Resource Access Management (RAM) is an Alibaba Cloud service that lets you manage user identities and resource access permissions. If multiple users in your organization need to collaborate on resources, use RAM to avoid sharing your Alibaba Cloud account keys. You can assign permissions to users based on the principle of least privilege. This practice helps reduce security risks for your business.
Create a RAM user and grant permissions
Grant a system policy to a RAM user
-
Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account.
-
In the navigation pane on the left, click Settings to configure initial settings for RAM.
You can configure security settings for RAM users. For more information, see Set security policies for RAM users.
-
In the navigation pane on the left, choose Identity Management > Users. Create a RAM user and set a logon password and an AccessKey for the user.
For more information, see Create a RAM user.
-
On the Users page, grant a system policy to the target RAM user.
Note-
If you want the RAM user to have read-only permissions for Resource Orchestration Service (ROS) resources, attach the
AliyunROSReadOnlyAccesspolicy to the RAM user. -
If you want the RAM user to have permissions to manage all ROS operations, attach the
AliyunROSFullAccesspolicy to the RAM user.
-
Grant a custom policy to a RAM user
-
In the navigation pane on the left, choose Permission Management > Policies to create a custom policy.
A custom policy is an authorization policy that defines the operations a RAM user can perform on a stack. For more information, see Create a custom policy.
An access policy can contain multiple statements. Each statement must include an Action and a Resource. For more information about the Actions and Resources that ROS supports, see Authorizable resource types of ROS.
-
In the navigation pane on the left, choose Identity Management > Users to grant the custom policy to the target RAM user.
NoteYou can grant a custom policy to a user group. After you grant the policy to the group, all RAM users in that group inherit the permissions.
Examples of ROS custom policies
-
Example 1: View a list of stacks
The following policy allows a RAM user to view the list and details of all stacks in the China (Beijing) region. The asterisk (*) is a wildcard character that represents all stacks in the China (Beijing) region.
{ "Statement": [ { "Action": [ "ros:DescribeStacks", "ros:DescribeStackDetail" ], "Effect": "Allow", "Resource": "acs:ros:cn-beijing:*:stack/*" } ], "Version": "1" } -
Example 2: Create and view stacks
The following policy allows a RAM user to create and view stacks in all regions.
{ "Statement": [ { "Action": [ "ros:CreateStack", "ros:DescribeStacks", "ros:DescribeStackDetail", "ros:ValidateTemplate" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" } -
Example 3: Update a stack
The following policy allows the RAM user
12345****to update the stack94dd5431-2df6-4415-81ca-732a7082****.{ "Statement": [ { "Action": [ "ros:UpdateStack" ], "Effect": "Allow", "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****" } ], "Version": "1" } -
Example 4: Access all ROS features and resources
This policy applies regardless of whether ROS uses Alibaba Cloud Security Token Service (STS) for temporary authorization. The policy allows a RAM user to access all ROS features and resources, but not other Alibaba Cloud services. This is only allowed if the user accesses the Alibaba Cloud Management Console or an API over HTTPS from the 42.120.XX.XX/24 CIDR block. Note:
-
acs:SourceIpis set to 42.120.XX.XX/24. This means access to Alibaba Cloud must originate from the specified CIDR block (42.120.XX.XX/24). -
acs:SecureTransportis set to true. This means access to Alibaba Cloud must use HTTPS.
{ "Statement": [ { "Effect": "Allow", "Action": "ros:*", "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.XX.XX/24" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" } -
-
Example 5: Access all ROS features and resources and configure access to Elastic Compute Service (ECS)
-
If ROS uses STS for temporary authorization: The `acs:SourceIp` and `acs:SecureTransport` conditions cannot be passed through in STS scenarios. Therefore, this policy allows a RAM user to access all ROS features and resources, but not other services, including ECS. This is only allowed if the user accesses the Alibaba Cloud Management Console or an API over HTTPS from the 42.120.XX.XX/24 CIDR block.
-
If ROS does not use STS for temporary authorization: This policy allows a RAM user to access all features and resources of ROS and ECS, but not other services. This is only allowed if the user accesses the Alibaba Cloud Management Console or an API over HTTPS from the 42.120.XX.XX/24 CIDR block.
NoteIf ROS does not use STS for temporary authorization, the services that support `acs:SourceIp` and `acs:SecureTransport` pass-through are: Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS (RDS), Tair (Redis OSS-compatible), PrivateZone, Container Service for Kubernetes (ACK), Function Compute (FC), Object Storage Service (OSS), Simple Log Service (SLS), API Gateway, and ActionTrail.
{ "Statement": [ { "Effect": "Allow", "Action": [ "ros:*", "ecs:*" ], "Resource": "*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.XX.XX/24" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" }
-
-
Example 6: Use tag-based authentication to access and operate ROS resources
The following policy allows a RAM user to manage ROS resources that have the tag key-value pair
{"Environment": "TEST"}.{ "Statement": [ { "Action": "ros:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "acs:ResourceTag/Enviroment": "TEST" } } } ], "Version": "1" }