This topic describes how to use Alibaba Cloud RAM and resource groups to grant a RAM user permission to view and manage only specific ECS instances.
Procedure
This example shows how to grant a RAM user, Alice, permission to manage a specific ECS instance (i-001) while restricting access to all other instances. To do this, add the ECS instance to a resource group and then grant permissions based on that group.
The ECS instance continues to operate normally during the authorization process.
An account administrator must perform the following steps.
In the RAM console, create a RAM user named Alice.
For more information, see Create a RAM user.
In the Resource Management console, create a resource group named ECS-Admin.
For more information, see Create a resource group.
In the Resource Management console, add the ECS instance i-001 to the resource group ECS-Admin.
You can add an ECS instance to a resource group in one of the following ways:
When you create a new ECS instance, you can add it to the resource group ECS-Admin. For more information, see Create an instance by using the wizard.
For an existing ECS instance, you can move it to the resource group ECS-Admin. For more information, see Transfer resources across resource groups.
In the RAM console, grant permissions to the RAM user Alice.
Set the Authorized Scope to Resource Group and select ECS-Admin. Set the Principal to RAM User and select Alice. For the policy, select the AliyunECSFullAccess system policy. For more information, see Grant permissions to a RAM user.
Note (best practice): In your production environment, follow the principle of least privilege. Create a custom policy that grants only the permissions required for the task. This minimizes security risks from excessive permissions.
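As an added illustration of that note (this policy is not part of the original topic and is not an Alibaba Cloud system policy), the following custom RAM policy replaces AliyunECSFullAccess with a narrower grant: Alice can list instances and their status, and can start, stop and reboot only the instance i-001. The action and resource names follow the RAM policy syntax for ECS; the instance ID i-001 is the example value used throughout this topic.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeRegions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:RebootInstance"
      ],
      "Resource": "acs:ecs:*:*:instance/i-001"
    }
  ]
}
```

The first statement uses a wildcard resource because the ECS Describe operations are not restricted at the individual-instance level; when the policy is attached with the Authorized Scope set to the resource group ECS-Admin, as in step 4, that listing permission is still bounded to the resources in that group. The second statement pins the state-changing actions to the single instance ARN, so even if i-001 is later joined by other instances in ECS-Admin, Alice cannot start, stop or reboot them without a policy change. Actions such as ecs:DeleteInstance or ecs:ModifyInstanceAttribute are deliberately absent; add them only if the task requires them.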
Verify the result
Log on to the ECS console as the RAM user Alice.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
In the navigation pane on the left, choose .
In the upper-left corner of the top navigation bar, select the region where the instance is located.
In the top navigation bar, select ECS-Admin from the resource group drop-down list.
Important: The RAM user must select the correct resource group to view the instances within it. If no resource group or a different one is selected, the instance list appears empty.
On the Instances page, verify that you can see and manage the target instance i-001.
References
You can move resources associated with an ECS instance to the same resource group as the instance. You can do this manually or automatically by using the resource transfer feature of Resource Management. The automatic transfer currently supports only cloud disks, elastic network interfaces (ENIs), and elastic IP addresses (EIPs). For more information, see Transfer associated resources with a primary resource.
You can use Terraform to provision the resources and configure the permissions described in this tutorial by running the sample code in Terraform Explorer.