allows the actions on every instance regardless of the
tag condition. If such a sub-policy exists, remove it from the policy that is attached to the
RAM user.
- ecs:InvokeCommand
- ecs:RunCommand
- ecs:StopInvocation
- ecs:SendFile
For example, if a custom policy that is attached to a RAM user contains the following
sub-policy, remove the sub-policy from the custom policy:
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecs:InvokeCommand",
          "ecs:RunCommand",
          "ecs:StopInvocation",
          "ecs:SendFile"
        ],
        "Resource": "*"
      }
    ]
  }
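The following added example (not part of this topic or of any Alibaba Cloud SDK) simulates how RAM evaluates the instance and command statements of the UseTagAccessResoures policy against a request, and applies the FAQ check that flags Allow sub-policies granting the command actions on instances without a tag condition. The instance ARN, region and account ID are constructed placeholders, and only the StringEquals / acs:ResourceTag condition form used on this page is modelled.

```python
import fnmatch

CMD_ACTIONS = ["ecs:InvokeCommand", "ecs:RunCommand", "ecs:StopInvocation", "ecs:SendFile"]
# The two statements of UseTagAccessResoures that govern running commands on instances.
TAG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": CMD_ACTIONS, "Resource": "acs:ecs:*:*:instance/*",
     "Condition": {"StringEquals": {"acs:ResourceTag/test": "tony"}}},
    {"Effect": "Allow", "Action": CMD_ACTIONS, "Resource": "acs:ecs:*:*:command/*"}]}
# The sub-policy the FAQ says to remove: same actions, Resource "*", no Condition.
BROAD_STATEMENT = {"Effect": "Allow", "Action": CMD_ACTIONS, "Resource": "*"}
SAMPLE_ARN = "acs:ecs:cn-hangzhou:1234567890:instance/i-sample"  # constructed; region/account are placeholders

def _matches_any(value, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_matches(condition, resource_tags):
    # Only the StringEquals / acs:ResourceTag/<key> form used on this page is modelled;
    # any other condition key is treated as not matching (assumption).
    for key, want in condition.get("StringEquals", {}).items():
        if not key.startswith("acs:ResourceTag/"):
            return False
        if resource_tags.get(key[len("acs:ResourceTag/"):]) != want:
            return False
    return True

def is_allowed(policy, action, resource, resource_tags):
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches_any(action, stmt["Action"]) and _matches_any(resource, stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def unconditional_command_grants(policy):
    """FAQ check: indexes of Allow statements granting a command action on instances with no Condition."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and "Condition" not in s
            and _matches_any(SAMPLE_ARN, s["Resource"])
            and any(_matches_any(a, s["Action"]) for a in CMD_ACTIONS)]

if __name__ == "__main__":
    print(is_allowed(TAG_POLICY, "ecs:RunCommand", SAMPLE_ARN, {"test": "tony"}))  # True
    print(is_allowed(TAG_POLICY, "ecs:RunCommand", SAMPLE_ARN, {"env": "prod"}))   # False
    print(unconditional_command_grants({"Statement": TAG_POLICY["Statement"] + [BROAD_STATEMENT]}))  # [2]
```

Appending BROAD_STATEMENT makes the untagged instance allowed as well, which is exactly the situation the FAQ tells you to fix by removing that sub-policy.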