All Products
Search
Document Center

Microservices Engine:Fine-grained authentication for the configuration center

Last Updated:Jul 17, 2026

The Nacos configuration center in Microservices Engine (MSE) allows you to set access permissions by instance, namespace, group, and data ID to reduce the risk of unauthorized access to or modification of configurations.

Prerequisites

Usage notes

The following procedure configures access permissions for the direct engine connection path shown in the figure, which allows a Nacos client to access MSE Nacos as a RAM user.

幻灯片1.JPG

Note

To configure and use access authentication for the engine control path (that is, to grant a RAM user permissions to use the MSE console), see Registry and configuration center authorization.

Step 1: Create a fine-grained policy

  1. Use an Alibaba Cloud account (root account) or a RAM user with the AliyunRAMFullAccess permission to log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON Editor tab.

    The page displays a JSON editor. The default policy template includes a Version element (set to "1") and a Statement array. Each statement includes Effect (defaults to "Allow"), Action, Resource, and Condition elements. You must populate the Action and Resource elements.

  5. Enter the policy document.

    • The following table describes the actions for fine-grained authentication for the configuration center.

      Action

      Description

      mse:QueryNacosConfig

      Grants read permission for configurations in the MSE Nacos configuration center, allowing you to get and listen for configurations by using SDKs.

      mse:UpdateNacosConfig

      Grants update permission for configurations in the MSE Nacos configuration center, allowing you to publish and modify configurations by using SDKs.

    • The resource for fine-grained authentication in the configuration center must use the following format:

      acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/config/${dataId}

      You can also refer to the Examples section to modify the policy document.

    • For more information about policy syntax and structure, see Policy structure and syntax.

  6. At the top of the page, click Optimize, and then click Perform to perform advanced optimization on the policy.

    The advanced policy optimization feature performs the following tasks:

    • Splits resources or conditions for incompatible actions.

    • Narrows the scope of resources.

    • Removes duplicate statements or merges statements.

  7. On the Create Policy page, click OK.

  8. In the Create Policy dialog box, enter a policy name and Description, and then click OK.

Step 2: Grant permissions

Grant permissions to a RAM user

  1. In the left-side navigation pane, choose Identities > Users.

  2. On the Users page, find the RAM user and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions at the bottom of the user list to grant permissions in batches.

  3. In the Grant Permission panel, in the Policies section, click the All Policy Types drop-down list and select Custom Policy. In the search box, enter the name of the policy that you created in Step 1, click the policy that appears in the search results, and then click OK.

  4. In the Grant Permission panel, confirm that the authorization is successful and click Close.

Grant permissions to a RAM role

  1. In the Policies section of the Grant Permission panel, click the All Policy Types drop-down list and select Custom Policy. In the text box, enter the name of the permission policy that you created in Step 1, click the name of the permission policy from the search results, and then click Confirm Add Permission.

  2. In the Grant Permission panel, confirm that the authorization is successful and click Close.

Examples

  • Grants read-only permission on configurations for the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:QueryNacosConfig"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/${instanceId1}",
                    "acs:mse:*:*:instance/${instanceId2}"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Grants permission to read and modify configurations for the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:QueryNacosConfig",
                    "mse:UpdateNacosConfig"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/${instanceId1}",
                    "acs:mse:*:*:instance/${instanceId2}"
                ],
                "Effect": "Allow"
            }
        ]
    }
    Note

    ${instance_id_1} and ${instance_id_2} are placeholders for the IDs of your configuration center instances.

  • Grants read-only permission on configurations in a specific namespace of the instance.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:QueryNacosConfig",
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}"
            }
        ],
        "Version": "1"
    }
  • Grants permission to read and modify configurations in a specific group within a namespace of the instance.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mse:QueryNacosConfig",
                    "mse:UpdateNacosConfig"
                ],
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}"
            }
        ],
        "Version": "1"
    }
  • Grants read-only permission on the configuration specified by a data ID in a specific group.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:QueryNacosConfig",
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/config/${dataId}"
            }
        ],
        "Version": "1"
    }
  • Grants permission to read and modify the configuration specified by a data ID in a specific group.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mse:QueryNacosConfig",
                    "mse:UpdateNacosConfig"
                ],
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/config/${dataId}"
            }
        ],
        "Version": "1"
    }

Related documentation

For information about instance-level authentication for the configuration center, see Nacos client authentication.