Resource Access Management (RAM) is a service that Alibaba Cloud provides for you to manage user identities and resource access permissions. You can create RAM users and authorize the RAM users to perform operations on resources. When multiple users in your enterprise need to collaboratively manage resources, you can grant the users the minimum required permissions by using RAM to keep your Alibaba Cloud account and password confidential. This reduces risks in your data security.
Create RAM users and grant permissions to the RAM users
Examples of custom policies
- Example 1: View stacks
The following policy grants RAM users the permissions to view all stacks that are deployed in the China (Beijing) region and the details of the stacks. You can use the wildcard character (*) to match all stacks that are deployed in the China (Beijing) region.

```json
{
  "Statement": [
    {
      "Action": [
        "ros:DescribeStacks",
        "ros:DescribeStackDetail"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:*:stack/*"
    }
  ],
  "Version": "1"
}
```
- Example 2: Create and view stacks
The following policy grants RAM users the permissions to create and view stacks in all regions.
```json
{
  "Statement": [
    {
      "Action": [
        "ros:CreateStack",
        "ros:DescribeStacks",
        "ros:DescribeStackDetail",
        "ros:ValidateTemplate"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
- Example 3: Update a stack
The following policy grants a specified RAM user the permissions to update a specified stack. In this example, the RAM user ID is 12345**** and the stack ID is 94dd5431-2df6-4415-81ca-732a7082****.

```json
{
  "Statement": [
    {
      "Action": [
        "ros:UpdateStack"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****"
    }
  ],
  "Version": "1"
}
```
- Example 4: Access all features and resources of ROS
The following policy grants RAM users the permissions to access all features and resources of ROS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.99.0/24 over HTTPS. This policy applies to the RAM users regardless of whether you use Alibaba Cloud Security Token Service (STS) to grant temporary access permissions on ROS. The following information describes specific parameters in this policy:
- acs:SourceIp is set to 42.120.99.0/24, which specifies that the features and resources are accessed from the CIDR block 42.120.99.0/24.
- acs:SecureTransport is set to true, which specifies that the features and resources are accessed over HTTPS.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ros:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.99.0/24"
        },
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
```
- Example 5: Access all features and resources of ROS, with or without access to ECS
- If you use STS to grant temporary access permissions on ROS, you cannot specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode. In this case, you can attach the following policy to RAM users so that the RAM users can access all features and resources of ROS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.99.0/24 over HTTPS. This policy cannot grant the RAM users permissions to access other services, including Elastic Compute Service (ECS).
- If you do not use STS to grant temporary access permissions on ROS, you can attach the following policy to RAM users so that the RAM users can access all features and resources of ROS and ECS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.99.0/24 over HTTPS. This policy cannot grant the RAM users permissions to access other services.
Note: If you do not use STS to grant temporary access permissions on ROS, you can specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode to access the following services: ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS, ApsaraDB for Redis, Alibaba Cloud DNS PrivateZone, Container Service for Kubernetes (ACK), Function Compute, Object Storage Service (OSS), Log Service, API Gateway, and ActionTrail.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ros:*",
        "ecs:*"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.99.0/24"
        },
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
```
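As an added illustration (not Alibaba Cloud's own policy engine), the following Python evaluator replays requests against the policy documents above, embedding Example 4 to show how the acs:SourceIp and acs:SecureTransport conditions gate access and how the `*` wildcard in Resource scopes Example 1 to one region. It models only what these examples use (Allow statements, `*` wildcards, the IpAddress and Bool operators) and does not model Deny statements, which take precedence over Allow in RAM.

```python
# Added example, not Alibaba Cloud's policy engine: a minimal offline evaluator for
# the elements these examples use (Allow, "*" wildcards, IpAddress/Bool conditions).
import fnmatch
import ipaddress
import json

# Example 4 from the page: ros:* only from 42.120.99.0/24 and only over HTTPS.
EXAMPLE_4 = json.loads("""
{ "Statement": [ { "Effect": "Allow", "Action": "ros:*", "Resource": "*",
  "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" },
                 "Bool": { "acs:SecureTransport": "true" } } } ],
  "Version": "1" }
""")

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    """All operator/key pairs must hold against the request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                nets = (ipaddress.ip_network(c) for c in _as_list(expected))
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def is_allowed(policy, action, resource, context=None):
    """True if any Allow statement matches; RAM denies everything else by default."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

Feeding a request from outside 42.120.99.0/24, or one made over plain HTTP, into `is_allowed` with EXAMPLE_4 returns False, which is the check to run before attaching a condition-scoped policy to a user.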