
Authorization rules

Last updated: Mar 18, 2024

You can create custom policies to implement fine-grained permission control that meets your business requirements, for example to ensure that only members of a specific team or department can access a resource and perform specific operations on it, or to control access across Alibaba Cloud services. This topic lists the actions and resources that are involved when you use Resource Access Management (RAM) to grant permissions to RAM users or RAM roles for Elastic Compute Service (ECS), including tag-based authentication and cross-service authorization, so that you can write these policies correctly.

Background information

Note

If you already have permissions to access resources, skip this topic.

An Alibaba Cloud account can manage all ECS resources that it owns in the ECS console or by calling API operations. RAM users and RAM roles have no permissions until a policy grants them. Explicit authorization is required in the following scenarios:

  • A new RAM user cannot manage resources in your Alibaba Cloud account until a policy that grants the required permissions is attached to the user.

  • You want to access ECS resources from other Alibaba Cloud services or access other Alibaba Cloud services from ECS.

  • Before you can manage a resource that is under access control, the resource owner must grant you the required permissions on the resource and on the relevant API operations.

  • Before you can manage a resource that uses tag-based authentication, the resource owner must grant you the required permissions on the resource and on the relevant API operations, and the request or the resource must carry the tags that the policy condition requires.

When a RAM user, a RAM role, or another Alibaba Cloud account calls an ECS API operation on resources in your Alibaba Cloud account, ECS asks RAM to check whether the requester has the required permissions. The required permissions depend on the requested ECS resources and API operations. For more information, see What is RAM? and List of operations by function.

Custom policies

RAM allows you to manage user identities and resource access and operation permissions based on policies. A policy is a set of access permissions. Each policy includes a version number and one or more individual statements. Each statement includes the following elements: Effect, Action, Resource, and Condition. The Condition element is optional.

Tags can be used to identify, group, or classify resources for easy management.

You can use tags as conditions in RAM policies for fine-grained resource permission management. The following table describes the tag-based conditions in RAM policies.

Tag-based authentication condition | Description
acs:RequestTag | Requires that the API request itself carries the specified tag. Use this condition only with API operations that accept tag-related parameters: an operation that takes no tag parameters can never satisfy an acs:RequestTag condition, so requests to it fail authentication.
acs:ResourceTag | Requires that the target resource already carries the specified tag. Use this condition only with API operations that take a resource ID: a request that contains no resource ID can never satisfy an acs:ResourceTag condition, so it fails authentication.

You can create a custom policy in the RAM console or by calling the CreatePolicy operation of RAM. The following code provides a sample custom policy. When you create a custom policy, edit the policy based on the JSON template. In the policy statements, set Action and Resource to API operations and Alibaba Cloud Resource Name (ARN) values in the ARNs for API operations section and set parameters in the Condition element as described in the Tag-based authentication of requests to different API operations section. For more information, see Control access to resources by using RAM users and Policy elements.

For more information about how to use tags for authentication, see Implement fine-grained access control by using tags.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Condition": {
                "StringEquals": {
                    "acs:RequestTag/${key}": "${value}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/${key}": "${value}"
                }
            }
        }
    ]
}
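As an added example (not code from the Alibaba Cloud documentation), the following Python builds the kind of tag-scoped policy the template above describes for one team, using the Action and Resource values listed in the ARN tables that follow, and lints it for the mistakes the condition table warns about: an Allow statement with no tag condition at all, and acs:ResourceTag on a creation operation whose resource has no ID yet. The region ID, account ID, tag key and tag value are assumptions.

```python
"""Build and lint a tag-scoped RAM policy for ECS.

Added example; this is not code from the Alibaba Cloud documentation.
The team tag, region ID and account ID are constructed placeholders.
"""
import json

REGION = "cn-hangzhou"          # assumption: any region ID; "*" is also valid
ACCOUNT = "123456789012****"    # assumption: placeholder Alibaba Cloud account ID

# Operations the page describes as "used to create resources": the target has
# no ID yet, so only acs:RequestTag can be evaluated for them.
CREATE_OPS = {"ecs:RunInstances", "ecs:CreateDisk"}


def arn(resource_type, resource_id="*", region=REGION, account=ACCOUNT):
    """Format an ECS ARN: acs:ecs:$regionid:$accountid:<type>/<id>."""
    return f"acs:ecs:{region}:{account}:{resource_type}/{resource_id}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _tag_condition(prefix, key, value):
    # StringEquals is the operator the page's sample policy uses.
    return {"StringEquals": {f"{prefix}/{key}": value}}


def team_policy(tag_key, tag_value):
    """Least-privilege policy for one team, scoped entirely by one tag.

    Query and manage operations are checked against the tag already on the
    instance (acs:ResourceTag); creation is checked against the tag carried
    in the request (acs:RequestTag), which forces new instances to be tagged.
    """
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ecs:DescribeInstances"],
                "Resource": [arn("instance")],
                "Condition": _tag_condition("acs:ResourceTag", tag_key, tag_value),
            },
            {
                "Effect": "Allow",
                "Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:RebootInstance"],
                "Resource": [arn("instance")],
                "Condition": _tag_condition("acs:ResourceTag", tag_key, tag_value),
            },
            {
                # Resource list follows the RunInstances row of the ARN table.
                "Effect": "Allow",
                "Action": ["ecs:RunInstances"],
                "Resource": [arn("instance"), arn("image"), arn("securitygroup"),
                             arn("snapshot"), arn("keypair")],
                "Condition": _tag_condition("acs:RequestTag", tag_key, tag_value),
            },
        ],
    }


def lint(policy):
    """Flag Allow statements that escape the tag scope or can never match.

    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st["Action"])
        tag_keys = [key
                    for operator_values in st.get("Condition", {}).values()
                    for key in operator_values
                    if key.startswith(("acs:RequestTag/", "acs:ResourceTag/"))]
        if any(a in ("*", "ecs:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if not tag_keys:
            findings.append(f"statement {i}: no acs:RequestTag/acs:ResourceTag condition, "
                            f"so {actions} apply to every matching resource")
        creates = sorted(set(actions) & CREATE_OPS)
        if creates and any(k.startswith("acs:ResourceTag/") for k in tag_keys):
            findings.append(f"statement {i}: acs:ResourceTag on {creates}; the resource "
                            "has no ID at creation time, so this condition never matches")
    return findings


def render(policy):
    """Serialize the policy to the JSON accepted by the RAM console or CreatePolicy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = team_policy("team", "payments")
    print(render(policy))
    print("lint:", lint(policy) or "clean")
```

Paste the rendered JSON into the RAM console or pass it to CreatePolicy; run lint on any existing policy document before attaching it, since a statement that lacks a tag condition silently widens the grant to every resource its ARN matches.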

ARNs for API operations

The following tables list ECS API operations (Action) and the ARNs (Resource) that you specify for them, grouped by resource type. For more information about the ARN format, see Terms.

Instance

Action | Resource | Description
CreateInstance | acs:ecs:$regionid:$accountid:instance/*; acs:ecs:$regionid:$accountid:image/$imageNo; acs:ecs:$regionid:$accountid:securitygroup/$groupNo; acs:ecs:$regionid:$accountid:snapshot/$snapshotId; (optional) acs:ecs:$regionid:$accountid:keypair/$keyPairName; acs:vpc:$regionid:$accountid:vswitch/$vswitchId; acs:vpc:$regionid:$accountid:vpc/$vpcId | Creates a subscription or pay-as-you-go ECS instance.
DeleteInstance | acs:ecs:$regionid:$accountid:instance/$instanceId | Releases a pay-as-you-go instance or an expired subscription instance.
DescribeInstances | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:instance/* | Queries the details of one or more ECS instances.
DescribeInstanceStatus | acs:ecs:$regionid:$accountid:instance/* | Queries the status information of one or more ECS instances.
DescribeInstanceVncUrl | acs:ecs:$regionid:$accountid:instance/$instanceId | Queries the Virtual Network Computing (VNC) URL of an ECS instance.
ModifyInstanceAttribute | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Modifies the attributes of an ECS instance, such as the password, name, description, hostname, user data, and security groups. For a burstable instance, you can also change the performance mode.
ModifyInstanceAutoReleaseTime | acs:ecs:$regionid:$accountid:instance/$instanceId | Sets or cancels the automatic release time of a pay-as-you-go ECS instance. An instance with an automatic release time is released at that time, so proceed with caution.
ModifyInstanceChargeType | acs:ecs:$regionid:$accountid:instance/$instanceId | Changes the billing method of one or more instances between pay-as-you-go and subscription, or changes the billing method of all data disks attached to an instance from pay-as-you-go to subscription.
ModifyInstanceVncPasswd | acs:ecs:$regionid:$accountid:instance/$instanceId | Changes the web management terminal (VNC) password of an ECS instance.
ModifyPrepayInstanceSpec | acs:ecs:$regionid:$accountid: | Changes the instance type of a subscription instance. The new instance type takes effect for the remaining lifecycle of the instance.
RebootInstance | acs:ecs:$regionid:$accountid:instance/$instanceId | Restarts an ECS instance that is in the Running state.
RenewInstance | acs:ecs:$regionid:$accountid:instance/$instanceId | Renews a subscription ECS instance.
RunInstances | acs:ecs:$regionid:$accountid:instance/*; acs:ecs:$regionid:$accountid:image/$imageNo; acs:ecs:$regionid:$accountid:securitygroup/$groupNo; acs:ecs:$regionid:$accountid:snapshot/$snapshotId; acs:ecs:$regionid:$accountid:keypair/$keyPairName | Creates one or more pay-as-you-go or subscription ECS instances.
StartInstance | acs:ecs:$regionid:$accountid:instance/$instanceId | Starts an instance.
StopInstance | acs:ecs:$regionid:$accountid:instance/$instanceId | Stops an instance.

Elastic Block Storage (EBS) device

Action | Resource | Description
CreateDisk | acs:ecs:$regionid:$accountid:disk/*; acs:ecs:$regionid:$accountid:snapshot/$snapshotId | Creates one or more pay-as-you-go or subscription data disks.
AttachDisk | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:disk/$diskId | Attaches a pay-as-you-go data disk to an ECS instance.
DescribeDisks | acs:ecs:$regionid:$accountid:disk/$diskId; acs:ecs:$regionid:$accountid:disk/* | Queries one or more EBS devices that you have created, including cloud disks and local disks.
ModifyDiskAttribute | acs:ecs:$regionid:$accountid:disk/$diskId | Modifies the attributes of one or more disks.
ResetDisk | acs:ecs:$regionid:$accountid:disk/$diskId | Rolls back a disk to a specific state by using a snapshot of the disk.
ResizeDisk | acs:ecs:$regionid:$accountid:disk/$diskId | Resizes a cloud disk. You can resize a system disk or a data disk.
ReplaceSystemDisk | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:image/$imageNo | Replaces the system disk or operating system of an ECS instance.
DetachDisk | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:disk/$diskId | Detaches a pay-as-you-go disk from an ECS instance.
DeleteDisk | acs:ecs:$regionid:$accountid:disk/$diskId | Releases a pay-as-you-go data disk.

Reserved instance

Action | Resource | Description
PurchaseReservedInstancesOffering | acs:ecs:$regionid:$accountid:reservedinstance | Purchases a reserved instance.
DescribeReservedInstances | acs:ecs:$regionid:$accountid:reservedinstance | Queries purchased reserved instances.
ModifyReservedInstances | acs:ecs:$regionid:$accountid:reservedinstance | Splits, merges, or modifies reserved instances.

Image

Action | Resource | Description
CreateImage | acs:ecs:$regionid:$accountid:image/*; acs:ecs:$regionid:$accountid:snapshot/$snapshotId; acs:ecs:$regionid:$accountid:instance/$instanceId | Creates a custom image.
ImportImage | acs:ecs:$regionid:$accountid:image/* | Imports an existing image to ECS. The imported image appears as a custom image in the destination region.
CopyImage | acs:ecs:$fromRegionid:$accountid:image/$imageNo; acs:ecs:$toRegionid:$accountid:image/* | Copies a custom image from one region to another region.
CancelCopyImage | acs:ecs:$regionid:$accountid:image/$imageNo | Cancels an ongoing image copy task.
ExportImage | acs:ecs:$regionid:$accountid:image/$imageNo | Exports a custom image to an Object Storage Service (OSS) bucket in the same region.
DescribeImages | acs:ecs:$regionid:$accountid:image/$imageNo; acs:ecs:$regionid:$accountid:image/* | Queries available images.
ModifyImageAttribute | acs:ecs:$regionid:$accountid:image/$imageNo | Changes the name or description of a custom image.
DeleteImage | acs:ecs:$regionid:$accountid:image/$imageNo | Deletes a custom image.

Snapshot

Action | Resource | Description
CreateSnapshot | acs:ecs:$regionid:$accountid:snapshot/*; acs:ecs:$regionid:$accountid:disk/$diskId; acs:ecs:$regionid:$accountid:volume/$volumeId | Creates a snapshot for a cloud disk.
DescribeSnapshots | acs:ecs:$regionid:$accountid:snapshot/$snapshotId; acs:ecs:$regionid:$accountid:snapshot/* | Queries all snapshots of an ECS instance or a cloud disk.
ModifySnapshotAttribute | acs:ecs:$regionid:$accountid:snapshot/$snapshotId | Modifies the name or description of a snapshot.
DeleteSnapshot | acs:ecs:$regionid:$accountid:snapshot/$snapshotId | Deletes a snapshot.
CreateAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* | Creates an automatic snapshot policy.
CancelAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* | Disables an automatic snapshot policy for one or more cloud disks.
DescribeSnapshotLinks | acs:ecs:$regionid:$accountid:disk/$diskId; acs:ecs:$regionid:$accountid:disk/* | Queries the snapshot chains of one or more cloud disks.
DeleteAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* | Deletes an automatic snapshot policy.
ApplyAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* | Applies an automatic snapshot policy to one or more cloud disks or changes the existing automatic snapshot policy of the disks.

Security group

Action | Resource | Description
CreateSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/* | Creates a security group. By default, a new security group allows mutual access between the instances in the group and denies access from outside the group. To allow requests from the Internet or from instances in other security groups, call the AuthorizeSecurityGroup operation.
AuthorizeSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Adds an inbound rule to a security group.
AuthorizeSecurityGroupEgress | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Adds an outbound rule to a security group.
RevokeSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Deletes an inbound security group rule. After the rule is deleted, the access control that it implemented is removed.
RevokeSecurityGroupEgress | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Deletes an outbound security group rule. After the rule is deleted, the access control that it implemented is removed.
JoinSecurityGroup | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Adds an ECS instance to a security group.
LeaveSecurityGroup | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Removes an ECS instance from a security group.
DescribeSecurityGroupAttribute | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Queries the rules of a security group.
DescribeSecurityGroups | acs:ecs:$regionid:$accountid:securitygroup/$groupNo; acs:ecs:$regionid:$accountid:securitygroup/* | Queries the basic information about security groups.
ModifySecurityGroupAttribute | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Changes the name or description of a security group.
ModifySecurityGroupRule | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Modifies the inbound rules of a security group.
ModifySecurityGroupEgressRule | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Modifies the outbound rules of a security group.
DeleteSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Deletes a security group.

Deployment set

Action | Resource | Description
CreateDeploymentSet | acs:ecs:$regionid:$accountid:deploymentset/* | Creates a deployment set.
ModifyDeploymentSetAttribute | acs:ecs:$regionid:$accountid:deploymentset/$deploymentSetId | Changes the name or description of a deployment set.
DeleteDeploymentSet | acs:ecs:$regionid:$accountid:deploymentset/$deploymentSetId | Deletes a deployment set.
DescribeDeploymentSets | acs:ecs:$regionid:$accountid:deploymentset/$deploymentSetId | Queries the attributes of one or more deployment sets.

SSH key pair

Action | Resource | Description
CreateKeyPair | acs:ecs:$regionid:$accountid:keypair/* | Creates an SSH key pair.
ImportKeyPair | acs:ecs:$regionid:$accountid:keypair/* | Imports the public key of an RSA key pair that was generated with a third-party tool. After the import, Alibaba Cloud stores only the public key; you must keep the private key in a secure location.
DescribeKeyPairs | acs:ecs:$regionid:$accountid:keypair/$keyPairName; acs:ecs:$regionid:$accountid:keypair/* | Queries one or more SSH key pairs.
AttachKeyPair | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:keypair/$keyPairName | Binds an SSH key pair to one or more Linux ECS instances.
DetachKeyPair | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:ecs:$regionid:$accountid:keypair/$keyPairName | Unbinds an SSH key pair from one or more Linux ECS instances.
DeleteKeyPairs | acs:ecs:$regionid:$accountid:keypair/$keyPairName | Deletes one or more SSH key pairs.

Network

Action | Resource | Description
ModifyInstanceVpcAttribute | acs:ecs:$regionid:$accountid:instance/$instanceId; acs:vpc:$regionid:$accountid:vswitch/$vSwitchId | Modifies the virtual private cloud (VPC) attributes of an ECS instance. The vSwitch is a VPC resource, so its ARN uses the acs:vpc prefix, as in the CreateInstance row.
AllocatePublicIpAddress | acs:ecs:$regionid:$accountid:instance/$instanceId | Assigns a public IP address to an ECS instance.
ConvertNatPublicIpToEip | acs:ecs:$regionid:$accountid:instance/$instanceId | Converts the public IP address of an ECS instance in a VPC into an elastic IP address (EIP).
AttachClassicLinkVpc | acs:ecs:$regionid:$accountid:instance/$instanceId | Establishes a ClassicLink connection between a classic-network ECS instance and a VPC so that the instance can communicate with resources in the VPC over the internal network.
DetachClassicLinkVpc | acs:ecs:$regionid:$accountid:instance/$instanceId | Removes the ClassicLink connection between a classic-network ECS instance and a VPC.
DescribeClassicLinkInstances | acs:ecs:$regionid:$accountid:instance/* | Queries classic-network instances that have established ClassicLink connections to VPCs.
ModifyInstanceNetworkSpec | acs:ecs:$regionid:$accountid:instance/$instanceId | Modifies the bandwidth configurations of an ECS instance.

O&M and monitoring

Action | Resource | Description
DescribeSnapshotMonitorData | acs:ecs:*:$accountid:snapshot/* | Queries the monitoring data of changes in snapshot sizes in a region over the last 30 days.
DescribeInstanceMonitorData | acs:ecs:$regionid:$accountid:instance/$instanceId | Queries the monitoring information of an ECS instance.

Tag

Action | Resource | Description
TagResources | acs:ecs:$regionid:$accountid:$resourceType/$resourceId | Creates and adds tags to ECS resources.
ListTagResources | acs:ecs:$regionid:$accountid:$resourceType/$resourceId | Queries tags that are added to one or more ECS resources.
UntagResources | acs:ecs:$regionid:$accountid:$resourceType/$resourceId | Removes tags from a group of ECS instances and deletes the tags.

Price inquiry

Action | Resource | Description
DescribePrice | acs:ecs:*:$accountid:* | Queries the most recent prices of ECS resources.
DescribeRenewalPrice | acs:ecs:$regionid:$accountid:instance/$instanceId | Queries the renewal prices of ECS resources. Only the renewal prices of subscription resources can be queried.

Tag-based authentication of requests to different API operations

After policies that contain tag-based conditions are attached to a RAM user, requests made by the RAM user to API operations are authenticated based on the tags specified in the policy conditions. The following table describes various cases in which requests to different API operations are authenticated based on tags.

API operation

Description

Operations used to create resources, such as RunInstances and CreateDisk

You do not need to specify resource IDs in API requests. If no resource IDs are specified in API requests, the requests are matched against the acs:RequestTag policy condition.

  • If a request contains no tags specified in the policy condition, authentication fails.

  • If the tags contained in a request match or include the tags specified in the policy condition, authentication succeeds.

Operations used to query resources, such as DescribeInstances and DescribeDisks

Resource IDs are optional in these requests. Depending on what the request contains, it is matched against the acs:ResourceTag or the acs:RequestTag policy condition.

  • If the request contains both tags and resource IDs, authentication succeeds only if the request tags and the tags of every specified resource match the tags in the acs:ResourceTag policy condition.

  • If the request contains resource IDs but no tags, authentication succeeds only if the tags of every specified resource match the tags in the acs:ResourceTag policy condition.

  • If the request contains tags but no resource IDs, authentication succeeds only if the request tags match the tags in the acs:RequestTag policy condition.

  • If the request contains neither tags nor resource IDs, authentication fails.

Note

For API operations that are used to query resources, the system returns an empty result and does not report an error if authentication fails. When a tag-scoped RAM user receives an unexpectedly empty list, check the tag condition in the policy before concluding that no matching resources exist.

Operations used to modify resources, such as ModifyInstanceAttribute and ModifyDiskAttribute

You must specify resource IDs in requests. Then, the requests are matched against the acs:ResourceTag policy condition.

  • If a request contains no tags and the tags of the specified resource match the tags specified in the policy condition, authentication succeeds.

  • If a request contains tags on which the RAM user has permissions, authentication succeeds only if these tags and the tags of the specified resource match the tags specified in the policy condition.

Operations used to manage resources, such as StartInstance, RebootInstance, and StopInstance

You must specify resource IDs in requests. Then, the requests are matched against the acs:ResourceTag policy condition.

  • If the tags of the specified resource do not match the tags specified in the policy condition, authentication fails.

  • If the tags of the specified resource match the tags specified in the policy condition, authentication succeeds.
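The following Python, added here as an example rather than taken from the Alibaba Cloud documentation, models the four cases in the table above as a small evaluator: it classifies an operation as create, query, modify or manage, reads the acs:RequestTag and acs:ResourceTag conditions from a constructed policy, and returns allow, deny, or empty (the silent failure the note describes for query operations). The policy, instance IDs and tags are constructed, and nothing beyond these documented rules is modeled; the real RAM engine is not being reproduced.

```python
"""Model of how the tag conditions are matched for each class of ECS operation.

Added example; this simulates the rules in the table above and is not
Alibaba Cloud's authorization engine. Policy, instance IDs and tags are
constructed for the demonstration.
"""
from dataclasses import dataclass, field

CREATE, QUERY, MODIFY, MANAGE = "create", "query", "modify", "manage"
OP_CLASS = {
    "RunInstances": CREATE, "CreateDisk": CREATE,
    "DescribeInstances": QUERY, "DescribeDisks": QUERY,
    "ModifyInstanceAttribute": MODIFY, "ModifyDiskAttribute": MODIFY,
    "StartInstance": MANAGE, "RebootInstance": MANAGE, "StopInstance": MANAGE,
}

# Constructed inventory: what acs:ResourceTag sees for each resource ID.
RESOURCE_TAGS = {
    "i-aaa": {"team": "payments"},
    "i-bbb": {"team": "billing"},
    "i-ccc": {},
}

# Constructed policy: existing instances are gated by acs:ResourceTag, new
# instances by acs:RequestTag; DescribeInstances appears in both statements.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances", "ecs:StartInstance",
                    "ecs:StopInstance", "ecs:ModifyInstanceAttribute"],
         "Resource": "acs:ecs:*:*:instance/*",
         "Condition": {"StringEquals": {"acs:ResourceTag/team": "payments"}}},
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances", "ecs:RunInstances"],
         "Resource": "acs:ecs:*:*:instance/*",
         "Condition": {"StringEquals": {"acs:RequestTag/team": "payments"}}},
    ],
}


@dataclass
class Request:
    action: str
    resource_ids: list = field(default_factory=list)
    tags: dict = field(default_factory=dict)


def condition_tags(policy, action, prefix):
    """Tags required by `prefix` conditions in Allow statements that cover `action`."""
    required = {}
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or f"ecs:{action}" not in actions:
            continue
        for operator_values in st.get("Condition", {}).values():
            for key, value in operator_values.items():
                if key.startswith(prefix + "/"):
                    required[key.split("/", 1)[1]] = value
    return required


def _satisfied(required, actual):
    """StringEquals: every required key must be present with the same value.
    An empty requirement means no usable condition exists, which is a failure."""
    return bool(required) and all(actual.get(k) == v for k, v in required.items())


def evaluate(policy, req):
    """Return 'allow', 'deny', or 'empty' (query failed; API returns an empty list)."""
    kind = OP_CLASS[req.action]
    need_request = condition_tags(policy, req.action, "acs:RequestTag")
    need_resource = condition_tags(policy, req.action, "acs:ResourceTag")
    resources_ok = all(_satisfied(need_resource, RESOURCE_TAGS.get(r, {}))
                       for r in req.resource_ids)

    if kind == CREATE:
        # No resource ID exists yet, so only the tags carried in the request count.
        return "allow" if _satisfied(need_request, req.tags) else "deny"

    if kind == QUERY:
        if not req.resource_ids and not req.tags:
            return "empty"
        if req.resource_ids:
            ok = resources_ok and (not req.tags or _satisfied(need_resource, req.tags))
        else:
            ok = _satisfied(need_request, req.tags)
        return "allow" if ok else "empty"

    # MODIFY and MANAGE: a resource ID is mandatory and acs:ResourceTag applies.
    if not req.resource_ids:
        return "deny"
    ok = resources_ok
    if kind == MODIFY and req.tags:
        ok = ok and _satisfied(need_resource, req.tags)
    return "allow" if ok else "deny"


if __name__ == "__main__":
    for r in (Request("RunInstances", tags={"team": "payments"}),
              Request("RunInstances"),
              Request("StartInstance", ["i-aaa", "i-bbb"]),
              Request("DescribeInstances")):
        print(r, "->", evaluate(POLICY, r))
```

The model makes two failure modes visible: a creation request without the tag is rejected outright because acs:ResourceTag cannot apply to a resource that does not exist yet, and a query that names an instance carrying the wrong tag comes back empty rather than erroring, which is why a tag-scoped RAM user can mistake a permission mismatch for an absent resource.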