The Nacos configuration center in Microservices Engine (MSE) allows you to set access permissions by instance, namespace, group, and data ID to reduce the risk of unauthorized access to or modification of configurations.
Prerequisites
Usage notes
The following procedure configures access permissions for the direct engine connection path shown in the figure, which allows a Nacos client to access MSE Nacos as a RAM user.

To configure and use access authentication for the engine control path (that is, to grant a RAM user permissions to use the MSE console), see Registry and configuration center authorization.
Step 1: Create a fine-grained policy
-
Use an Alibaba Cloud account (root account) or a RAM user with the
AliyunRAMFullAccesspermission to log on to the RAM console. -
In the left-side navigation pane, choose .
-
On the Policies page, click Create Policy.
-
On the Create Policy page, click the JSON Editor tab.
The page displays a JSON editor. The default policy template includes a
Versionelement (set to"1") and aStatementarray. Each statement includesEffect(defaults to"Allow"),Action,Resource, andConditionelements. You must populate theActionandResourceelements. -
Enter the policy document.
-
The following table describes the actions for fine-grained authentication for the configuration center.
Action
Description
mse:QueryNacosConfig
Grants read permission for configurations in the MSE Nacos configuration center, allowing you to get and listen for configurations by using SDKs.
mse:UpdateNacosConfig
Grants update permission for configurations in the MSE Nacos configuration center, allowing you to publish and modify configurations by using SDKs.
-
The resource for fine-grained authentication in the configuration center must use the following format:
acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/config/${dataId}You can also refer to the Examples section to modify the policy document.
-
For more information about policy syntax and structure, see Policy structure and syntax.
-
-
At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.
The advanced policy optimization feature performs the following tasks:
-
Splits resources or conditions for incompatible actions.
-
Narrows the scope of resources.
-
Removes duplicate statements or merges statements.
-
-
On the Create Policy page, click OK.
-
In the Create Policy dialog box, enter a policy name and Description, and then click OK.
Step 2: Grant permissions
Grant permissions to a RAM user
-
In the left-side navigation pane, choose .
-
On the Users page, find the RAM user and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions at the bottom of the user list to grant permissions in batches.
-
In the Grant Permission panel, in the Policies section, click the All Policy Types drop-down list and select Custom Policy. In the search box, enter the name of the policy that you created in Step 1, click the policy that appears in the search results, and then click OK.
-
In the Grant Permission panel, confirm that the authorization is successful and click Close.
Grant permissions to a RAM role
-
In the Policies section of the Grant Permission panel, click the All Policy Types drop-down list and select Custom Policy. In the text box, enter the name of the permission policy that you created in Step 1, click the name of the permission policy from the search results, and then click Confirm Add Permission.
-
In the Grant Permission panel, confirm that the authorization is successful and click Close.
Examples
-
Grants read-only permission on configurations for the specified instances.
{ "Version": "1", "Statement": [ { "Action": [ "mse:QueryNacosConfig" ], "Resource": [ "acs:mse:*:*:instance/${instanceId1}", "acs:mse:*:*:instance/${instanceId2}" ], "Effect": "Allow" } ] } -
Grants permission to read and modify configurations for the specified instances.
{ "Version": "1", "Statement": [ { "Action": [ "mse:QueryNacosConfig", "mse:UpdateNacosConfig" ], "Resource": [ "acs:mse:*:*:instance/${instanceId1}", "acs:mse:*:*:instance/${instanceId2}" ], "Effect": "Allow" } ] }Note${instance_id_1} and ${instance_id_2} are placeholders for the IDs of your configuration center instances.
-
Grants read-only permission on configurations in a specific namespace of the instance.
{ "Statement": [ { "Effect": "Allow", "Action": "mse:QueryNacosConfig", "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}" } ], "Version": "1" } -
Grants permission to read and modify configurations in a specific group within a namespace of the instance.
{ "Statement": [ { "Effect": "Allow", "Action": [ "mse:QueryNacosConfig", "mse:UpdateNacosConfig" ], "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}" } ], "Version": "1" } -
Grants read-only permission on the configuration specified by a data ID in a specific group.
{ "Statement": [ { "Effect": "Allow", "Action": "mse:QueryNacosConfig", "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/config/${dataId}" } ], "Version": "1" } -
Grants permission to read and modify the configuration specified by a data ID in a specific group.
{ "Statement": [ { "Effect": "Allow", "Action": [ "mse:QueryNacosConfig", "mse:UpdateNacosConfig" ], "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/config/${dataId}" } ], "Version": "1" }
Related documentation
For information about instance-level authentication for the configuration center, see Nacos client authentication.