To test a service in Enterprise Distributed Application Service (EDAS), a service consumer (client-side application) calls a service provider (server-side application) deployed in your virtual private cloud (VPC). When a Resource Access Management (RAM) user initiates a service test, Alibaba Cloud authenticates the request through RAM. If the RAM user lacks the required permissions, the test request is denied. To enable service testing, create a custom RAM policy with the minimum required permissions and attach it to the RAM user.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account with RAM administrative privileges
EDAS-defined permissions replaced with RAM policies. For more information, see Replace EDAS-defined permissions with RAM policies.
Required permissions
Service testing requires two actions:
| Action | Description |
|---|---|
| edas:ReadService | Read service metadata for the target application |
| edas:TestService | Run service tests against the target application |
Both actions use the following resource ARN format:
acs:edas:<region-id>:*:namespace/<namespace>/application/<application-id>

| Field | Description | Example |
|---|---|---|
| <region-id> | Region where the application is deployed | cn-hangzhou |
| <namespace> | Microservices namespace of the application | cn-hangzhou:test |
| <application-id> | ID of the application to test | a1b2c3d4-xxxx-xxxx |
To grant access to all applications across all microservices namespaces, set both <namespace> and <application-id> to *.
Create and attach a custom policy
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
In the code editor, enter the following policy and click Next to edit policy information. Replace <region-id>, <namespace>, and <application-id> with your values.
Note: To allow testing on all applications, use a wildcard (*) for both <namespace> and <application-id>. Follow the principle of least privilege and scope permissions to specific namespaces and applications whenever possible.
```json
{
  "Statement": [
    {
      "Action": [
        "edas:ReadService"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:edas:<region-id>:*:namespace/<namespace>/application/<application-id>"
      ]
    },
    {
      "Action": [
        "edas:TestService"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:edas:<region-id>:*:namespace/<namespace>/application/<application-id>"
      ]
    }
  ],
  "Version": "1"
}
```
Edit the basic information and click OK. The Created message confirms that the policy was created.
Attach the custom policy to a RAM user. For more information, see Grant permissions to RAM users.
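The following is an added example, not part of the EDAS documentation: it builds the policy above from concrete values and audits a policy document for wildcard scope or actions beyond the two listed on this page before you paste it into the console. The function names `build_policy` and `audit_policy` are hypothetical, and the sample values are the example values from the tables above.

```python
import json
import re

ACTIONS = ("edas:ReadService", "edas:TestService")  # the two actions this page requires
# Resource layout from this page:
# acs:edas:<region-id>:*:namespace/<namespace>/application/<application-id>
ARN_RE = re.compile(r"^acs:edas:([^:]+):\*:namespace/(.+)/application/([^/]+)$")


def build_policy(region_id, namespace, application_id):
    """Return the page's two-statement policy for one region/namespace/application."""
    arn = f"acs:edas:{region_id}:*:namespace/{namespace}/application/{application_id}"
    return {
        "Statement": [
            {"Action": [action], "Effect": "Allow", "Resource": [arn]}
            for action in ACTIONS
        ],
        "Version": "1",
    }


def audit_policy(policy):
    """List least-privilege findings: wildcard scope, missing or extra actions."""
    as_list = lambda v: [v] if isinstance(v, str) else list(v)
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        granted.update(as_list(stmt.get("Action", [])))
        for arn in as_list(stmt.get("Resource", [])):
            match = ARN_RE.match(arn)
            if not match:
                findings.append(f"unexpected resource format: {arn}")
                continue
            for field, value in zip(("region", "namespace", "application"), match.groups()):
                if "*" in value:
                    findings.append(f"wildcard {field} in {arn}")
    findings += [f"missing action: {a}" for a in ACTIONS if a not in granted]
    findings += [f"action beyond service testing: {a}" for a in sorted(granted - set(ACTIONS))]
    return findings


if __name__ == "__main__":
    # Constructed sample values, taken from the example column of the table above.
    policy = build_policy("cn-hangzhou", "cn-hangzhou:test", "a1b2c3d4-xxxx-xxxx")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy) or "no findings")
```

An empty findings list means the policy grants exactly the two service-testing actions on a single named application.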
What to do next
After the RAM user has the required permissions, they can create a service consumer and test services in EDAS.