Grant permissions to RAM users - Image Search - Alibaba Cloud Documentation Center

Before you access Image Search as a RAM user, you must grant permissions to the RAM user. This topic describes how to grant a RAM user the permission to access Image Search.

Background information

Resource Access Management (RAM) is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users, such as individuals, systems, and applications. You can manage permissions of RAM users to control access to Alibaba Cloud resources. If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks.

Overview

Before you access Image Search as a RAM user, you must grant permissions to the RAM user. You can grant permissions by using the following policies:

General policies
Custom policies

We recommend that you attach general policies to RAM users. This avoids complex configuration. If general policies cannot meet your business needs, you can create custom policies.

Regions that support RAM user authorization

The following table lists the regions in which you can grant permissions to RAM users of Image Search.

Region	RegionId
China (Shanghai)	cn-shanghai
Singapore (Singapore)	ap-southeast-1
China (Hong Kong)	cn-hongkong
Japan (Tokyo)	ap-northeast-1
Germany (Frankfurt)	eu-central-1

General policies

Image Search provides the following two types of general policies. You can select the general policies based on your business needs.

AliyunImagesearchReadOnlyAccess: the read-only permission to access Image Search. This permission can be granted to read-only users.
AliyunImagesearchFullAccess: the permission to manage Image Search. This permission can be granted to administrators.

The procedure is as follows:

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Permissions > Grants.
On the Permission page, click Grant Permission.
In the Grant Permission panel, grant permissions to the RAM user.
1. Configure the Resource Scope parameter.
  - Account: The authorization takes effect on the current Alibaba Cloud account.
  - Resource Group: The authorization takes effect on a specific resource group.
    Important
    If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Configure the Principal parameter.
  The principal is the RAM user to which you want to grant permissions. You can select multiple RAM users at a time.
3. Configure the Policy parameter.
  A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
  - System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
    Note
    The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
  - Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
4. Click Grant permissions.
Click Close.

Custom policies

Image Search supports only instances as the resource type. You must specify resources in policies in the following ways:

Resource type: instance
Format in which resources are specified in authorization policies: acs:imagesearch:$regionid:$accountid:instance/$instance
- $regionid: the ID of the region where Image Search resides. If this option is not required, you can use an asterisk (*) as a wildcard character.
- $accountid: the ID of the Alibaba Cloud account, such as 123456789012****. If no ID is required or available, you can use an asterisk (*) instead.
- $instance: the name of the instance, such as demo123. If no instance name is required or available, you can use an asterisk (*) instead.

Table 1. Action permissions on different resources
Resource	Actions
instance/*	The following action permissions are described: ClearInstance: clears all the instances. DescribeInstance: views the details of an instance. IncreaseInstance: increases one instance. InitInstance: initializes an instance. RemoveInstance: deletes an instance. ListInstance: views the instance list. SearchItem: searches for products or images. DeleteItem: deletes products or images. AddItem: adds products or images. ListIncrement: views the increased instance. TagResources: attaches a tag to a specific resource. UntagResources: detaches a tag from a specific resource.
instance/$instance	The following action permissions are described: ClearInstance: clears all the instances. DescribeInstance: views the details of an instance. IncreaseInstance: increases one instance. InitInstance: initializes an instance. RemoveInstance: deletes an instance. SearchItem: searches for products or images. DeleteItem: deletes products or images. AddItem: adds products or images. ListIncrement: views the increased instance. TagResources: attaches a tag to a specific resource. UntagResources: detaches a tag from a specific resource.

The procedure is as follows:

Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the policy content.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.
The system performs the following operations during the advanced optimization:
- Split resources or conditions that are incompatible with actions.
- Narrow down resources.
- Deduplicate or merge policy statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, configure the Name and Description parameters and click OK.

Examples of custom policies

Example 1

In this example, the policy must meet the following requirements:

The ID of the Alibaba Cloud account is 1234.
The region is China (Shanghai).
All the instances can be accessed.
All the permissions except the permissions to clear and delete instances are to be granted in the Image Search console.
The specified IP address can connect to the RAM user.

The following policy content is provided:

{
  "Statement": [
   {
     "Action": [
       "imagesearch:ListInstance",
       "imagesearch:DescribeInstance",
       "imagesearch:IncreaseInstance",
       "imagesearch:InitInstance",
       "imagesearch:ListIncrement"
     ],
     "Condition": {
       "IpAddress": {
         "acs:SourceIp": "xxx.xx.xxx.x/xx"
       }
     },
     "Effect": "Allow",
     "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*"
   }
  ],
  "Version": "1"
}

Example 2
In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- All the regions are supported.
- All the instances can be accessed.
- All the permissions to perform operations in the console or call all the API operations are to be granted.
The following policy content is provided:
```
{
  "Statement": [
   {
     "Action": [
         "imagesearch:*"
           ],
     "Effect": "Allow",
     "Resource": "acs:imagesearch:*:1234:instance/*"
   }
  ],
  "Version": "1"
}
```
Example 3
In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- All the regions are supported.
- The instance name is instance12138.
- All the permissions to perform operations are to be granted.
The following policy content is provided:
```
{
  "Statement": [
   {
     "Action": [
         "imagesearch:*",
           ],
     "Effect": "Allow",
     "Resource": "acs:imagesearch:*:1234:instance/instance12138"
   }
  ],
  "Version": "1"
}
```