You can grant RAM users different RAM policies to increase or decrease their permission levels, achieving more secure and controllable access and effectively reducing the risk of leaking the AccessKey pair of your Alibaba Cloud account. This topic describes the authorization steps and provides sample RAM policies related to Cloud Assistant.
Background information
RAM policies can be user-created custom policies or system policies provided by Alibaba Cloud. Specifically for Cloud Assistant, besides system policies, you can design custom policies from dimensions such as region, ECS instance, Cloud Assistant command, and managed instance activation code, and grant them to RAM users to flexibly control their permissions to use Cloud Assistant.
Procedure
- Use an Alibaba Cloud account to create a RAM user. For more information, see Create a RAM user.
- Use an Alibaba Cloud account to create a custom policy. For more information, see Create a custom policy. This topic provides sample custom policies for the following Cloud Assistant features:
  - Cloud Assistant
  - Cloud Assistant Agent
  - Cloud Assistant commands
  - Sending files
  - Operation content and result delivery
  - Managed instances
  - Session Management
- Use your Alibaba Cloud account to attach policies to the created RAM user. For more information, see Grant permissions to a RAM user. You can attach either of the following:
  - The custom policies you created.
  - The system policies provided by Alibaba Cloud. AliyunECSAssistantFullAccess grants RAM users the permissions to manage Cloud Assistant; AliyunECSAssistantReadonlyAccess grants RAM users read-only permissions on Cloud Assistant. You can view the basic information of system policies in the RAM console. For more information, see View basic information of a policy.
- Check whether the RAM user has permissions to log on to the Alibaba Cloud Management Console. If Console Access is not enabled, the RAM user can only call API operations to use Cloud Assistant. For more information, see Check the permissions of a RAM user.
- Log on to the Alibaba Cloud Management Console as the RAM user. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
- Log on to the Cloud Assistant page in the ECS console as the RAM user to start using Cloud Assistant.
Cloud Assistant custom policy examples
Cloud Assistant administrator permissions (read and write)
After you attach the following permissions, RAM users have all query and management permissions on Cloud Assistant API operations.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*",
"acs:ecs:*:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}
Cloud Assistant view permissions (read-only)
After you attach the following permissions, RAM users have all query permissions on Cloud Assistant API operations.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}
Set region restrictions for Cloud Assistant
You can restrict the regions in which RAM users may act by specifying a region ID in the region field of each Resource ARN (for example, acs:ecs:cn-hangzhou:*:instance/* instead of acs:ecs:*:*:instance/*). In the following example, RAM users are allowed to use Cloud Assistant only in the China (Hangzhou) region.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:instance/*",
"acs:ecs:cn-hangzhou:*:command/*",
"acs:ecs:cn-hangzhou:*:activation/*",
"acs:ecs:cn-hangzhou:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:servicesettings/*"
]
}
]
}
Cloud Assistant Agent
Query Cloud Assistant Agent installation status
Related API: DescribeCloudAssistantStatus
-
After you attach the following permissions, RAM users can query the installation status of the Cloud Assistant Agent on all ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can only view the installation status of the Cloud Assistant Agent on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx000a", "acs:ecs:*:*:instance/i-instancexxx000b" ] } ] }
Install Cloud Assistant Agent
Related API: InstallCloudAssistant
-
After you attach the following permissions, RAM users can install the Cloud Assistant Agent on any ECS instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can only install the Cloud Assistant Agent on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Cloud Assistant commands custom policy examples
View Cloud Assistant commands
Related API: DescribeCommands
-
After you attach the following permissions, RAM users can view all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
-
By specifying command IDs in the Resource list, RAM users can only view specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Delete Cloud Assistant commands
Related API: DeleteCommand
-
After you attach the following permissions, RAM users can delete all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
-
By specifying command IDs in the Resource list, RAM users can only delete specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Create Cloud Assistant commands
Related API: CreateCommand
RAM users need at least the following permissions to create Cloud Assistant commands.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCommand"
],
"Resource": [
"acs:ecs:*:*:command/*"
]
}
]
}
Modify Cloud Assistant commands
Related API: ModifyCommand
-
After you attach the following permissions, RAM users can modify any Cloud Assistant command.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
-
By specifying command IDs in the Resource list, RAM users can only modify the specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Execute commands
Related API: InvokeCommand
-
After you attach the following permissions, RAM users can execute commands on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can only execute Cloud Assistant commands on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
-
By specifying command IDs in the Resource list, RAM users can only execute specified commands on ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b", "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying both command IDs and instance IDs in the Resource list, RAM users can only execute specified commands on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
-
By adding tag conditions in the Condition element, you can control the range of ECS instances on which commands can be executed. For example, commands can only be executed on ECS instances that have the tag test:tony.
Note: When you use acs:ResourceTag, the resource must support tags. For example, ECS instances can be tagged, but commands cannot, so the command resource is granted in a separate statement that carries no tag condition.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": [ "acs:ecs:*:*:instance/*" ], "Condition": { "StringEquals": { "acs:ResourceTag/test": "tony" } } }, { "Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
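As an added example that is not part of this topic or of Alibaba Cloud's authorization engine, the following Python script is a simplified, allow-only evaluator for the policy shapes shown above. It embeds two constructed policies (the tag-scoped InvokeCommand policy and a region-scoped variant) and shows why the tag-scoped policy needs a second, unconditioned statement for the command resource, and how a region in the Resource ARN denies an otherwise matching instance. The ARNs and account ID are placeholders, and only the StringEquals / acs:ResourceTag condition used on this page is modelled.

```python
import fnmatch
import json

# Constructed sample policy (not the page's own text): a tag-conditioned Allow on instances
# plus an unconditioned Allow on commands, because command resources cannot carry tags.
TAG_SCOPED_INVOKE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:InvokeCommand",
     "Resource": ["acs:ecs:*:*:instance/*"],
     "Condition": {"StringEquals": {"acs:ResourceTag/test": "tony"}}},
    {"Effect": "Allow", "Action": "ecs:InvokeCommand",
     "Resource": ["acs:ecs:*:*:command/*"]}
  ]
}""")

# Constructed sample policy: same action, scoped to one region via the region field of the ARN.
REGION_SCOPED_INVOKE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["ecs:InvokeCommand"],
     "Resource": ["acs:ecs:cn-hangzhou:*:instance/*", "acs:ecs:cn-hangzhou:*:command/*"]}
  ]
}""")

def _as_list(value):
    """Action, Resource and condition values may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    """Wildcard match for action names and resource ARNs ('*' matches any run of characters)."""
    return fnmatch.fnmatchcase(value, pattern)

def statement_allows(stmt, action, resource, resource_tags):
    """True if this single statement grants `action` on `resource`, given the resource's tags."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    # Only the acs:ResourceTag/<key> StringEquals condition is modelled; any other
    # condition key is treated as not satisfied, so the evaluator fails closed.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith("acs:ResourceTag/"):
            return False
        tag_key = key[len("acs:ResourceTag/"):]
        if resource_tags.get(tag_key) not in _as_list(expected):
            return False
    return True

def request_allowed(policy, action, resources, tags_by_resource):
    """Simplified allow-only evaluation: every resource the request touches must be covered
    by at least one Allow statement, each evaluated against that resource's own tags."""
    for resource in resources:
        tags = tags_by_resource.get(resource, {})
        if not any(statement_allows(s, action, resource, tags) for s in policy["Statement"]):
            return False
    return True

def demo():
    # Constructed ARNs; the account ID and resource IDs are placeholders.
    tagged = "acs:ecs:cn-hangzhou:123456789012:instance/i-tagged000a"
    untagged = "acs:ecs:cn-hangzhou:123456789012:instance/i-untagged00b"
    beijing = "acs:ecs:cn-beijing:123456789012:instance/i-beijing000c"
    cmd = "acs:ecs:cn-hangzhou:123456789012:command/c-demo0000000a"
    tags = {tagged: {"test": "tony"}, untagged: {"test": "other"}, beijing: {"test": "tony"}}
    return {
        # Tag policy: the instance must carry test=tony; the command is covered by statement 2.
        "tag_ok": request_allowed(TAG_SCOPED_INVOKE_POLICY, "ecs:InvokeCommand", [cmd, tagged], tags),
        "tag_wrong_value": request_allowed(TAG_SCOPED_INVOKE_POLICY, "ecs:InvokeCommand", [cmd, untagged], tags),
        # Without the second statement the command ARN never matches (commands have no tags).
        "cmd_only_tag_stmt": statement_allows(TAG_SCOPED_INVOKE_POLICY["Statement"][0], "ecs:InvokeCommand", cmd, {}),
        # Region policy: a correctly tagged instance in cn-beijing is still outside the granted ARNs.
        "region_ok": request_allowed(REGION_SCOPED_INVOKE_POLICY, "ecs:InvokeCommand", [cmd, tagged], tags),
        "region_denied": request_allowed(REGION_SCOPED_INVOKE_POLICY, "ecs:InvokeCommand", [cmd, beijing], tags),
        # The policy grants InvokeCommand only; any other action is denied.
        "other_action": request_allowed(TAG_SCOPED_INVOKE_POLICY, "ecs:DescribeCommands", [cmd], tags),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'allow' if allowed else 'deny'}")
```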
Run commands immediately
Related API: RunCommand
If you set the KeepCommand parameter when calling RunCommand, you also need to add the line acs:ecs:*:*:command/* to the Resource list, because the retained command is a separate resource.
-
After you attach the following permissions, RAM users can run commands immediately on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can only run Cloud Assistant commands immediately on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
-
By adding tag conditions in the Condition element, you can control the range of ECS instances on which commands can be run immediately. For example, commands can only be run immediately on ECS instances that have the tag test:tony.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": "acs:ecs:*:*:instance/*", "Condition": { "StringEquals": { "acs:ResourceTag/test": "tony" } } } ] }
Query command execution results
Related API: DescribeInvocations
-
After you attach the following permissions, RAM users can query command execution results on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can only query command execution results on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/*" ] } ] }
-
By specifying command IDs in the Resource list, RAM users can only query the execution results of specified commands on ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
-
By specifying both command IDs and instance IDs in the Resource list, RAM users can only query the execution results of specified commands on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
Modify scheduled task execution information
Related API: ModifyInvocationAttribute
-
After attaching the following permissions, RAM users can modify the execution information for any scheduled task and add any instance to the task.
When you modify CommandContent and set KeepCommand to true while calling InvokeCommand or RunCommand, a new command is created and retained indefinitely. Therefore, you also need to include the line acs:ecs:*:*:command/* in the Resource list before calling ModifyInvocationAttribute.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }
-
By specifying task IDs in the Resource list, RAM users can only modify the execution information for specific tasks and add any instance to those tasks.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
-
By specifying instance IDs in the Resource list, RAM users can modify the execution information for any scheduled task and add only specific instances to the task.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }
-
By specifying both instance IDs and task IDs in the Resource list, RAM users can only modify the execution information for specific tasks and add only specific instances to those tasks.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
Stop task execution
Related API: StopInvocation
-
After attaching the following permissions, RAM users can stop Cloud Assistant command processes on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users are able to stop Cloud Assistant command processes only on the specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Use OOS common parameters in commands
After attaching the following permissions, RAM users can use Cloud Assistant to run commands that reference OOS common parameters (the oos:GetParameter and oos:GetParameters actions are what allow the parameter values to be resolved).
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:CreateCommand",
"ecs:DescribeCommands",
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeCloudAssistantStatus",
"oos:GetParameters",
"oos:GetParameter"
],
"Resource": "*"
}
],
"Version": "1"
}
Use OOS encrypted parameters in commands
After attaching the following permissions, RAM users can use Cloud Assistant to run commands that reference OOS encrypted parameters; resolving an encrypted parameter additionally requires the oos:GetSecretParameter(s) and kms:GetSecretValue actions.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:CreateCommand",
"ecs:DescribeCommands",
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeCloudAssistantStatus",
"oos:GetParameters",
"oos:GetSecretParameters",
"oos:GetParameter",
"oos:GetSecretParameter",
"kms:GetSecretValue"
],
"Resource": "*"
}
],
"Version": "1"
}
Sending files custom policy examples
Upload local files
Related API: SendFile
-
After attaching the following permissions, RAM users can upload local files to any ECS instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users are limited to uploading local files to specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
-
By adding tag conditions in the Condition element, you can restrict file uploads to ECS instances with specific tags, such as instances tagged with test:tony.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": "acs:ecs:*:*:instance/*", "Condition": { "StringEquals": { "acs:ResourceTag/test": "tony" } } } ] }
Query file upload results
Related API: DescribeSendFileResults
-
After attaching the following permissions, RAM users can query the results of file uploads to any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users are limited to querying the results of file uploads to specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Operation content and result delivery custom policy examples
Query and modify operation content and result delivery settings
By attaching the following permissions, RAM users are enabled to query and modify the Operation Content and Result Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
Query operation content and result delivery settings
By attaching the following permissions, RAM users are enabled to query the Operation Content and Result Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
Set region restrictions for operation content and result delivery
You can limit the regions in which RAM users may act by specifying a region ID in the region field of the Resource ARN.
-
By attaching the following permissions, RAM users are authorized to query and modify the Operation Content and Result Delivery settings exclusively in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
-
By attaching the following permissions, RAM users are authorized to query the Operation Content and Result Delivery settings exclusively in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
Query and modify session record delivery settings
By attaching the following permissions, RAM users are enabled to query and modify the Session Record Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Query session record delivery settings
By attaching the following permissions, RAM users are enabled to query the Session Record Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Set region restrictions for session record delivery
You can limit the regions in which RAM users may act by specifying a region ID in the region field of the Resource ARN.
-
By attaching the following permissions, RAM users are authorized to query and modify the Session Record Delivery settings exclusively in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
-
By attaching the following permissions, RAM users are authorized to query the Session Record Delivery settings exclusively in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
Query OSS Buckets
To deliver to OSS using the Operation Content and Result Delivery or Session Record Delivery feature, attach the following permissions to enable RAM users to query OSS buckets.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": "*"
}
]
}
After delivering O&M task execution records or session records to OSS, it is important to understand RAM policies on OSS for query and analysis. For more information, see Overview of OSS RAM Policy and Common Examples of OSS RAM Policy.
Query SLS projects and logstores
To deliver to SLS using the Operation Content and Result Delivery or Session Record Delivery feature, attach the following permissions to enable RAM users to query SLS projects and corresponding logstores.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"log:ListProject",
"log:ListLogStores"
],
"Resource": "*"
}
]
}
After delivering O&M task execution records or session records to SLS, it is important to understand RAM policies on SLS for query and analysis. For more information, see Overview of SLS Authentication Rules.
Managed instances custom policy examples
Deregister managed instances
Related API: DeregisterManagedInstance
-
After attaching the following permissions, RAM users can deregister any managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can deregister only the specified managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Query managed instances
Related API: DescribeManagedInstances
-
After attaching the following permissions, RAM users can query information about any managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users can query information only about the specified managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Create Activation Codes for Managed Instances
Related API: CreateActivation
RAM users require at least the following permissions to create activation codes for Alibaba Cloud managed instances, which are used to register non-Alibaba Cloud servers as Alibaba Cloud managed instances.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateActivation"
],
"Resource": [
"acs:ecs:*:*:activation/*"
]
}
]
}
Disable activation codes for managed instances
Related API: DisableActivation
-
After attaching the following permissions, RAM users can disable any activation code for Alibaba Cloud managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
-
By specifying activation code IDs in the Resource list, RAM users can disable only the specified activation codes for Alibaba Cloud managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Query activation codes for managed instances
Related API: DescribeActivations
-
After attaching the following permissions, RAM users can query the created activation codes and their usage for managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
-
By specifying activation code IDs in the Resource list, RAM users can query only the specified activation codes and their usage for managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Delete activation codes for managed instances
Related API: DeleteActivation
-
After attaching the following permissions, RAM users can delete any unused activation codes for managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
-
By specifying activation code IDs in the Resource list, RAM users can delete only the specified unused activation codes for managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Cloud Assistant Agent upgrade configuration custom policy examples
Related API: ModifyCloudAssistantSettings - Modify Cloud Assistant Service Configuration, DescribeCloudAssistantSettings - Query Cloud Assistant Service Configuration.
Query and modify Cloud Assistant Agent upgrade configuration
By attaching the following permissions, RAM users are able to query and modify the Cloud Assistant Agent upgrade configuration.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}
Query Cloud Assistant Agent upgrade configuration
By attaching the following permissions, RAM users are able to query the Cloud Assistant Agent upgrade configuration.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}
Session Manager Custom Policy Examples
Related API: StartTerminalSession - Start Terminal Session, DescribeTerminalSessions - View Session Manager Session History.
Create and Query Session Management (Session Manager)
-
After attaching the following permissions, RAM users can create Session Manager sessions and query session records on any ECS instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
-
By specifying instance IDs in the Resource list, RAM users are limited to creating Session Manager sessions and querying Session Manager records for those specified instances only.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }