Resource Access Management (RAM) is a service that Alibaba Cloud provides for you to manage user identities and control access to resources. You can create RAM users and authorize the RAM users to perform operations on resources. When multiple users in your enterprise need to collaboratively manage resources, you can grant each user only the minimum required permissions by using RAM. This way, the credentials of your Alibaba Cloud account are never shared, which mitigates data risk.
Create a RAM user and grant permissions to the RAM user
Attach a system policy to a RAM user
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, click Settings to configure basic settings.
You can configure security settings for RAM users. For more information, see Manage the security settings of RAM users.
In the left-side navigation pane, choose Identities > Users. On the Users page, click Create User. On the Create User page, create a RAM user and configure a logon password for console access, an AccessKey pair for API access, or both. Create an AccessKey pair only if the RAM user needs to call API operations.
For more information, see Create a RAM user.
On the Users page, find the desired RAM user and attach a system policy to the RAM user.
Note: If you want to grant the read-only permissions on Resource Orchestration Service (ROS) to the RAM user, attach the AliyunROSReadOnlyAccess policy to the RAM user. If you want to grant all permissions on ROS to the RAM user, attach the AliyunROSFullAccess policy to the RAM user.
Attach a custom policy to a RAM user
In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy to create a custom policy.
You can attach a custom policy to a RAM user to allow the RAM user to perform operations on stacks. For more information, see Create custom policies.
A policy can contain multiple statements. You must specify the action and resource elements for each statement. For more information about the action and resource elements that you can specify for ROS, see Types of ROS resources that can be authorized.
In the left-side navigation pane, choose Identities > Users. On the page that appears, find the desired RAM user and attach the custom policy to the RAM user.
Note: You can also attach the custom policy to RAM user groups. If you grant permissions to a RAM user group, all RAM users in the group have the permissions.
Examples of custom policies for ROS
Example 1: View stacks
The following policy allows RAM users to view all stacks that are deployed in the China (Beijing) region and the details of the stacks. The wildcard character (*) in the last segment of the resource matches all stacks that are deployed in the China (Beijing) region; the wildcard in the account ID segment matches any account.
{
  "Statement": [
    {
      "Action": [
        "ros:DescribeStacks",
        "ros:DescribeStackDetail"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:*:stack/*"
    }
  ],
  "Version": "1"
}
Example 2: Create and view stacks
The following policy allows RAM users to create and view stacks in all regions. A resource of * matches every stack in every region:
{
  "Statement": [
    {
      "Action": [
        "ros:CreateStack",
        "ros:DescribeStacks",
        "ros:DescribeStackDetail",
        "ros:ValidateTemplate"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Example 3: Update a stack
The following policy allows a RAM user to update only the stack whose ID is 94dd5431-2df6-4415-81ca-732a7082**** in the China (Beijing) region. The account ID segment of the resource is set to 12345****, so the statement matches only stacks that belong to that Alibaba Cloud account:
{
  "Statement": [
    {
      "Action": [
        "ros:UpdateStack"
      ],
      "Effect": "Allow",
      "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****"
    }
  ],
  "Version": "1"
}
Example 4: Access all features and resources of ROS only
The following policy allows RAM users to access all features and resources of ROS, and no other service, by using the Alibaba Cloud Management Console or API from the CIDR block 42.120.XX.XX/24 over HTTPS. This policy takes effect regardless of whether you use Alibaba Cloud Security Token Service (STS) to grant temporary access permissions on ROS. The policy uses the following condition keys:
acs:SourceIp: The value is set to 42.120.XX.XX/24. The request must originate from the CIDR block 42.120.XX.XX/24. A request whose source IP address is outside this block is denied.
acs:SecureTransport: The value is set to true. The request must be sent over HTTPS. A request sent over plain HTTP is denied.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ros:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.XX.XX/24"
        },
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Example 5: Access all features and resources of ROS, with or without access to ECS
If you use STS to grant temporary access permissions on ROS, the acs:SourceIp and acs:SecureTransport condition keys are not supported in pass-through mode. In this case, if you attach the following policy to RAM users, the RAM users can access all features and resources of ROS by using the Alibaba Cloud Management Console or by calling Alibaba Cloud API operations from the CIDR block 42.120.XX.XX/24 over HTTPS. The policy does not allow the RAM users to access other services, including Elastic Compute Service (ECS), because the conditions cannot be satisfied for the passed-through calls.
If you do not use STS to grant temporary access permissions on ROS, the same policy allows the RAM users to access all features and resources of ROS and ECS by using the Alibaba Cloud Management Console or API from the CIDR block 42.120.XX.XX/24 over HTTPS. The policy still does not allow the RAM users to access any service other than ROS and ECS.
Note: If you do not use STS to grant temporary access permissions on ROS, you can specify the acs:SourceIp and acs:SecureTransport condition keys in pass-through mode to allow access to the following services: ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS, Tair (Redis OSS-compatible), Alibaba Cloud DNS PrivateZone, Container Service for Kubernetes (ACK), Function Compute, Object Storage Service (OSS), Simple Log Service (SLS), API Gateway, and ActionTrail.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ros:*",
        "ecs:*"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "42.120.XX.XX/24"
        },
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ],
  "Version": "1"
}
Example 6: Access and manage ROS resources by using tag-based authorization
The following policy allows RAM users to perform all ROS operations, but only on ROS resources to which the {"Environment": "TEST"} tag is added. Resources without that tag, or with a different value for the Environment key, are not covered by the statement and remain denied:
{
  "Statement": [
    {
      "Action": "ros:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/Environment": "TEST"
        }
      }
    }
  ],
  "Version": "1"
}
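The policies in Examples 1 through 6 are easiest to reason about by running requests through them. The following evaluator is an added example written for this page, not Alibaba Cloud code, and it models only the policy features the examples use: the Allow and Deny effects, the * wildcard in Action and Resource, and the IpAddress, Bool and StringEquals condition operators. It also shows why the conditions in Examples 4 and 5 fail for a request that carries no acs:SourceIp, and it includes a small least-privilege check that flags an Allow statement with wildcard action and resource but no Condition. The CIDR block, account ID and stack ID in the sample policies are constructed placeholders (a documentation address range), not the masked values from the page.

```python
"""Evaluate RAM-style policy documents against a request.

Added example, not Alibaba Cloud's own code. It implements only the policy
features used on this page: Allow/Deny effects, '*' wildcards in Action and
Resource, and the IpAddress, Bool and StringEquals condition operators.
Anything not explicitly allowed is denied, and an explicit Deny wins.
"""
import ipaddress
import re


def _as_list(value):
    """RAM accepts a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A key missing from the request
    context never satisfies a condition, which is why an IpAddress condition
    denies a call that arrives without an acs:SourceIp value."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in {str(e).lower() for e in expected}:
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request under one policy document."""
    context = context or {}
    decision = "Deny"  # implicit deny until some statement allows the request
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def unconditioned_wildcards(policy):
    """Least-privilege lint: indexes of Allow statements that grant a wildcard
    action on every resource without any Condition narrowing them."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        wide_action = any(a.endswith("*") for a in _as_list(stmt["Action"]))
        wide_resource = "*" in _as_list(stmt["Resource"])
        if stmt["Effect"] == "Allow" and wide_action and wide_resource and "Condition" not in stmt:
            flagged.append(i)
    return flagged


# Constructed sample policies in the shape of the page's examples. The CIDR is
# a documentation range; the account and stack IDs below are placeholders.
VIEW_BEIJING = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ros:DescribeStacks", "ros:DescribeStackDetail"],
    "Resource": "acs:ros:cn-beijing:*:stack/*"}]}

ROS_FROM_OFFICE = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "ros:*", "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"},
                  "Bool": {"acs:SecureTransport": "true"}}}]}

TEST_TAG_ONLY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "ros:*", "Resource": "*",
    "Condition": {"StringEquals": {"acs:ResourceTag/Environment": "TEST"}}}]}

ROS_FULL_NO_CONDITION = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "ros:*", "Resource": "*"}]}

if __name__ == "__main__":
    stack = "acs:ros:cn-beijing:123456:stack/94dd5431-2df6-4415-81ca-000000000000"
    print(evaluate(VIEW_BEIJING, "ros:DescribeStacks", stack))           # Allow
    print(evaluate(VIEW_BEIJING, "ros:DeleteStack", stack))              # Deny
    office = {"acs:SourceIp": "203.0.113.25", "acs:SecureTransport": "true"}
    print(evaluate(ROS_FROM_OFFICE, "ros:CreateStack", stack, office))   # Allow
    print(evaluate(ROS_FROM_OFFICE, "ros:CreateStack", stack,
                   {"acs:SecureTransport": "true"}))                     # Deny: no source IP
    print(evaluate(TEST_TAG_ONLY, "ros:DeleteStack", stack,
                   {"acs:ResourceTag/Environment": "PROD"}))             # Deny
    print(unconditioned_wildcards(ROS_FULL_NO_CONDITION))                # [0]
```

The evaluator treats action names as case-sensitive and does not model the full RAM condition operator set; it is meant to make the examples on this page testable, not to replace the service's own policy check. The fourth call in the usage section is the situation described in Example 5: when the acs:SourceIp value is absent from the request, the IpAddress condition can never hold, so the statement does not apply and the request falls through to the implicit deny.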