Grant permissions to RAM users - Image Search - Alibaba Cloud Documentation Center

Before you access Image Search as a RAM user, you must grant permissions to the RAM user. This topic describes how to grant a RAM user the permission to access Image Search.

Background information

Resource Access Management (RAM) is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users, such as individuals, systems, and applications. You can manage permissions of RAM users to control access to Alibaba Cloud resources. If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks.

Overview

Before you access Image Search as a RAM user, you must grant permissions to the RAM user. You can grant permissions by using the following policies:

General policies
Custom policies

We recommend that you attach general policies to RAM users. This avoids complex configuration. If general policies cannot meet your business needs, you can create custom policies.

Regions that support RAM user authorization

The following table lists the regions in which you can grant permissions to RAM users of Image Search.

Region	RegionId
China (Shanghai)	cn-shanghai
Singapore (Singapore)	ap-southeast-1
China (Hong Kong)	cn-hongkong
Japan (Tokyo)	ap-northeast-1
Germany (Frankfurt)	eu-central-1

General policies

Image Search provides the following two types of general policies. You can select the general policies based on your business needs.

AliyunImagesearchReadOnlyAccess: the read-only permission to access Image Search. This permission can be granted to read-only users.
AliyunImagesearchFullAccess: the permission to manage Image Search. This permission can be granted to administrators.

The procedure is as follows:

Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Grants.
On the Grants page, click Grant Permission.
On the Grant Permission page, grant permissions to a RAM user.
1. Select the authorization scope.
  - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
  - Specific Resource Group: The authorization takes effect in a specific resource group.
    Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
2. Specify the principal.
  The principal is the RAM user to which permissions are to be granted.
3. Select policies.
  Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
Click OK.
Click Complete.

Custom policies

Image Search supports only instances as the resource type. You must specify resources in policies in the following ways:

Resource type: instance
Format in which resources are specified in authorization policies: acs:imagesearch:$regionid:$accountid:instance/$instance
- $regionid: the ID of the region where Image Search resides. If this option is not required, you can use an asterisk (*) as a wildcard character.
- $accountid: the ID of the Alibaba Cloud account, such as 123456789012****. If no ID is required or available, you can use an asterisk (*) instead.
- $instance: the name of the instance, such as demo123. If no instance name is required or available, you can use an asterisk (*) instead.

Table 1. Action permissions on different resources
Resource	Actions
instance/*	The following action permissions are described: ClearInstance: clears all the instances. DescribeInstance: views the details of an instance. IncreaseInstance: increases one instance. InitInstance: initializes an instance. RemoveInstance: deletes an instance. ListInstance: views the instance list. SearchItem: searches for products or images. DeleteItem: deletes products or images. AddItem: adds products or images. ListIncrement: views the increased instance. TagResources: attaches a tag to a specific resource. UntagResources: detaches a tag from a specific resource.
instance/$instance	The following action permissions are described: ClearInstance: clears all the instances. DescribeInstance: views the details of an instance. IncreaseInstance: increases one instance. InitInstance: initializes an instance. RemoveInstance: deletes an instance. SearchItem: searches for products or images. DeleteItem: deletes products or images. AddItem: adds products or images. ListIncrement: views the increased instance. TagResources: attaches a tag to a specific resource. UntagResources: detaches a tag from a specific resource.

The procedure is as follows:

Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the policy document and click Next to edit policy information.
For more information about the syntax and structure of policies, see Policy structure and syntax.
Specify the Name and Description fields.
Check and optimize the document of the custom policy.
- Basic optimization
  The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
  - Deletes unnecessary conditions.
  - Deletes unnecessary arrays.
- Optional:Advanced optimization
  You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
  - Splits resources or conditions that are incompatible with actions.
  - Narrows down resources.
  - Deduplicates or merges policy statements.
Click OK.

Examples of custom policies

Example 1

In this example, the policy must meet the following requirements:

The ID of the Alibaba Cloud account is 1234.
The region is China (Shanghai).
All the instances can be accessed.
All the permissions except the permissions to clear and delete instances are to be granted in the Image Search console.
The specified IP address can connect to the RAM user.

The following policy content is provided:

{
  "Statement": [
   {
     "Action": [
       "imagesearch:ListInstance",
       "imagesearch:DescribeInstance",
       "imagesearch:IncreaseInstance",
       "imagesearch:InitInstance",
       "imagesearch:ListIncrement"
     ],
     "Condition": {
       "IpAddress": {
         "acs:SourceIp": "xxx.xx.xxx.x/xx"
       }
     },
     "Effect": "Allow",
     "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*"
   }
  ],
  "Version": "1"
}

Example 2
In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- All the regions are supported.
- All the instances can be accessed.
- All the permissions to perform operations in the console or call all the API operations are to be granted.
The following policy content is provided:
```
{
  "Statement": [
   {
     "Action": [
         "imagesearch:*"
           ],
     "Effect": "Allow",
     "Resource": "acs:imagesearch:*:1234:instance/*"
   }
  ],
  "Version": "1"
}
```
Example 3
In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- All the regions are supported.
- The instance name is instance12138.
- All the permissions to perform operations are to be granted.
The following policy content is provided:
```
{
  "Statement": [
   {
     "Action": [
         "imagesearch:*",
           ],
     "Effect": "Allow",
     "Resource": "acs:imagesearch:*:1234:instance/instance12138"
   }
  ],
  "Version": "1"
}
```