Resource Access Management (RAM) users are virtual accounts to which RAM policies can be attached to grant different levels of permissions. This ensures more secure and controllable access and reduces the risk of disclosing the AccessKey pair of your Alibaba Cloud account. This topic describes how to grant permissions to a RAM user and provides sample policies on Cloud Assistant.
Background information
RAM policies can be user-created custom policies or Alibaba Cloud provided system policies. You can use an Alibaba Cloud account to create custom policies that define region-specific permissions and permissions on Elastic Compute Service (ECS) instances, Cloud Assistant commands, or managed instance activation codes, and attach the policies to RAM users.
Procedure
Use an Alibaba Cloud account to create a RAM user.
For more information, see Create a RAM user.
Use the Alibaba Cloud account to create a custom policy. For more information, see Create custom policies.
The following table describes sample Cloud Assistant-related custom policies.
Policy type
Sample custom policy
Policies that include the permissions on Cloud Assistant
Policies that include permissions on Cloud Assistant Agent
Policies that include permissions on Cloud Assistant commands
Policies that include permissions on file transfer
Policies that include permissions on Operation Content and Result Delivery
Permissions to query and modify the Operation Content and Result Delivery settings
Permissions to query the Operation Content and Result Delivery settings
Region-specific permissions on Operation Content and Result Delivery
Permissions to query and modify the Session Record Delivery settings
Permissions to query Simple Log Service projects and Logstores
Policies that include permissions on managed instances
Policies that include permissions on Session Manager
Permissions to create and query Session Manager session records
Use your Alibaba Cloud account to attach policies to the created RAM user.
For more information, see Grant permissions to a RAM user.
Attach a created custom policy.
Attach the following system policies provided by Alibaba Cloud:
AliyunECSAssistantFullAccess: grants RAM users the permissions to manage Cloud Assistant.
AliyunECSAssistantReadonlyAccess: grants RAM users read-only permissions on Cloud Assistant.
You can log on to the RAM console to view the system policies and the details of the policies. For more information, see View the basic information about a policy.
Check whether the RAM user has permissions to log on to the Alibaba Cloud Management Console.
If a RAM user does not have the Console Access permission, the RAM user can use Cloud Assistant only by calling API operations. For more information, see View the permissions of a RAM user.
Log on to the Alibaba Cloud Management Console as the RAM user.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Log on to the ECS console as the RAM user, go to the ECS Cloud Assistant page, and then use Cloud Assistant.
Cloud Assistant-specific sample custom policies
Administrator (read and write) permissions on Cloud Assistant
After you attach the following sample policy to RAM users, the RAM users have all query and management permissions on Cloud Assistant API operations:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*",
"acs:ecs:*:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}Read-only permissions on Cloud Assistant
After you attach the following sample policy to RAM users, the RAM users have all query permissions on Cloud Assistant API operations:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}Region-specific permissions on Cloud Assistant
You can specify region fields in the Resource element to limit the permissions of RAM users on a specific region. After you attach the following sample policy to RAM users, the RAM users have permissions to use Cloud Assistant only in the China (Hangzhou) region:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:instance/*",
"acs:ecs:cn-hangzhou:*:command/*",
"acs:ecs:cn-hangzhou:*:activation/*",
"acs:ecs:cn-hangzhou:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:servicesettings/*"
]
}
]
}Cloud Assistant Agent-specific sample custom policies
Permissions to query the installation status of Cloud Assistant Agent
API operation: DescribeCloudAssistantStatus
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the installation status of Cloud Assistant Agent on all ECS instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to query the installation status of Cloud Assistant Agent only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx000a", "acs:ecs:*:*:instance/i-instancexxx000b" ] } ] }
Permissions to install Cloud Assistant Agent
API operation: InstallCloudAssistant
After you attach the following sample policy to RAM users, the RAM users have the permissions to install Cloud Assistant Agent on all ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to install Cloud Assistant Agent only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Cloud Assistant command-specific sample custom policies
Permissions to view Cloud Assistant commands
API operation: DescribeCommands
After you attach the following sample policy to RAM users, the RAM users have the permissions to query all Cloud Assistant commands:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }You can specify command IDs in the Resource element to limit the permissions to specific commands. The following sample policy allows the RAM users to query only the specified commands:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Permissions to delete Cloud Assistant commands
API operation: DeleteCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to delete all Cloud Assistant commands:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }You can specify command IDs in the Resource element to limit the permissions to specific commands. The following sample policy allows the RAM users to delete only the specified commands:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Permissions to create Cloud Assistant commands
API operation: CreateCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to create Cloud Assistant commands:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCommand"
],
"Resource": [
"acs:ecs:*:*:command/*"
]
}
]
}Permissions to modify Cloud Assistant commands
API operation: ModifyCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to modify all Cloud Assistant commands:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }You can specify command IDs in the Resource element to limit the permissions to specific commands. The following sample policy allows the RAM users to modify only the specified commands:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Permissions to run Cloud Assistant commands
API operation: InvokeCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to run Cloud Assistant commands on all instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to run Cloud Assistant commands only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }You can specify command IDs in the Resource element to limit the permissions to specific commands. The following sample policy allows the RAM users to run only the specified commands on instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b", "acs:ecs:*:*:instance/*" ] } ] }You can specify both command IDs and instance IDs in the Resource element to limit the permissions to specific instances and specific commands. The following sample policy allows the RAM users to run only the specified commands on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
Permissions to simultaneously create and run Cloud Assistant commands
API operation: RunCommand
If you set the KeepCommand parameter to true when you call the RunCommand operation, you must add the "acs::ecs:*:*:command/*" line to the Resource element.
After you attach the following sample policy to RAM users, the RAM users have the permissions to simultaneously create and run Cloud Assistant commands on all instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to simultaneously create and run Cloud Assistant commands only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to query command execution results
API operation: DescribeInvocations
After you attach the following sample policy to RAM users, the RAM users have the permissions to query command execution results on all instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to query the execution results of commands only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/*" ] } ] }You can specify command IDs in the Resource element to limit the permissions to specific commands. The following sample policy allows the RAM users to query the execution results of only the specified commands on instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }You can specify both command IDs and instance IDs in the Resource element to limit the permissions to specific instances and specific commands. The following sample policy allows the RAM users to query the execution results of only the specified commands on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
Permissions to modify the execution information of scheduled tasks
API operation: ModifyInvocationAttribute
After you attach the following sample policy to RAM users, the RAM users have the permissions to modify the execution information of all scheduled tasks and add all instances to scheduled tasks:
If you change the value of the
CommandContentparameter and set theKeepCommandparameter totruewhen you call the InvokeCommand or RunCommand operation, a command is added and retained. In this case, you must add theacs:ecs:*:*:command/*line to the Resource element before you call the ModifyInvocationAttribute operation:{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }You can specify task IDs in the Resource element to limit the permissions to specific tasks. The following sample policy allows the RAM users to modify the execution information of only the specified tasks and add instances to the specified tasks:
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to modify the execution information of all scheduled tasks and add only the specified instances to scheduled tasks:
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }You can specify instance IDs and task IDs in the Resource element to limit the permissions to specific instances and tasks. The following sample policy allows the RAM users to modify the execution information of only the specified tasks and add only the specified instances to the scheduled tasks:
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
Permissions to stop running Cloud Assistant commands
API operation: StopInvocation
After you attach the following sample policy to RAM users, the RAM users have the permissions to stop running Cloud Assistant commands on all instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to stop running Cloud Assistant commands only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
File uploading-specific sample custom policies
Permissions to upload on-premises files
API operation: SendFile
After you attach the following sample policy to RAM users, the RAM users have the permissions to upload on-premises files to all instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to upload on-premises files only to the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to query the results of file upload operations
API operation: DescribeSendFileResults
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the results of file upload operations to all instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to query the results of file upload operations only to the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Operation Content and Result Delivery-specific sample custom policies
Permissions to query and modify the Operation Content and Result Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Operation Content and Result Delivery settings:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}Permissions to query the Operation Content and Result Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Operation Content and Result Delivery settings:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}Region-specific permissions on Operation Content and Result Delivery
You can specify region IDs in the Resource element to limit the regional permissions of RAM users.
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Operation Content and Result Delivery settings only in the China (Hangzhou) region:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Operation Content and Result Delivery settings only in the China (Hangzhou) region:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
Permissions to query and modify the Session Record Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Session Record Delivery settings:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}Permissions to query the Session Record Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Session Record Delivery settings:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}Region-specific permissions on Session Record Delivery
You can specify region IDs in the Resource element to limit the regional permissions of RAM users.
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Session Record Delivery settings only in the China (Hangzhou) region:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Session Record Delivery settings only in the China (Hangzhou) region:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
Permissions to query OSS buckets
When you deliver O&M task execution records or session records to Object Storage Service (OSS) as a RAM user, you must grant the RAM user the permissions to query OSS buckets.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": "*"
}
]
}After you deliver O&M task execution records or session records to OSS, you must learn about RAM policies on OSS for query and analysis purposes. For more information, see RAM policies and Common examples of RAM policies.
Permissions to query Simple Log Service projects and Logstores
When you deliver O&M task execution records or session records to Simple Log Service as a RAM user, you must grant the RAM user the permissions to query Simple Log Service projects and Logstores.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"log:ListProject",
"log:ListLogStores"
],
"Resource": "*"
}
]
}After you deliver O&M task execution records or session records to Simple Log Service, you must learn about RAM policies on Simple Log Service for query and analysis purposes. For more information, see Overview of RAM authentication rules.
Managed instance-specific sample custom policies
Permissions to deregister managed instances
API operation: DeregisterManagedInstance
After you attach the following sample policy to RAM users, the RAM users have the permissions to deregister all managed instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to deregister only the specified managed instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to query managed instances
API operation: DescribeManagedInstances
After you attach the following sample policy to RAM users, the RAM users have the permissions to query all managed instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to query only the specified managed instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to create activation codes
API operation: CreateActivation
After you attach the following sample policy to RAM users, the RAM users have the permissions to create activation codes and use the activation codes to register servers that are not provided by Alibaba Cloud as Alibaba Cloud managed instances:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateActivation"
],
"Resource": [
"acs:ecs:*:*:activation/*"
]
}
]
}Permissions to disable activation codes
API operation: DisableActivation
After you attach the following sample policy to RAM users, the RAM users have the permissions to disable all activation codes that are used to register Alibaba Cloud managed instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to disable the activation codes of only the specified managed instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Permissions to query activation codes
API operation: DescribeActivations
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the created activation codes and the usage of the activation codes:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to query the activation codes of only the specified managed instances and the usage of the activation codes:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Permissions to delete activation codes
API operation: DeleteActivation
After you attach the following sample policy to RAM users, the RAM users have the permissions to delete all activation codes that are not used:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific activation codes. The following sample policy allows the RAM users to delete only the specified activation codes that are not used:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Sample custom policies specific to Cloud Assistant Agent upgrades
API operations: ModifyCloudAssistantSettings and DescribeCloudAssistantSettings
Permissions to query and modify the Cloud Assistant Agent upgrade settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Cloud Assistant Agent upgrade settings:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}Permissions to query the Cloud Assistant Agent upgrade settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Cloud Assistant Agent upgrade settings:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}Session Manager-specific sample custom policies
API operations: StartTerminalSession and DescribeTerminalSessions
Permissions to create and query Session Manager session records
After you attach the following sample policy to RAM users, the RAM users have the permissions to create and query Session Manager session records:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }You can specify instance IDs in the Resource element to limit the permissions to specific instances. The following sample policy allows the RAM users to create and query Session Manager session records only on the specified instances:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }