Serverless App Engine (SAE) provides a permission assistant to simplify the configuration of RAM policies for SAE. This topic describes how to use the SAE permission assistant to quickly create policy statements and then finalize the policy in the RAM console.
Prerequisites
Background information
The SAE permission assistant is a tool that generates RAM policies. It allows you to visually configure permissions for SAE with granularity down to read and write operations for applications and tasks. The assistant generates the corresponding policy statements in the SAE console to help you avoid errors that can occur when you manually edit policy statements in the RAM console. You can then create a custom policy in the RAM console, replace the policy's content with the generated statement, and grant the policy to the RAM user who requires the SAE permissions.
Both Alibaba Cloud accounts (primary accounts) and RAM users (sub-accounts) can use the permission assistant in the SAE console to create policy drafts. However, you must deploy the policy in the RAM console for it to take effect.
Step 1: Create a policy in the SAE console
- In the SAE console, choose in the left-side navigation pane. On the Permission Assistant page, click Create Policy.
- In the Create Policy panel, on the Policy Configuration wizard step, configure the following parameters and click Next.
  - Enter a Policy Name and Note.
    Policy Name: The custom name of the policy. The name must start with a letter and can be up to 36 characters in length. It can contain letters, digits, underscores (_), and hyphens (-).
    Note: Enter a description for the policy.
  - Click Add Statement. In the Add Statement panel, configure the following parameters and click OK.
    Resource: Select the resource dimensions from the drop-down lists.
      - Region: You can select only one region.
      - Namespace: You can select only one namespace.
      - Application or Task: You can select one or more applications or tasks.
    Action: In the Optional Permissions box, select the permissions that you want to grant. The selected permissions appear in the Selected Permissions box. Note the following items:
      - The Search action text box supports fuzzy search and is case-sensitive.
      - By default, System Default Read Permissions is selected in the Selected Permissions box.
      - Read and write actions are linked. When you select a write permission, such as , the system automatically selects the related read permissions.
  - On the Policy Configuration wizard step, you can view the added policy statements and perform operations such as View Permissions, Clone, Edit, or Delete.
    The policy statements appear in a table with columns for Resource (including region, namespace, and application), Action, and Operations.
    Note:
      - To set permissions for resources in multiple namespaces, add a separate policy statement for each namespace.
      - To copy an existing policy statement, click Clone. In the Clone panel, you can modify the statement to create a new one.
- On the Preview Policy wizard step, review the generated policy statements, and then click OK.
  Click Copy to copy the RAM policy statement. You will use this statement in Step 2: Create a custom RAM policy.
  You are returned to the Permission Assistant page. You can view the newly created policy and perform operations such as View Permissions, Copy RAM Authorization Statement, Edit, or Delete.
  Important:
    - Policies generated by the SAE permission assistant apply only to SAE resources and can contain a maximum of 20 statements.
    - When SAE releases new features, you may need to regenerate the RAM policy statements. Otherwise, RAM users with the existing policy might lack permissions for these features.
Step 2: Create a custom RAM policy
When you create a custom policy in the RAM console, you must use the policy statement generated in Step 1: Create a policy in the SAE console.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose > .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
  The JSON editor appears with a default policy template that includes the Version and Statement elements. The Statement element contains the Effect, Action, Resource, and Condition elements. You must specify the actions and resources in the Action and Resource elements.
- In the JSON editor, paste the policy statement that you copied from the SAE console.
  For more information about the policy syntax and structure, see Policy structure and syntax.
- Click Next: Edit Basic Information to optimize the policy content.
  The advanced policy optimization feature performs the following tasks:
    - Splits resources or conditions that are incompatible with actions.
    - Narrows the scope of resources.
    - Deduplicates or merges statements.
- Click OK.
- Specify the Policy Name and Note, and then click OK.
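Before the pasted document is saved, it is worth checking it against the rules this topic states: the Version and Statement structure, Effect, Action and Resource in every statement, at most 20 statements, one region per statement, and write actions accompanied by their linked read actions. The following Python script is an added example, not Alibaba Cloud or SAE code; the read/write pairing table, the sample resource names and the position of the region inside a resource name are constructed assumptions, and the only fact taken from the page is the 20-statement limit.

```python
import json

MAX_STATEMENTS = 20  # limit stated for assistant-generated policies
# Constructed read/write pairing (placeholder): the assistant selects the read
# actions a write action depends on; this table lets the check catch a
# hand-edited policy that dropped them.
REQUIRED_READS = {
    "sae:DeployApplication": {"sae:DescribeApplicationConfig"},
    "sae:RestartApplication": {"sae:DescribeApplicationStatus"},
}

def as_list(value):
    """RAM accepts a string or a list for Action and Resource; normalise."""
    return [value] if isinstance(value, str) else list(value or [])

def check_policy(doc) -> list:
    """Check a policy dict or its JSON text; an empty list means it passes."""
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError as exc:
            return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []
    if doc.get("Version") != "1":
        problems.append("Version must be '1'")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    if len(stmts) > MAX_STATEMENTS:
        problems.append(f"{len(stmts)} statements exceed the limit of {MAX_STATEMENTS}")
    for i, s in enumerate(stmts):
        for key in ("Effect", "Action", "Resource"):
            if key not in s:
                problems.append(f"statement {i}: missing {key}")
        actions, resources = as_list(s.get("Action")), as_list(s.get("Resource"))
        # Least privilege: a wildcard action on every resource is a hand edit, not assistant output.
        if "*" in resources and any(a.endswith("*") for a in actions):
            problems.append(f"statement {i}: wildcard action on wildcard resource")
        for a in actions:
            missing = REQUIRED_READS.get(a, set()) - set(actions)
            if missing:
                problems.append(f"statement {i}: {a} lacks read actions {sorted(missing)}")
        # One region per statement; assumes the region is the third colon-separated field.
        regions = {r.split(":")[2] for r in resources if r.count(":") >= 4}
        if len(regions) > 1:
            problems.append(f"statement {i}: resources span regions {sorted(regions)}")
    return problems
```

Run check_policy on the text you copied from the SAE console and fix anything it reports before you click OK.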
Step 3: Grant permissions to a RAM user
After you create the custom policy, you must grant permissions to the RAM user. This section describes how to grant permissions to a RAM user on the user page. For more information about other methods, see Grant permissions to a RAM user.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, find the RAM user to whom you want to grant permissions and click Add Permissions in the Actions column.
  You can also select multiple RAM users and click Add Permissions at the bottom of the user list to grant permissions in bulk.
- In the Add Permissions panel, grant permissions to the RAM user.
  - Select an authorization scope.
    - Alibaba Cloud Account: The permissions apply to the current Alibaba Cloud account.
    - Resource Group: The permissions apply only to a specific resource group.
      Important: For a resource group-specific authorization to take effect, the cloud service must support resource groups. For more information, see Services that work with Resource Group. For an example of how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
  - Select a principal.
    The principal is the RAM user to whom you want to grant permissions. The current RAM user is selected by default.
  - Select policies.
    A policy defines a set of permissions. You can select multiple policies. Policies are classified into the following types:
    - System policy: A policy created and maintained by Alibaba Cloud. You can use but not modify system policies. For more information, see Services that work with RAM.
      Note: The system flags high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. Avoid granting these permissions unless absolutely necessary.
    - Custom policy: A policy that you can create and manage. You are responsible for the versions of the policy and can create, update, or delete the policy. For more information, see Create a custom policy.
  - Click OK.
- Click Complete.