By default, only Alibaba Cloud accounts can use Cloud Shell. If a Resource Access Management (RAM) user needs to use Cloud Shell, you must authorize the RAM user.
Procedure
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
ImportantIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
NoteThe system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
Select a system policy for Cloud Shell based on your business requirements. If you require the full read and write permissions on Cloud Shell, select the AliyunCloudShellFullAccess policy.
Custom policies
The system policy provided by Cloud Shell is a coarse-grained policy. To achieve fine-grained access control, you can create custom policies.
Before you create custom policies, you must familiarize yourself with the basic structure and syntax of the policies. For more information, see Policy structure and syntax.
Actions of custom policies
Action | Description |
cloudshell:CreateEnvironment | Creates a Cloud Shell instance environment. |
cloudshell:CreateSession | Creates a Cloud Shell session environment. |
cloudshell:UploadFile | Uploads files from a local machine to Cloud Shell. |
cloudshell:DownloadFile | Downloads files from Cloud Shell to a local machine. |
cloudshell:AttachStorage | Binds a storage space to Cloud Shell. |
cloudshell:DetachStorage | Unbinds a storage space from Cloud Shell. |