ECS dynamically manages resource permissions based on tags
Introduction:
This article shows how to implement dynamic permission management. An enterprise on the cloud that wants to manage permissions dynamically, without changing its policies frequently, can authorize based on tags: when the tag is added to a resource, the permission exists; when the tag is removed, the permission is gone.
Scenarios
A company wants to manage resources according to different roles.
• Datacenter member: authorized to access all ECS resources tagged project:datacenter.
• Bizcenter member: authorized to access all ECS resources tagged project:bizcenter.
• Resource producer: creates resources.
• Resource authorization manager: authorizes resources by tagging them. Adding the tag grants access to the resource and removing the tag revokes it; no policy modification is required.
Permissions are designed as follows.
Datacenter member
• Sub-accounts are used directly; for the specific operations, refer to access control (RAM).
• Sub-accounts used by members of the project can access datacenter resources once the following permissions are granted.
Note: When filtering resources in the ECS console, you must filter by the tag project:datacenter to see the resources. Without a tag filter, no resources are visible by default.
The authorization policy is designed as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/project": "datacenter"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/project": "datacenter"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:List*",
        "ecs:DescribeTags",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeTagKeys",
        "ecs:ListTagResources",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeDisk*",
        "ecs:DescribeSecurityGroup*",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeSnapshot*",
        "ecs:DescribeNetworkInterface*",
        "actiontrail:LookupEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/project": "datacenter"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:command/*"
    }
  ]
}
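To see how the tag-conditioned statements above decide a request, here is an added simulation (not part of the article and not Alibaba Cloud's own evaluator) that models the subset of RAM semantics these policies rely on: wildcard matching of Action and Resource, and StringEquals conditions on acs:ResourceTag/<key> and acs:RequestTag/<key>. The policy copy and the instance ID are constructed for the example.

```python
import fnmatch
import json

# Constructed copy of the datacenter policy above, reduced to the statements the
# simulation needs: "ecs:*" on tagged resources, List/Describe with a request tag,
# and two unconditional Describe actions.
DATACENTER_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {"acs:ResourceTag/project": "datacenter"}}},
    {"Effect": "Allow", "Action": ["ecs:List*", "ecs:Describe*"], "Resource": "*",
     "Condition": {"StringEquals": {"acs:RequestTag/project": "datacenter"}}},
    {"Effect": "Allow", "Action": ["ecs:DescribeRegions", "ecs:DescribeZones"],
     "Resource": "*"}
  ]
}""")
# Constructed resource ID; the account and instance IDs are placeholders.
INSTANCE = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-example"

def matches(patterns, value):
    """Action/Resource may be a string or a list; '*' is a wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def condition_holds(condition, resource_tags, request_tags):
    """Only StringEquals on acs:ResourceTag/<key> and acs:RequestTag/<key> is
    modelled, which is all the policies in this article use."""
    for key, expected in condition.get("StringEquals", {}).items():
        scope, _, tag_key = key.partition("/")
        tags = resource_tags if scope == "acs:ResourceTag" else request_tags
        if tags.get(tag_key) != expected:
            return False
    return True

def is_allowed(policy, action, resource, resource_tags=None, request_tags=None):
    """True if some Allow statement matches; RAM denies by default. Explicit Deny
    is not modelled because none of the article's policies use it."""
    resource_tags, request_tags = resource_tags or {}, request_tags or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not (matches(st["Action"], action) and matches(st["Resource"], resource)):
            continue
        if condition_holds(st.get("Condition", {}), resource_tags, request_tags):
            return True
    return False
```

With the same sub-account and the same instance, ecs:StopInstance is allowed only while the resource carries project:datacenter, and ecs:DescribeInstances is allowed only when the request itself carries that tag, which is why the console shows nothing until you filter by the tag.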
Bizcenter member
• The sub-account obtains this permission through a fixed role.
• In the Access Control (RAM) console, choose Identity Management > Roles and create a role named bizcenter-member.
• Note: When filtering resources in the ECS console, you must filter by the tag project:bizcenter to see the resources. Without a tag filter, no resources are visible by default.
The authorization policy is designed as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/project": "bizcenter"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/project": "bizcenter"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:List*",
        "ecs:DescribeTags",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeTagKeys",
        "ecs:ListTagResources",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeDisk*",
        "ecs:DescribeSecurityGroup*",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeSnapshot*",
        "ecs:DescribeNetworkInterface*",
        "actiontrail:LookupEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/project": "bizcenter"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:command/*"
    }
  ]
}
• Sub-accounts used by bizcenter members access bizcenter resources by assuming the role bizcenter-member, so the sub-account itself needs permission to assume that role.
The authorization policy is designed as follows:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "acs:ram:*:*:role/bizcenter-member"
    }
  ],
  "Version": "1"
}
Resource producer
• If the resource producer is also a resource manager, the Alibaba Cloud ECS FullAccess permission is sufficient.
• If every resource the producer creates must carry a project tag (project:anyValue), the permissions are as follows.
The authorization policy is designed as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Run*",
        "ecs:Create*",
        "ecs:Purchase*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/project": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:Describe*",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "bss:PayOrder"
      ],
      "Resource": "*"
    }
  ]
}
Resource authorization manager
• If the resource authorization manager must tag resources with project:anyValue, the permissions are as follows.
• To make sure resources follow the tagging convention, a tag policy can be used to enforce that resources are tagged correctly.
The authorization policy is designed as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Tag*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/project": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:*",
        "ecs:Untag*",
        "ecs:List*",
        "ecs:Describe*"
      ],
      "Resource": "*"
    }
  ]
}