After you add tags to applications and clusters in Enterprise Distributed Application Service (EDAS), you can use those tags to implement access control on the applications and clusters. This topic shows how to create a Resource Access Management (RAM) policy whose conditions reference tags, attach the policy to RAM users, and thereby limit the resources on which the users can act.

Prerequisites

  • Applications are deployed in EDAS. For more information, see the following topics:
    • Kubernetes clusters: Overview
    • Elastic Compute Service (ECS) clusters: Overview
  • Tags are added to the applications. For more information, see Filter resources by tag.

Background information

Alibaba Cloud implements policy-based access control. You write RAM policies that match the roles of your RAM users, reference one or more tags in the conditions of each policy, and attach one or more policies to RAM users or RAM user groups. To restrict the resources that a RAM user can access, create a custom policy and specify the tags of the resources to allow (or deny) as conditions in the policy.

Tag-based access control is enforced by RAM, not by the permission control system of EDAS, so you must use RAM if you want to use tags to implement access control. For more information about permission control in EDAS, see Overview.

In this example, three applications are deployed in EDAS. The applications run in different environments and belong to different projects, so the following tags are added to them (the condition keys in the policies below must use the same tag keys as those added to the applications):
app-001:
    Environment=TEST  #Test environment
    Team=team1        #Project 1
app-002:
    Environment=DEV   #Development environment
    Team=team1        #Project 1
app-003:
    Environment=PROD  #Production environment
    Team=team2        #Project 2
You have created three RAM users: User 1, User 2, and User 3. Following the principle of least privilege, you grant the RAM users the following permissions:
  • Grant User 1 the permissions to manage all applications in the development and test environments.
  • Grant User 2 the permissions to manage all applications for Project 1 in the test environment.
  • Grant User 3 the permissions to manage all applications except for those in the production environment.

To meet these requirements, create one custom policy per user and use the tags as conditions in each policy.

Create a custom policy that contains tags

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, set the Policy Name and Note parameters, and select Script for the Configuration Mode parameter. Then, enter the content of the custom policy in the Policy Document field and click OK.
    Parameter           Description
    Policy Name         Enter a name for the custom policy.
    Note                Describe the purpose and scope of the custom policy.
    Configuration Mode  In this example, select Script.
    Policy Document     Enter the content of the custom policy.
    The following three policy documents meet the preceding requirements. Create a separate custom policy from each document and attach it to the corresponding user:
    • Grant User 1 the permissions to manage all applications in the development and test environments. The StringEquals condition matches an application whose Environment tag has either of the listed values. An application without an Environment tag matches neither value, so the Allow does not apply to it.
      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Environment": ["DEV", "TEST"]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Grant User 2 the permissions to manage all applications for Project 1 in the test environment. Both condition keys must match: the application must carry Team=team1 and Environment=TEST.
      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Team": ["team1"],
                "edas:tag/Environment": ["TEST"]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Grant User 3 the permissions to manage all applications except for those in the production environment. The first statement allows the edas:ManageApplication action on all applications, and the second statement explicitly denies it on applications tagged Environment=PROD. An explicit Deny takes precedence over an Allow. Note that the Deny matches only applications that actually carry the PROD tag: an application that runs in production but was never tagged remains manageable, so this pattern depends on every production application being tagged.
      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Action": "edas:ManageApplication",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Environment": ["PROD"]
              }
            }
          }
        ],
        "Version": "1"
      }
    After the custom policy is created, it is displayed in the policy list.
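The following script is an added example for this topic, not EDAS or RAM code. It is a simplified model of how RAM evaluates the three policies above: an explicit Deny wins over any Allow, a request that no Allow covers is denied, a StringEquals list matches any of the listed values, and several keys under one operator must all match. It assumes the tag key is spelled Environment, uses edas:ManageApplication in the third policy as the requirement for User 3 states, and adds a constructed fourth application, app-untagged, that carries no tags at all, to show how each pattern behaves when tagging was forgotten.

```python
"""Simulate how RAM evaluates the three tag-based policies from this topic.

Added, simplified model; not EDAS or RAM code. Rules modelled: an explicit
Deny wins over any Allow, a request no Allow covers is denied, a StringEquals
list matches any listed value, and all keys under one operator must match.
Every statement in the topic uses "Resource": "*", so resources are not
filtered here.
"""
import fnmatch

# Tags of the three applications from this topic, plus one constructed case:
# an application that was never tagged.
APPLICATIONS = {
    "app-001": {"Environment": "TEST", "Team": "team1"},
    "app-002": {"Environment": "DEV", "Team": "team1"},
    "app-003": {"Environment": "PROD", "Team": "team2"},
    "app-untagged": {},  # constructed: tagging was forgotten
}

MANAGE = "edas:ManageApplication"
TAG_PREFIX = "edas:tag/"

# The three policies from this topic (User 3 uses the manage action, as the
# requirement for User 3 states).
POLICY_USER1 = {"Version": "1", "Statement": [
    {"Action": MANAGE, "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"edas:tag/Environment": ["DEV", "TEST"]}}},
]}
POLICY_USER2 = {"Version": "1", "Statement": [
    {"Action": MANAGE, "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"edas:tag/Team": ["team1"],
                                    "edas:tag/Environment": ["TEST"]}}},
]}
POLICY_USER3 = {"Version": "1", "Statement": [
    {"Action": MANAGE, "Effect": "Allow", "Resource": "*"},
    {"Action": MANAGE, "Effect": "Deny", "Resource": "*",
     "Condition": {"StringEquals": {"edas:tag/Environment": ["PROD"]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement_action, action):
    # "Action" may be a string or a list; "*" and "edas:*" style wildcards match.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement_action))


def _condition_matches(condition, tags):
    # Only StringEquals on edas:tag/<Key> is modelled, which is all the topic uses.
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator not modelled: {operator}")
        for key, expected in clauses.items():
            if not key.startswith(TAG_PREFIX):
                raise ValueError(f"condition key not modelled: {key}")
            tag_key = key[len(TAG_PREFIX):]
            # A missing tag has no value, so it never equals a listed value:
            # the statement simply does not apply to that resource.
            if tags.get(tag_key) not in _as_list(expected):
                return False
    return True  # every key under every operator matched


def evaluate(policy, action, tags):
    """Return "Allow" or "Deny" for one action on a resource with these tags."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit Deny


def access_matrix(policy, action=MANAGE):
    """Evaluate one policy against every application."""
    return {name: evaluate(policy, action, tags)
            for name, tags in APPLICATIONS.items()}


if __name__ == "__main__":
    for user, policy in (("User 1", POLICY_USER1), ("User 2", POLICY_USER2),
                         ("User 3", POLICY_USER3)):
        print(user, access_matrix(policy))
```

Running the script shows the practical difference between the two patterns: the Allow-with-condition policies of User 1 and User 2 fail closed (app-untagged is denied because no Allow matches it), whereas the Allow-all-then-Deny policy of User 3 fails open (app-untagged is allowed because the Deny only fires on a PROD tag). If you rely on a conditional Deny, make the tag mandatory on every resource it is meant to protect, or express the restriction as a conditional Allow instead.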

Attach the custom policy to RAM users

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
  5. In the Add Permissions panel, click Custom Policy in the Select Policy section. Then, search for the custom policy that you created, select it, and click OK.
  6. In the Add Permissions panel, confirm the authorization information and click Complete.

Access resources as a RAM user

Log on to the EDAS console as each RAM user and verify that the user can perform the permitted operations on the expected applications and is denied on the others. For example, User 1 can manage app-001 and app-002 but not app-003, User 2 can manage only app-001, and User 3 can manage app-001 and app-002 but not app-003.