
Auto Scaling: Manage Auto Scaling resources by resource authentication

Last Updated: Mar 28, 2024

In scenarios in which multiple users simultaneously access resources, you can create multiple Resource Access Management (RAM) users and grant the RAM users permissions based on their roles. This way, different RAM users can access and manage different resources. This can improve management efficiency and reduce the risk of information leaks. This topic describes how to grant different RAM users different permissions on Auto Scaling resources based on resource authentication.

Background information

  • Alibaba Cloud provides policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple resource-level permissions in each policy and attach one or more policies to RAM users or RAM user groups. For more information about policies, see Policy overview.

  • RAM does not support resource-level authentication, which may cause inconvenience when you manage Auto Scaling resources. For example, managing the permissions on Auto Scaling resources in a region at a coarse granularity may be inefficient. Auto Scaling allows you to configure policies that include resource-level permissions and attach the policies to RAM users. This facilitates flexible management of Auto Scaling resources.

    Note

    For more information about RAM, see What is RAM?

Scenarios

The following table describes the scenarios in which you can configure policies that include resource-level permissions.

| Scenario | Policy |
| --- | --- |
| Scenario 1: Create scaling groups and then configure a policy that includes resource-level permissions. Examples: Scaling Group 1 (name asg-001, ID asg-bp17np35ywjwh2cx****) and Scaling Group 2 (name asg-002, ID asg-bp1c5pl2qc6ozgbl****). | RAM users have permissions only on specific resources in Scaling Group 1. RAM users do not have permissions on resources in Scaling Group 2. |
| Scenario 2: Configure a policy that includes resource-level permissions and then create scaling groups. | RAM users have the permissions to create scaling groups only in specific regions, such as the China (Hangzhou) region. RAM users do not have the permissions to create scaling groups in other regions, such as the China (Beijing) region. |

API operations that do not support resource-level authentication

After you attach a policy that includes resource-level permissions to RAM users, the RAM users cannot call the API operations described in the following table.

| Operation | Unsupported for resource authentication |
| --- | --- |
| DescribeRegions | Yes |
| Operations that are related to scheduled tasks: CreateScheduledTask, ModifyScheduledTask, DescribeScheduledTasks, DeleteScheduledTask | Yes |
| Operations that are related to event-triggered tasks: CreateAlarm, DescribeAlarms, ModifyAlarm, EnableAlarm, DeleteAlarm | Yes |

Procedure

Note

Before you begin, make sure that a RAM user is created. For more information about how to create RAM users, see Create a RAM user.

Scenario 1: Create scaling groups and then configure a policy that includes resource-level permissions

  1. Create two scaling groups.

    For more information, see Manage scaling groups.

    • Scaling Group 1: The scaling group name is asg-001 and the scaling group ID is asg-bp17np35ywjwh2cx****.

    • Scaling Group 2: The scaling group name is asg-002 and the scaling group ID is asg-bp1c5pl2qc6ozgbl****.

  2. Log on to the RAM console.

  3. Create a custom policy.

    For more information, see Create custom policies.

    The custom policy that you created in this step allows RAM users to view, modify, and delete the asg-001 scaling group by using the Auto Scaling console or calling an API operation. However, RAM users cannot perform operations on the asg-002 scaling group.

    Sample custom policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ess:*",
                "Resource": "acs:ess:cn-hangzhou:160998252992****:scalinggroup/asg-bp17np35ywjwh2cx****"
            },
            {
                "Effect": "Deny",
                "Action": "ess:*",
                "Resource": "acs:ess:cn-hangzhou:160998252992****:scalinggroup/asg-bp1c5pl2qc6ozgbl****"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ess:DescribeRegions",
                    "ess:CreateScheduledTask",
                    "ess:ModifyScheduledTask",
                    "ess:DescribeScheduledTasks",
                    "ess:DeleteScheduledTask",
                    "ess:CreateAlarm",
                    "ess:DescribeAlarms",
                    "ess:ModifyAlarm",
                    "ess:EnableAlarm",
                    "ess:DeleteAlarm"
                ],
                "Resource": "*"
            }
        ]
    }

  4. Attach the custom policy to the RAM users whose access permissions on Auto Scaling resources you want to manage.

    For more information, see Grant permissions to a RAM user.

  5. View, modify, and delete the asg-001 and asg-002 scaling groups by using the Auto Scaling console or calling an API operation as a RAM user.

    You can view, modify, and delete the asg-001 scaling group, but you cannot view, modify, or delete the asg-002 scaling group. If the error message shown in the following figure appears, the policy has taken effect.

    Figure: Result of resource-level authentication

Scenario 2: Configure a policy that includes resource-level permissions and then create scaling groups

  1. Log on to the RAM console.

  2. Create a custom policy.

    For more information, see Create custom policies.

    The custom policy that you created in this step allows RAM users to create scaling groups in the China (Hangzhou) region by using the Auto Scaling console or calling an API operation. However, RAM users do not have the permissions to create scaling groups in the China (Beijing) region.

    Sample custom policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ess:*",
                "Resource": "acs:ess:cn-hangzhou:160998252992****:*"
            },
            {
                "Effect": "Deny",
                "Action": "ess:*",
                "Resource": "acs:ess:cn-beijing:160998252992****:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ess:DescribeRegions",
                    "ess:CreateScheduledTask",
                    "ess:ModifyScheduledTask",
                    "ess:DescribeScheduledTasks",
                    "ess:DeleteScheduledTask",
                    "ess:CreateAlarm",
                    "ess:DescribeAlarms",
                    "ess:ModifyAlarm",
                    "ess:EnableAlarm",
                    "ess:DeleteAlarm"
                ],
                "Resource": "*"
            }
        ]
    }

  3. Attach the custom policy to the RAM users whose access permissions on Auto Scaling resources you want to manage.

    For more information, see Grant permissions to a RAM user.

  4. Create scaling groups by using the Auto Scaling console or calling an API operation as a RAM user.

    You can create scaling groups in the China (Hangzhou) region, but you cannot create scaling groups in the China (Beijing) region. If the error message shown in the following figure appears, the policy has taken effect.

    Figure: Result of resource-level authentication
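The following added example (not part of the Alibaba Cloud documentation and not RAM's own code) models how the sample policies in Scenario 1 and Scenario 2 resolve individual requests, including what happens to the operations without resource-level authentication when the `"Resource": "*"` statement is left out. The account ID, the scaling group IDs, the helper names `policy` and `evaluate`, the ARN used for a create request, and the convention that operations without resource-level authentication are requested against resource `*` are assumptions made for illustration.

```python
import fnmatch

ACCT = "1111111111111111"  # constructed placeholder account ID
ARN = "acs:ess:{region}:" + ACCT + ":{res}"
GROUP_1 = ARN.format(region="cn-hangzhou", res="scalinggroup/asg-example0001")  # stands in for asg-001
GROUP_2 = ARN.format(region="cn-hangzhou", res="scalinggroup/asg-example0002")  # stands in for asg-002

# Operations the page lists as not supporting resource-level authentication.
GLOBAL_OPS = ["ess:DescribeRegions", "ess:CreateScheduledTask", "ess:ModifyScheduledTask",
              "ess:DescribeScheduledTasks", "ess:DeleteScheduledTask", "ess:CreateAlarm",
              "ess:DescribeAlarms", "ess:ModifyAlarm", "ess:EnableAlarm", "ess:DeleteAlarm"]

def policy(allow_res, deny_res, with_global=True):
    """Build a policy shaped like the page's samples: Allow, Deny, optional "*" statement."""
    stmts = [{"Effect": "Allow", "Action": "ess:*", "Resource": allow_res},
             {"Effect": "Deny", "Action": "ess:*", "Resource": deny_res}]
    if with_global:
        stmts.append({"Effect": "Allow", "Action": GLOBAL_OPS, "Resource": "*"})
    return {"Version": "1", "Statement": stmts}

def _matches(patterns, value):
    """True if value matches any pattern; '*' is the only wildcard used here."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(pol, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    hits = {s["Effect"] for s in pol["Statement"]
            if _matches(s["Action"], action) and _matches(s["Resource"], resource)}
    if "Deny" in hits:
        return "ExplicitDeny"  # an explicit Deny overrides any matching Allow
    return "Allow" if "Allow" in hits else "ImplicitDeny"  # no match means denied

SCENARIO_1 = policy(GROUP_1, GROUP_2)
SCENARIO_2 = policy(ARN.format(region="cn-hangzhou", res="*"),
                    ARN.format(region="cn-beijing", res="*"))

if __name__ == "__main__":
    no_global = policy(GROUP_1, GROUP_2, with_global=False)
    new_group = lambda region: ARN.format(region=region, res="scalinggroup/*")  # assumed ARN shape
    for label, pol, action, res in [
        ("S1 modify asg-001", SCENARIO_1, "ess:ModifyScalingGroup", GROUP_1),
        ("S1 modify asg-002", SCENARIO_1, "ess:ModifyScalingGroup", GROUP_2),
        ("S1 alarms", SCENARIO_1, "ess:DescribeAlarms", "*"),
        ("S1 alarms, no '*' statement", no_global, "ess:DescribeAlarms", "*"),
        ("S2 create in cn-hangzhou", SCENARIO_2, "ess:CreateScalingGroup", new_group("cn-hangzhou")),
        ("S2 create in cn-beijing", SCENARIO_2, "ess:CreateScalingGroup", new_group("cn-beijing")),
    ]:
        print(f"{label}: {evaluate(pol, action, res)}")
```

A request that matches no statement is already an implicit deny, so the Deny statements matter mainly when another policy attached to the same RAM user would otherwise allow the request.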
