All Products
Search
Document Center

Elastic GPU Service:Use RAM to implement access control for Elastic GPU Service

Last Updated:Sep 29, 2024

To ensure the security of your accounts and cloud resources in Alibaba Cloud, we recommend that you do not use your Alibaba Cloud account to access Elastic GPU Service unless necessary. You can use Resource Access Management (RAM) identities, including RAM users and RAM roles, and attach policies to manage the permissions of the identities. This way, you can effectively control the access security of resources.

When you use RAM to implement access control, Elastic GPU Service supports the same identities, policies, and service-linked roles as Elastic Compute Service (ECS). This topic describes the identities, policies, and service-linked roles.

  • Identities

    You can grant RAM users and RAM roles the permissions to access and manage the resources within your Alibaba Cloud account. For more information, see Identities.

  • Policies

    The following types of identity-based policies are supported: system policy and custom policy. You can attach a policy to a RAM identity to grant the access permissions specified in the policy.

    • System policy: System policies are created, updated, and managed by Alibaba Cloud. You can use system policies but cannot modify them. For more information, see System policies for ECS.

    • Custom policy: You can create, update, and delete custom policies based on your business requirements. For more information, see Custom policies for ECS.

  • Service-linked roles

    A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service. Elastic GPU Service uses service-linked roles to access other cloud services or resources. For more information, see Service-linked roles.

  • RAM role-based authorization of access to KMS keys

    If you want to use Key Management Service (KMS) keys to encrypt ECS resources, such as disks, snapshots, or images, you need to use a RAM role to authorize ECS to access KMS keys. If you want to share encrypted snapshots or images with other Alibaba Cloud accounts, you need to first grant the shared accounts the permissions to access KMS keys. For more information, see Grant access to KMS keys through RAM roles.