Authorize RAM users

Last Updated: Sep 13, 2024

By default, only Alibaba Cloud accounts can use Cloud Shell. If a Resource Access Management (RAM) user needs to use Cloud Shell, you must authorize the RAM user.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Note

Select a system policy for Cloud Shell based on your business requirements. If you require the full read and write permissions on Cloud Shell, select the AliyunCloudShellFullAccess policy.

Custom policies

The system policy provided by Cloud Shell is a coarse-grained policy. To achieve fine-grained access control, you can create custom policies.

Before you create custom policies, you must familiarize yourself with the basic structure and syntax of the policies. For more information, see Policy structure and syntax.

Actions of custom policies

| Action | Description |
| --- | --- |
| cloudshell:CreateEnvironment | Creates a Cloud Shell instance environment. |
| cloudshell:CreateSession | Creates a Cloud Shell session environment. |
| cloudshell:UploadFile | Uploads files from a local machine to Cloud Shell. |
| cloudshell:DownloadFile | Downloads files from Cloud Shell to a local machine. |
| cloudshell:AttachStorage | Binds a storage space to Cloud Shell. |
| cloudshell:DetachStorage | Unbinds a storage space from Cloud Shell. |
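
The following is an added example, not part of the original documentation: a constructed custom policy that lets a RAM user open Cloud Shell without file transfer or storage changes, together with a checker that reports which of the listed Cloud Shell actions a policy document effectively grants. It assumes `*` is the only wildcard and ignores Resource and Condition elements; the function names are hypothetical.

```python
import re

# The six Cloud Shell actions from the table on this page.
CLOUDSHELL_ACTIONS = [
    "cloudshell:CreateEnvironment", "cloudshell:CreateSession",
    "cloudshell:UploadFile", "cloudshell:DownloadFile",
    "cloudshell:AttachStorage", "cloudshell:DetachStorage",
]

# Constructed sample: the user can open Cloud Shell but cannot transfer
# files or change storage bindings.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudshell:CreateEnvironment", "cloudshell:CreateSession"],
        "Resource": "*",
    }],
}

def _as_list(value):
    # Statement and Action may each be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # "*" is the only wildcard handled (assumption); other characters are literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def effective_cloudshell_actions(policy):
    """Cloud Shell actions the policy grants; an explicit Deny overrides Allow."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            raise ValueError("NotAction is not handled by this checker")
        hits = {a for a in CLOUDSHELL_ACTIONS
                for p in _as_list(stmt.get("Action")) if _matches(p, a)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(allowed - denied)

def wildcard_patterns(policy):
    """Allow patterns containing '*' that reach at least one Cloud Shell action."""
    return sorted({p for stmt in _as_list(policy.get("Statement"))
                   if stmt.get("Effect") == "Allow"
                   for p in _as_list(stmt.get("Action"))
                   if "*" in p and any(_matches(p, a) for a in CLOUDSHELL_ACTIONS)})

if __name__ == "__main__":
    print(effective_cloudshell_actions(SAMPLE_POLICY))
```

Running the checker over a policy before attaching it shows whether a pattern such as `cloudshell:*` grants more of the listed actions than intended.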