By integrating resource groups with Resource Access Management (RAM), you can enforce resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes how Application Load Balancer supports resource groups and how to grant resource group-level permissions.
- Resource group-level authorization applies only to resource types that support resource groups and actions that support resource group-level authorization.
- For resource types that do not support resource groups, granting permissions at the resource group scope is ineffective. You must grant permissions at the account level. For more information, see Actions that do not support resource group-level authorization.
How resource group-based authorization works
You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create separate resource groups for different projects and move resources into their corresponding groups for centralized management. For more information, see What is a resource group?.
After you group your resources, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, scoped to a specific resource group. This ensures that a principal can manage only the resources within that group. For more information, see Resource grouping and authorization.
This authorization model offers several advantages:
- Fine-grained permissions: Ensures each identity has precisely the permissions it needs, preventing resources from different projects from being managed together.
- Scalability: When you add new resources to a resource group, RAM principals with permissions for that group can automatically access the new resources without requiring additional authorization.
Grant permissions to a RAM user
This section describes how to grant a RAM user permissions to manage Application Load Balancer resources in a specific resource group.
Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move existing resources to it. For more information, see Create a resource group, Automatic resource transfer, and Manual resource transfer.
Grant resource group-level authorization
You can grant resource group-level authorization by using either of the following methods.
Resource Management console
Grant permissions to a RAM user by using the permission management feature of resource groups. For detailed steps, see Grant permissions to a RAM identity for a resource group.
- Log on to the Resource Management console.
- On the Resource Groups page, click Permission Management in the Actions column for the target resource group.
- On the Permission Management tab, click Add Authorization.
- In the Add Authorization panel, configure the principal and permission policy.
  - Principal: Select an existing RAM user.
  - Permission Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom permission policy.
- Click OK.
RAM console
Grant resource group-level permissions to a RAM user in the RAM console. For detailed steps, see Manage permissions for a RAM user.
- Log on to the RAM console with an Alibaba Cloud account or as a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
  - Resource Scope: Select Resource Group.
  - Principal: Select an existing RAM user or the one you created.
  - Permission Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom permission policy.
- Click OK.
Supported resource types
Application Load Balancer supports resource groups for the following resource types:
| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| Application Load Balancer | alb | acl: access control list |
| Application Load Balancer | alb | loadbalancer: load balancer |
| Application Load Balancer | alb | securitypolicy: security policy |
| Application Load Balancer | alb | servergroup: server group |
For resource types that do not yet support resource groups, you can submit feedback in the Resource Management console.

Unsupported actions
The following Application Load Balancer actions do not support resource group-level authorization:
| Action | Description |
| --- | --- |
| alb:AssociateResources | - |
| alb:DeleteIdentity | - |
| alb:DescribeLoadBalancers | - |
| alb:DescribeZones | - |
| alb:GetGlobalLoadBalancerSummary | - |
| alb:GetIdentityAttribute | - |
| alb:InitializeServiceLinkedRole | - |
| alb:ListBackupVersions | - |
| alb:ListComponents | - |
| alb:ListIdentities | - |
| alb:ListTagKeys | Queries the keys of specified tags. |
| alb:ListTagValues | Queries the values of specified tags. |
| alb:UpdateIdentityAttribute | - |
For actions that do not support resource group-level authorization, selecting Resource Group as the resource scope is ineffective. If a RAM user still requires permissions for these actions, you must create a custom policy and select Account as the resource scope during authorization.
The following examples show two custom permission policies. You can modify them to meet your needs.
- Allows all read-only operations that do not support resource group-level authorization. The Action element lists all of these operations.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alb:DescribeLoadBalancers",
        "alb:DescribeZones",
        "alb:GetGlobalLoadBalancerSummary",
        "alb:GetIdentityAttribute",
        "alb:ListBackupVersions",
        "alb:ListComponents",
        "alb:ListIdentities",
        "alb:ListTagKeys",
        "alb:ListTagValues"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allows all actions that do not support resource group-level authorization. The Action element lists all of these actions.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alb:AssociateResources",
        "alb:DeleteIdentity",
        "alb:DescribeLoadBalancers",
        "alb:DescribeZones",
        "alb:GetGlobalLoadBalancerSummary",
        "alb:GetIdentityAttribute",
        "alb:InitializeServiceLinkedRole",
        "alb:ListBackupVersions",
        "alb:ListComponents",
        "alb:ListIdentities",
        "alb:ListTagKeys",
        "alb:ListTagValues",
        "alb:UpdateIdentityAttribute"
      ],
      "Resource": "*"
    }
  ]
}
```
A RAM user or RAM role with account-level permissions can access all relevant resources in the account. Always follow the principle of least privilege and grant only required permissions.
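Because a policy attached with Resource Scope set to Resource Group silently does nothing for the actions in the table above, it is worth checking a custom policy before attaching it. The following script is an added example (not Alibaba Cloud's code): it splits a policy's ALB actions into those that take effect at resource-group scope, those that must go into a separate account-scope policy, and wildcards that cover both. The sample policy is constructed, and alb:ListServerGroups is assumed to be an ordinary resource-group-capable action; it is not taken from this page.

```python
import json
from fnmatch import fnmatchcase

# ALB actions this page lists as NOT supporting resource group-level authorization.
ALB_ACCOUNT_SCOPE_ONLY = frozenset({
    "alb:AssociateResources", "alb:DeleteIdentity", "alb:DescribeLoadBalancers",
    "alb:DescribeZones", "alb:GetGlobalLoadBalancerSummary", "alb:GetIdentityAttribute",
    "alb:InitializeServiceLinkedRole", "alb:ListBackupVersions", "alb:ListComponents",
    "alb:ListIdentities", "alb:ListTagKeys", "alb:ListTagValues", "alb:UpdateIdentityAttribute",
})

def split_policy_for_resource_group(policy_json: str) -> dict:
    """Classify the Allow actions of a RAM policy before attaching it at
    resource-group scope: which take effect there, which are ineffective and
    must be granted at account scope, and which wildcards overlap both."""
    policy = json.loads(policy_json)
    rg_scope, account_only, overlaps = set(), set(), {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if not action.startswith("alb:"):
                continue  # the page's list only covers ALB actions
            if action in ALB_ACCOUNT_SCOPE_ONLY:
                account_only.add(action)
            elif "*" in action:
                hits = sorted(a for a in ALB_ACCOUNT_SCOPE_ONLY if fnmatchcase(a, action))
                if hits:
                    overlaps[action] = hits  # wildcard also covers account-only actions
                else:
                    rg_scope.add(action)
            else:
                rg_scope.add(action)
    return {"resource_group_scope": sorted(rg_scope),
            "account_scope_only": sorted(account_only),
            "wildcard_overlaps": overlaps}

def account_scope_policy(actions) -> dict:
    """Build the companion custom policy (same shape as the examples above)
    to attach with Resource Scope = Account for the account-only actions."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}

# Constructed sample policy (assumed action name: alb:ListServerGroups).
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["alb:ListTagKeys", "alb:ListServerGroups", "alb:List*"],
    "Resource": "*"}]})

if __name__ == "__main__":
    report = split_policy_for_resource_group(SAMPLE_POLICY)
    print(json.dumps(report, indent=2))
    print(json.dumps(account_scope_policy(report["account_scope_only"]), indent=2))
```

A wildcard reported under wildcard_overlaps should be narrowed to explicit actions, because the matching account-only actions will not be granted by the resource-group policy even though the pattern appears to cover them.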
FAQ
View a resource's group
- Method 1: Click the resource name to open its details page, which displays the resource group.
- Method 2: Log on to the Resource Management console and choose . In the left-side pane, select the account that owns the resource (Current Account is selected by default). Use the filters to find the target resource and view its resource group.
View product resources in a group
- Method 1: Log on to the Resource Management console and choose . In the left-side pane, under the account to which the resource belongs (Current Account is selected by default), click the name of the target resource group. Then, in the Select Resource Type filter on the right, select the product to view all of its resources in the resource group.
- Method 2: Log on to the Resource Management console, click , and then find the target resource group. In the Actions column for the resource group, click Resource Management. On the Resource Management page, select the current product from the Product drop-down list at the top of the page to view all resources of the product in the resource group.
Bulk move resources to a different group
Log on to the Resource Management console and choose . In the row of the target resource group, click Manage Resources in the Actions column. On the resource management page, use the filters to find the resources that you want to move. Select the resources, click Transfer Resource Group at the bottom of the list, and follow the on-screen instructions.