Microservices Engine (MSE) allows you to use an Alibaba Cloud account to grant a RAM user the operation permissions on resources in MSE cloud-native gateways. This prevents security risks that are caused if the AccessKey pair of your Alibaba Cloud account is disclosed. This topic describes how to create a RAM user and how to grant the RAM user the operation permissions on resources in MSE cloud-native gateways.
Scenarios
An enterprise creates a cloud-native gateway in the MSE console. The enterprise needs to grant different permissions on resources to employees based on their roles. The enterprise has the following requirements:
To ensure data security, the AccessKey pair of the Alibaba Cloud account of the enterprise must be kept confidential. The enterprise wants to grant permissions to the account of each user.
Only RAM users who are granted permissions can manage resources. Resource usage and costs are not calculated separately for each RAM user. Bills are generated on the Alibaba Cloud account of the enterprise.
The owner of the Alibaba Cloud account can revoke the permissions that are granted to users and delete the accounts that are created for users.
A cloud-native gateway of MSE is a fully managed service that provides two roles: developer and O&M. Developers are responsible for configuration and service management. O&M personnel are responsible for cluster and permission management.
Usage notes
You can grant permissions to a RAM user by using the Resource Access Management (RAM) console or calling an API operation.
Step 1: Create a RAM user
Log on to the RAM console and create a RAM user by using your Alibaba Cloud account.
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the
icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
NoteYou can click Add User to create multiple RAM users at a time.
In the Access Mode section, select Console Access or Using permanent AccessKey to access.
Console Access: If you select this access mode, you must configure the basic settings for logon security. These settings specify whether to use a system-generated logon password or a custom logon password, whether to reset the password on the next logon, and whether to enable multi-factor authentication (MFA).
NoteIf you set Set Logon Password to Reset Custom Password in the Console Password Logon section, you must specify a password. The password must meet the complexity requirements that you specified on the page. For more information about the password complexity requirements, see Configure a password policy for RAM users.
Using permanent AccessKey to access: If you select Using permanent AccessKey to access, an AccessKey pair is automatically created for the RAM user that you create. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
NoteTo ensure account security, we recommend that you select only one access mode for the RAM user. This way, the employee who uses the RAM user can no longer use an AccessKey pair to access Alibaba Cloud resources after the employee leaves your organization.
Click OK.
Step 2: Grant permissions to the RAM user
Before you use the RAM user, perform the following steps to grant permissions to the RAM user:
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user and click Grant permissions.
In the Policy section, select a policy type, and enter a keyword in the field to search for the policies that you want to add. Then, click one or more policies to add the policies to the Selected Policy list.
Policies are classified into system policies and custom policies.
System policies for coarse-grained authorization
MSE supports two system policies for coarse-grained authorization.
Policy
Description
AliyunMSEFullAccess
The permissions to manage MSE. You can use a RAM user to which this policy is attached to manage all features in the MSE console in the same way as you use an Alibaba Cloud account to manage MSE.
AliyunMSEReadOnlyAccess
The read-only permissions of MSE. A RAM user to whom this policy is attached can read all resources of the Alibaba Cloud account.
NoteWe recommend that you attach the AliyunMSEFullAccess policy to O&M personnel. This way, O&M personnel can create and delete resources. We recommend that you attach the AliyunMSEReadOnlyAccess policy to developers. This way, developers can view resources but cannot delete or create resources. If you want to manage the permissions of developers in a fine-grained manner, you can use custom policies.
Custom policies (fine-grained authorization)
If you want to perform fine-grained authorization, you can create custom policies for access control. For more information about how to create a custom policy, see Create a custom policy.
Example 1: Grant a RAM user the read-only permission on the cloud-native gateway named gw-8090caa2a3ab447a8bc5fdf3********.
{ "Version": "1", "Statement": [ { "Action": [ "mse:Query*", "mse:List*", "mse:Get*", "mse:Select*", "mse:Pull*", "mse:GatewayBlackWhite*", "mse:GatewayHealthCheckList", "mse:GatewayQueryMonitor", "mse:UploadWasmFile" ], "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********", "Effect": "Allow" }, { "Action": [ "mse:QueryDefaultAlertStatus", "mse:ListGatewayZone", "mse:ListUpgradableGatewayVersions", "mse:ListTagResources", "mse:ListGatewayIngressMigrateTask", "mse:ListEventRecords", "mse:GetEventFilterOptions", "mse:GetEventDetail", "mse:GetGatewaySelection", "mse:GetGatewayAlarms", "mse:GetGatewayMigrateNamespacedServices", "mse:GetGatewayIngressMigrateTaskDetail", "mse:GetPluginGuide", "mse:GetRegExpCheck", "mse:GetRegExpTest", "mse:CheckPluginLua" ], "Resource": "acs:mse:*:*:*", "Effect": "Allow" }, { "Action": [ "log:DescribeService", "log:ListProject", "log:GetProductDataCollection" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "arms:SearchContactGroup" ], "Resource": "*", "Effect": "Allow" } ] }Example 2: Grant a RAM user the read and write permissions on a cloud-native gateway named gw-8090caa2a3ab447a8bc5fdf3********.
{ "Version": "1", "Statement": [ { "Action": [ "mse:*" ], "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********", "Effect": "Allow" }, { "Action": [ "mse:QueryDefaultAlertStatus", "mse:CreateDefaultAlert", "mse:ListGatewayZone", "mse:ListUpgradableGatewayVersions", "mse:ListEventRecords", "mse:GetEventFilterOptions", "mse:GetEventDetail", "mse:GetGatewaySelection", "mse:GetGatewayAlarms", "mse:GetGatewayMigrateNamespacedServices", "mse:GetPluginGuide", "mse:GetRegExpCheck", "mse:GetRegExpTest", "mse:CheckPluginLua", "mse:*TagResources", "mse:*CustomPlugin", "mse:*GatewayIngressMigrateTask*" ], "Resource": "acs:mse:*:*:*", "Effect": "Allow" }, { "Action": [ "log:DescribeService", "log:ListProject", "log:GetProductDataCollection", "log:OpenProductDataCollection" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "arms:SearchContactGroup" ], "Resource": "*", "Effect": "Allow" } ] }
In the Grant Permission panel, confirm that authorization is successful and click Close.
What to do next
After you create a RAM user by using an Alibaba Cloud account, you can share the logon name and password or AccessKey pair of the RAM user with other employees. The users can perform the following steps to log on to the service console or call an API operation as the RAM user.
Log on to the Alibaba Cloud Management Console.
Go to the RAM User Logon page.
On the RAM User Logon page, enter the name of the RAM user, and click Next. Then, enter the password and click Log On.
NoteThe logon name of the RAM user is in the
<$username>@<$AccountAlias>or<$username>@<$AccountAlias>.onaliyun.comformat. <$AccountAlias> specifies the alias of the RAM user. If you do not specify an alias, the ID of the Alibaba Cloud account is used by default.On the RAM user center page, click the name of the service on which the RAM user has permissions to access the console of the service.
Call an API operation.
Use the AccessKey pair of the RAM user to call an API operation. Use the AccessKey ID and AccessKey secret of the RAM user in the code.
Mapping between API operations supported by MSE cloud-native gateways and custom policies
The following table describes the API operations that are supported by MSE cloud-native gateways to help you configure custom policies for RAM users.
API operations to manage cloud-native gateways
Action | Description | Read-only |
AddGateway | Creates a pay-as-you-go cloud-native gateway. | No |
ListGateway | Queries gateway clusters. | Yes |
GetGatewayDetail | Queries the details of a cloud-native gateway. | Yes |
GetGateway | Queries the information about a cloud-native gateway. | Yes |
ListGatewaySlb | Queries the Server Load Balancer (SLB) instances of a cloud-native gateway. | Yes |
SelectGatewaySlb | Queries existing SLB instances. | No |
AddGatewaySlb | Associates an SLB instance with a cloud-native gateway. | No |
DeleteGatewaySlb | Disassociates an SLB instance from a cloud-native gateway. | No |
DeleteGateway | Deletes a pay-as-you-go cloud-native gateway. | No |
API operations to manage service sources
Action | Description | Read-only |
ListServiceSource | Queries service sources. | Yes |
GetKubernetesSource | Queries existing Container Service for Kubernetes (ACK) clusters. | Yes |
GetMseSource | Queries existing MSE registries. | Yes |
AddServiceSource | Adds a service source. | No |
DeleteServiceSource | Removes a service source. | No |
PullServices | Queries existing services. | Yes |
ImportServices | Creates or imports services. | No |
ListGatewayService | Queries the services to which you subscribe. | Yes |
GetGatewayServiceDetail | Queries the details of a service. | Yes |
AddGatewayServiceVersion | Adds a service version. | No |
UpdateGatewayServiceVersion | Updates a service version. | No |
DeleteGatewayServiceVersion | Removes a service version. | No |
UpdateGatewayServiceTrafficPolicy | Modifies the load balancing policy of a service. | No |
API operations to manage routes
Action | Description | Read-only |
ListGatewayRoute | Queries the routes of a cloud-native gateway. | Yes |
AddGatewayRoute | Creates a route for a cloud-native gateway. | No |
ApplyGatewayRoute | Publishes a route for a cloud-native gateway. | No |
OfflineGatewayRoute | Disables a route for a cloud-native gateway. | No |
DeleteGatewayRoute | Deletes a route from a cloud-native gateway. | No |
GetGatewayRouteDetail | Queries the details of routes for a cloud-native gateway. | Yes |
GetRateLimit | Queries the throttling rules of a route. | Yes |
AddRateLimit | Adds a throttling rule to a route. | No |
UpdateRateLimit | Deletes a throttling rule from a route. | No |
UpdateGatewayRouteHTTPRewrite | Updates the rewrite policy of a route. | No |
UpdateGatewayRouteHeaderOp | Updates the header settings of a route. | No |
UpdateGatewayRouteCORS | Updates the cross-origin resource sharing (CORS) policy of a route. | No |
UpdateGatewayRouteTimeout | Updates the timeout policy of a route. | No |
UpdateGatewayRouteRetry | Updates the retry policy of a route. | No |
API operations to manage certificates and domain names
Action | Description | Read-only |
ListGatewayDomain | Queries associated domain names. | Yes |
AddGatewayDomain | Associates a domain name. | No |
GetGatewayDomainDetail | Queries the details of associated domain names. | Yes |
UpdateGatewayDomain | Updates the information about an associated domain name. | No |
DeleteGatewayDomain | Disassociates a domain name. | No |
ListSSLCert | Queries existing certificates. | Yes |
AddSSLCert | Associates a certificate with a domain name. | No |
UpdateSSLCert | Updates the certificate of a domain name. | Yes |
Other API operations
Action | Description | Read-only |
GetBlackWhiteList | Queries the IP addresses in the blacklist and whitelist. | Yes |
AddBlackWhiteList | Adds an IP address to the blacklist or whitelist. | No |
UpdateBlackWhiteList | Updates the blacklist and whitelist. | No |
AddGatewayAuth | Adds an authentication method. | No |
ListGatewayAuth | Queries authentication methods. | Yes |
UpdateGatewayAuth | Updates an authentication method. | No |
DeleteGatewayAuth | Removes an authentication method. | No |
AddAuthResource | Adds an authentication URL. | No |
DeleteAuthResource | Deletes an authentication URL. | No |