
Serverless App Engine:Policies and examples

Last Updated:Jul 21, 2025

Serverless App Engine (SAE) manages permissions through Alibaba Cloud Resource Access Management (RAM). With RAM, multiple users no longer need to share the Alibaba Cloud account password or its AccessKey pair (AccessKey ID and AccessKey Secret), which reduces the risk of credential exposure. This topic describes how to create authorization policies in RAM and grant SAE permissions to RAM users.

Prerequisites

You are familiar with the basic structure and syntax of the policy language. For more information, see Policy syntax and structure and Basic elements of a policy.

RAM policy

A permission allows or denies a specific operation on a specific resource. A policy is a set of permissions written in a simple policy language: it specifies the resources and operations that are authorized and, optionally, the conditions under which the authorization applies.

In RAM, a policy is a resource entity. SAE supports:

  • System policy: created and maintained by Alibaba Cloud. System policies provide coarse-grained permission control for RAM users and cannot be modified.

  • Custom policy: created, modified, and deleted by you for fine-grained permission control over RAM users. You can also manage the versions of a custom policy.

System policy

When a RAM user logs on to the SAE console for the first time, SAE displays a welcome dialog box that prompts for the required permissions. Use the Alibaba Cloud account to attach the following system policies to the RAM user in the RAM console:

System policies (policy name: description)

  • AliyunSAEFullAccess: Grants full access to Serverless App Engine (SAE). You can manage applications only after this policy is attached.

  • AliyunSLBReadOnlyAccess: Grants read-only access to Server Load Balancer (SLB). You can use SLB-related features only after this policy is attached.

  • AliyunACMFullAccess: Grants full access to Application Configuration Management (ACM). You can use the built-in ACM features of SAE only after this policy is attached.

  • AliyunECSReadOnlyAccess: Grants read-only access to Elastic Compute Service (ECS). You can select an existing security group when you create an application only after this policy is attached.

  • AliyunOOSReadOnlyAccess: Grants read-only access to Operation Orchestration Service (OOS). You can use the scheduled start and stop feature to batch manage applications in SAE only after this policy is attached.

  • AliyunBSSReadOnlyAccess: Grants read-only access to Billing Management. You can view the balance of the resource plans that you purchased on the Overview page of the SAE console only after this policy is attached.

  • AliyunARMSReadOnlyAccess: Grants read-only access to Application Real-Time Monitoring Service (ARMS). You can use the built-in application monitoring feature of SAE only after this policy is attached.

  • AliyunRAMReadOnlyAccess: Grants read-only access to Resource Access Management (RAM). SAE can query the permissions of the RAM user and prompt for missing permissions only after this policy is attached.

  • AliyunCloudMonitorReadOnlyAccess: Grants read-only access to CloudMonitor. You can use the built-in basic monitoring feature of SAE only after this policy is attached.

  • AliyunContainerRegistryReadOnlyAccess: Grants read-only access to Container Registry. You can select Container Registry Enterprise Edition when you deploy applications from images in SAE only after this policy is attached.

  • AliyunALBReadOnlyAccess: Grants read-only access to Application Load Balancer (ALB).

  • AliyunYundunCertReadOnlyAccess: Grants read-only access to Certificate Management Service.

  • AliyunEventBridgeReadOnlyAccess: Grants read-only access to EventBridge. You can create and update jobs only after this policy is attached.

Note

AliyunSAEFullAccess grants full permissions on all SAE resources. For more granular permissions, such as at the namespace or application level, or for associated products, see custom policy.

Custom policy

If system policies do not meet your specific business needs, you can create custom policies for detailed access control.

The SAE Permission Assistant facilitates the visual configuration of SAE permissions, generates policy statements without manual script editing, and helps create and assign custom policies to RAM users in the RAM console.

Authorization rules

SAE supports the following resource type in authorization policies.

Resource type: application

ARN format in a policy: acs:sae:${regionid}:${accountid}:application/${namespaceid}/${appid}

The ARN contains the following parameters.

  • ${regionid}: Region ID. You can use * to match all regions.

  • ${accountid}: Alibaba Cloud account ID. You can use * to match any account ID.

  • ${namespaceid}: Namespace ID. The default namespace has an empty ID; in a policy, write it as _default.

    Note: A namespace ID can contain only lowercase letters and digits.

  • ${appid}: Application ID. You can use * to match all applications in the namespace.

The following examples illustrate resource descriptions.

Take the China (Shanghai) region as an example.

  • The following ARN pertains to an application with the ID 0c815215-46a1-46a2-ba1e-0102a740**** and namespace ID test.

    acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****
  • The following ARN is for the default namespace.

    acs:sae:cn-shanghai:*:application/_default/*
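The following Python helper is an added example, not code from the SAE documentation or an SAE SDK. It builds an application ARN in the format shown above and parses one back, applying the two rules a policy author most often gets wrong: the default namespace must be written as _default, and a namespace ID may contain only lowercase letters and digits. The sample IDs are the ones used on this page; the 1234567890123456 account ID in the docstring example is made up.

```python
import re

# A namespace ID may contain only lowercase letters and digits (rule from the page).
_NAMESPACE_ID_RE = re.compile(r"[a-z0-9]+")

# The default namespace has an empty ID and is written as _default in an ARN.
DEFAULT_NAMESPACE_TOKEN = "_default"


def is_valid_namespace_id(namespace_id: str) -> bool:
    """True if the value may appear in the namespace segment of an SAE ARN.

    "" means the default namespace, "_default" is its escaped form, and "*"
    matches all namespaces; anything else must be lowercase letters/digits.
    """
    if namespace_id in ("", DEFAULT_NAMESPACE_TOKEN, "*"):
        return True
    return _NAMESPACE_ID_RE.fullmatch(namespace_id) is not None


def sae_application_arn(region_id: str, account_id: str,
                        namespace_id: str, app_id: str) -> str:
    """Build acs:sae:${regionid}:${accountid}:application/${namespaceid}/${appid}.

    region_id, account_id and app_id may be "*" to match any value, e.g.
    sae_application_arn("cn-shanghai", "1234567890123456", "", "*") (made-up
    account ID) yields acs:sae:cn-shanghai:1234567890123456:application/_default/*
    """
    for name, value in (("region_id", region_id), ("account_id", account_id),
                        ("app_id", app_id)):
        if not value or ":" in value or "/" in value:
            raise ValueError(f"{name} must be non-empty and contain no ':' or '/'"
                             " (use '*' to match any value)")
    if not is_valid_namespace_id(namespace_id):
        raise ValueError(f"invalid namespace ID {namespace_id!r}: only lowercase "
                         "letters and digits are allowed")
    if namespace_id == "":
        namespace_id = DEFAULT_NAMESPACE_TOKEN  # escape the empty default ID
    return f"acs:sae:{region_id}:{account_id}:application/{namespace_id}/{app_id}"


def parse_sae_application_arn(arn: str) -> dict:
    """Split an SAE application ARN into its parts, rejecting malformed input.

    Inverse of sae_application_arn(): the default namespace comes back as ""
    so that build -> parse -> build round-trips exactly.
    """
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "sae":
        raise ValueError(f"not an SAE ARN: {arn!r}")
    _, _, region_id, account_id, relative = parts
    kind, sep, rest = relative.partition("/")
    if kind != "application" or not sep:
        raise ValueError(f"not an application ARN: {arn!r}")
    namespace_id, sep, app_id = rest.partition("/")
    if not sep or not namespace_id or not app_id or "/" in app_id:
        raise ValueError(f"malformed application path in {arn!r}")
    if not is_valid_namespace_id(namespace_id):
        raise ValueError(f"invalid namespace ID {namespace_id!r} in {arn!r}")
    if namespace_id == DEFAULT_NAMESPACE_TOKEN:
        namespace_id = ""
    return {"region_id": region_id, "account_id": account_id,
            "namespace_id": namespace_id, "app_id": app_id}


if __name__ == "__main__":
    print(sae_application_arn("cn-shanghai", "*", "test",
                              "0c815215-46a1-46a2-ba1e-0102a740****"))
    print(sae_application_arn("cn-shanghai", "*", "", "*"))
    print(parse_sae_application_arn("acs:sae:cn-shanghai:*:application/_default/*"))
```

Validating the namespace segment before a policy is saved matters because a RAM policy with a typo in a resource ARN is syntactically valid and simply never matches, so the grant silently does nothing.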

Policy examples

  • Scenario 1: Grant namespace-level permissions

    Scenario description: Grant read permissions on all SAE resources in a region, and full permissions on one namespace and the applications in it.

    Under the policy below, the RAM user can read every SAE resource in China (Shanghai) and has full control over the namespace with the ID test and all applications in that namespace. The default namespace is readable but not writable under this policy; to manage it as well, add acs:sae:cn-shanghai:*:application/_default/* to the Resource list of the sae:* statement.

    The policy has two statements.

    Resource acs:sae:cn-shanghai:*:* (every SAE resource in China (Shanghai)):

      • sae:Query*, sae:List*, sae:Describe*: read-only actions whose names start with Query, List or Describe, on every SAE resource in the region.

      • sae:*Ingress*, sae:*ChangeOrder*, sae:*Pipeline*: every action whose name contains Ingress, ChangeOrder or Pipeline. These wildcards also match write actions, and because they are attached to the region-wide resource they apply in every namespace, not only test. Narrow the resource or list the exact action names if that is not intended.

    Resource acs:sae:cn-shanghai:*:application/test/*:

      • sae:*: every SAE action on the namespace with the ID test and on all applications in it, in China (Shanghai).

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "sae:Query*",
                    "sae:List*",
                    "sae:Describe*",
                    "sae:*Ingress*",
                    "sae:*ChangeOrder*",
                    "sae:*Pipeline*"
                ],
                "Resource": "acs:sae:cn-shanghai:*:*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "sae:*"
                ],
                "Resource": [
                    "acs:sae:cn-shanghai:*:application/test/*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Scenario 2: Grant application-level permissions

    Scenario description: Grant read permissions on all SAE resources in a region, and full permissions on specific applications only.

    Under the policy below, the RAM user has full control over the following two applications and read access to everything else in China (Shanghai).

    Application 1: namespace test, application ID 0c815215-46a1-46a2-ba1e-0102a740****

    Application 2: default namespace (written as _default in the ARN), application ID e468a92b-1529-4d20-8ab1-9d1595dc****

    The policy has two statements.

    Resource acs:sae:cn-shanghai:*:* (every namespace and application in China (Shanghai)):

      • sae:Query*, sae:List*, sae:Describe*: read-only actions whose names start with Query, List or Describe, on every SAE resource in the region.

      • sae:*Ingress*, sae:*ChangeOrder*, sae:*Pipeline*: every action whose name contains Ingress, ChangeOrder or Pipeline, region-wide. As in Scenario 1, these wildcards also match write actions on namespaces and applications that the user otherwise cannot manage.

    Resource acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****:

      • sae:*: every SAE action on Application 1 in the namespace with the ID test, in China (Shanghai).

    Resource acs:sae:cn-shanghai:*:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc****:

      • sae:*: every SAE action on Application 2 in the default namespace, in China (Shanghai). Other applications in test or in the default namespace are readable only.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "sae:Query*",
                    "sae:List*",
                    "sae:Describe*",
                    "sae:*Ingress*",
                    "sae:*ChangeOrder*",
                    "sae:*Pipeline*"
                ],
                "Resource": "acs:sae:cn-shanghai:*:*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "sae:*"
                ],
                "Resource": [
                    "acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****",
                    "acs:sae:cn-shanghai:*:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc****"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Scenario 3: Grant permissions for accessing associated Alibaba Cloud services

    Applications on SAE may need to call the APIs of other Alibaba Cloud services, such as ECS, SLB, and ARMS, at runtime. To support this, authorize the RAM user to access the relevant services. For example, you can attach the read-only system policies for ECS (AliyunECSReadOnlyAccess), SLB (AliyunSLBReadOnlyAccess), and ARMS (AliyunARMSReadOnlyAccess). Grant only the services, and the access level, that the application actually needs.
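Before attaching a policy like the ones in Scenario 1 and Scenario 2, it is worth checking what it actually permits rather than what its description says. The following Python script is an added example, not code from the SAE documentation or from RAM: it embeds the Scenario 2 policy from this page and evaluates a handful of requests against it under a simplified model of RAM evaluation (implicit Deny, explicit Deny overrides Allow, `*` and `?` wildcards, case-insensitive action names, no Condition handling). The account ID, the prod namespace and its application ID are made up, and the action names are illustrative; confirm exact operation names against the SAE API reference.

```python
import json
import re

# Scenario 2 policy, copied from the page.
SCENARIO_2_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["sae:Query*", "sae:List*", "sae:Describe*",
                       "sae:*Ingress*", "sae:*ChangeOrder*", "sae:*Pipeline*"],
            "Resource": "acs:sae:cn-shanghai:*:*",
            "Effect": "Allow"
        },
        {
            "Action": ["sae:*"],
            "Resource": [
                "acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****",
                "acs:sae:cn-shanghai:*:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc****"
            ],
            "Effect": "Allow"
        }
    ]
}
""")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """RAM-style wildcard: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one request.

    Simplified model (an assumption, not the RAM engine): implicit Deny; any
    matching Deny statement overrides Allow; actions are matched
    case-insensitively, resources case-sensitively; Condition is ignored
    because the policies on this page have none.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        action_hit = any(wildcard_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed requests: the account ID, the "prod" namespace and the unknown
# application IDs are made up; the "****" in the page's IDs is its own masking.
ACCOUNT = "1234567890123456"
APP1 = f"acs:sae:cn-shanghai:{ACCOUNT}:application/test/0c815215-46a1-46a2-ba1e-0102a740****"
APP2 = f"acs:sae:cn-shanghai:{ACCOUNT}:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc****"
OTHER_TEST_APP = f"acs:sae:cn-shanghai:{ACCOUNT}:application/test/ffffffff-0000-0000-0000-000000000000"
PROD_APP = f"acs:sae:cn-shanghai:{ACCOUNT}:application/prod/aaaaaaaa-0000-0000-0000-000000000000"
HANGZHOU_APP = f"acs:sae:cn-hangzhou:{ACCOUNT}:application/test/0c815215-46a1-46a2-ba1e-0102a740****"


def effective_access(policy: dict = SCENARIO_2_POLICY) -> dict:
    """Decisions for requests chosen to show where the policy's boundaries lie."""
    requests = {
        "describe app1": ("sae:DescribeApplicationConfig", APP1),
        "delete app1": ("sae:DeleteApplication", APP1),
        "delete app2": ("sae:DeleteApplication", APP2),
        "describe other test app": ("sae:DescribeApplicationConfig", OTHER_TEST_APP),
        "delete other test app": ("sae:DeleteApplication", OTHER_TEST_APP),
        "delete prod app": ("sae:DeleteApplication", PROD_APP),
        # *Ingress* sits on the region-wide resource, so a write action on a
        # namespace the user cannot otherwise manage is still allowed.
        "create ingress in prod": ("sae:CreateIngress", PROD_APP),
        "describe app in hangzhou": ("sae:DescribeApplicationConfig", HANGZHOU_APP),
    }
    return {name: evaluate(policy, act, res) for name, (act, res) in requests.items()}


if __name__ == "__main__":
    for name, decision in effective_access().items():
        print(f"{decision:5}  {name}")
```

Running it shows that reads succeed anywhere in cn-shanghai and nowhere else, that deletes succeed only on the two listed applications, and that the `*Ingress*`, `*ChangeOrder*` and `*Pipeline*` patterns reach into every namespace in the region. If the last behaviour is not what the operator intended, the fix is to move those three patterns into the application-scoped statement or to replace them with the exact read-only operation names.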