Resource Access Management (RAM) is a service that Alibaba Cloud provides for managing user identities and resource access permissions. You can create RAM users and authorize them to perform operations on resources. When multiple users in your enterprise need to collaboratively manage resources, you can use RAM to grant each user only the minimum permissions required, so that you do not need to share the credentials of your Alibaba Cloud account. This reduces data security risks.

Create RAM users and grant permissions to the RAM users

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Settings. You can configure basic security settings for RAM users.
    On the Security Settings tab, you can configure security policies for RAM users. For more information, see Configure security policies for RAM users.
  3. In the left-side navigation pane, choose Identities > Users. On the Users page, click Create User. On the Create User page, create RAM users and configure a logon password for users that need console access and an AccessKey pair for users that need API access. Issue only the credential type that a user actually needs.
    For more information, see Create a RAM user.
  4. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy to create a custom policy.

    You can attach a custom policy to RAM users so that the RAM users can perform operations on stacks. For more information, see Create a custom policy.

    A policy can contain multiple statements. You must specify the Action and Resource elements for each statement. As the examples in this topic show, an ROS resource is identified by an ARN in the format acs:ros:<region>:<account-id>:stack/<stack-id>, and a segment can be replaced with the wildcard character (*). For more information about the action and resource elements that you can specify for Resource Orchestration Service (ROS), see Types of ROS resources that can be authorized.

  5. In the left-side navigation pane, choose Identities > Users. On the page that appears, attach the custom policy to the RAM users.
    Note You can also attach the custom policy to RAM user groups. If you grant permissions to a RAM user group, all RAM users in the group are granted the permissions.

Examples of custom policies

  • Example 1: View stacks

    The following policy grants RAM users the permissions to view all stacks that are deployed in the China (Beijing) region and the details of the stacks. The wildcard character (*) in the account ID and stack ID segments of the ARN matches all stacks that are deployed in the China (Beijing) region.

    {
      "Statement": [
        {
          "Action": [
            "ros:DescribeStacks",
            "ros:DescribeStackDetail"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:*:stack/*"
        }
      ],
      "Version": "1"
    }                                    
  • Example 2: Create and view stacks

    The following policy grants RAM users the permissions to create and view stacks in all regions.

    {
      "Statement": [
        {
          "Action": [
            "ros:CreateStack",
            "ros:DescribeStacks",
            "ros:DescribeStackDetail",
            "ros:ValidateTemplate"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }                                   
  • Example 3: Update a stack

    The following policy grants RAM users the permissions to update a single specified stack. In this example, the Alibaba Cloud account ID in the resource ARN is 12345**** and the stack ID is 94dd5431-2df6-4415-81ca-732a7082****.

    {
      "Statement": [
        {
          "Action": [
            "ros:UpdateStack"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****"
        }
      ],
      "Version": "1"
    }                                    
  • Example 4: Access all features and resources of ROS

    The following policy grants RAM users the permissions to access all features and resources of ROS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations, but only from the CIDR block 42.120.99.0/24 and only over HTTPS. This policy applies to the RAM users regardless of whether you use Alibaba Cloud Security Token Service (STS) to grant temporary access permissions on ROS. The following information describes the condition keys in this policy:

    • acs:SourceIp is set to 42.120.99.0/24, which specifies that the features and resources can be accessed only from the CIDR block 42.120.99.0/24.
    • acs:SecureTransport is set to true, which specifies that the features and resources can be accessed only over HTTPS.
    Both conditions must be met for the statement to take effect. A request from an IP address outside the CIDR block, or a request over HTTP, does not match the statement and is denied because the policy contains no other Allow statement.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ros:*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ],
      "Version": "1"
    }
  • Example 5: Access all features and resources of ROS, and optionally ECS
    • If you use STS to grant temporary access permissions on ROS, the acs:SourceIp and acs:SecureTransport parameters cannot be passed through. In this case, if you attach the following policy to RAM users, the RAM users can access all features and resources of ROS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.99.0/24 over HTTPS, but the policy does not grant them access to other services, including Elastic Compute Service (ECS).
    • If you do not use STS to grant temporary access permissions on ROS, the following policy grants the RAM users access to all features and resources of ROS and ECS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.99.0/24 over HTTPS. The policy does not grant access to any other service.
      Note If you do not use STS to grant temporary access permissions on ROS, you can specify the acs:SourceIp and acs:SecureTransport parameters in pass-through mode to access the following services: ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS, ApsaraDB for Redis, Alibaba Cloud DNS PrivateZone, Container Service for Kubernetes (ACK), Function Compute, Object Storage Service (OSS), Log Service, API Gateway, and ActionTrail.
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ros:*",
              "ecs:*"
            ],
            "Resource": "*",
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": "42.120.99.0/24"
              },
              "Bool": {
                "acs:SecureTransport": "true"
              }
            }
          }
        ],
        "Version": "1"
      }
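
The policies above are easier to reason about if you can test a request against them offline before attaching them. The following Python script is an added example, not part of the original page or of any Alibaba Cloud SDK. It models the subset of RAM policy evaluation that the five examples rely on (wildcards in Action and Resource, the IpAddress and Bool condition operators, an explicit Deny beating Allow, implicit Deny when nothing matches) and embeds Examples 1, 4 and 5 as constructed test data. The Request shape, the placeholder ARNs, and the choice to treat a request that carries no acs:SourceIp or acs:SecureTransport as failing the condition (which is how the STS pass-through case of Example 5 is modelled here) are assumptions of this example, not documented RAM behaviour.

```python
"""Offline evaluator for the RAM policy documents shown above (added example).

Implements only the subset of RAM policy semantics these examples rely on.
It is not an Alibaba Cloud library; the Request shape and the sample ARNs
are assumptions for illustration.
"""
import fnmatch
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    action: str                               # e.g. "ros:DescribeStacks"
    resource: str                             # ARN, e.g. "acs:ros:<region>:<account-id>:stack/<stack-id>"
    source_ip: Optional[str] = None           # None models a call where acs:SourceIp is not passed through
    secure_transport: Optional[bool] = None   # None models a call where acs:SecureTransport is unknown


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # RAM uses '*' as the wildcard; fnmatch gives the same whole-string match
    # (action names and ARNs contain no '?' or '[' that fnmatch would misread).
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, req):
    """Every operator block and every key inside it must hold (logical AND)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if operator == "IpAddress" and key == "acs:SourceIp":
                if req.source_ip is None:
                    return False  # key absent from the request: fail closed (assumption)
                ip = ipaddress.ip_address(req.source_ip)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected)):
                    return False
            elif operator == "Bool" and key == "acs:SecureTransport":
                if req.secure_transport is None or str(req.secure_transport).lower() != str(expected).lower():
                    return False
            else:
                return False  # operator/key this evaluator does not model: fail closed
    return True


def _statement_matches(stmt, req):
    if not any(_glob(a, req.action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, req.resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), req)


def evaluate(policy, req):
    """Return "Allow" or "Deny" for one request against one policy document."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    if policy.get("Version") != "1":
        raise ValueError("unsupported policy Version")
    decision = "Deny"                          # implicit deny unless an Allow statement matches
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"                  # an explicit Deny always wins
            decision = "Allow"
    return decision


def lint(policy):
    """Flag Allow statements that grant a wildcard action on every resource with no Condition."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow" or stmt.get("Condition"):
            continue
        if any(a.endswith("*") for a in _as_list(stmt["Action"])) and "*" in _as_list(stmt["Resource"]):
            findings.append(f"statement {i}: unconditional wildcard grant {stmt['Action']} on Resource '*'")
    return findings


# The page's Example 1, 4 and 5 policies, embedded so the evaluator runs offline.
VIEW_STACKS_BEIJING = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ros:DescribeStacks", "ros:DescribeStackDetail"],
    "Resource": "acs:ros:cn-beijing:*:stack/*"}]}
OFFICE_CONDITION = {"IpAddress": {"acs:SourceIp": "42.120.99.0/24"},
                    "Bool": {"acs:SecureTransport": "true"}}
ROS_ALL_FROM_OFFICE = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "ros:*", "Resource": "*", "Condition": OFFICE_CONDITION}]}
ROS_AND_ECS_FROM_OFFICE = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ros:*", "ecs:*"], "Resource": "*", "Condition": OFFICE_CONDITION}]}

# Constructed placeholder ARNs; ACCOUNT_ID, STACK_ID and INSTANCE_ID are not real identifiers.
SAMPLE_STACK = "acs:ros:cn-beijing:ACCOUNT_ID:stack/STACK_ID"
SAMPLE_INSTANCE = "acs:ecs:cn-beijing:ACCOUNT_ID:instance/INSTANCE_ID"


if __name__ == "__main__":
    print(evaluate(VIEW_STACKS_BEIJING, Request("ros:CreateStack", SAMPLE_STACK)))
    print(evaluate(ROS_ALL_FROM_OFFICE, Request("ros:CreateStack", SAMPLE_STACK, "42.120.99.7", True)))
    print(evaluate(ROS_AND_ECS_FROM_OFFICE, Request("ecs:DescribeInstances", SAMPLE_INSTANCE)))
    print(lint({"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ros:*", "Resource": "*"}]}))
```

Run the script to print decisions for a few requests, or import evaluate() and lint() to check a custom policy before you attach it in step 5. lint() flags the unconditional ros:* on Resource "*" grant that Example 4 avoids only because of its Condition block, and a request with no source IP shows why the ecs:* statement in Example 5 does not take effect when the condition keys cannot be passed through.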