Before you access Image Search as a RAM user, you must grant permissions to the RAM user. This topic describes how to grant a RAM user the permission to access Image Search.
Background information
Resource Access Management (RAM) is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users, such as individuals, systems, and applications. You can manage permissions of RAM users to control access to Alibaba Cloud resources. If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks.
Overview
- General policies
- Custom policies
Regions that support RAM user authorization
Region | RegionId |
China (Shanghai) | cn-shanghai |
Singapore (Singapore) | ap-southeast-1 |
China (Hong Kong) | cn-hongkong |
Japan (Tokyo) | ap-northeast-1 |
Germany (Frankfurt) | eu-central-1 |
General policies
- AliyunImagesearchReadOnlyAccess: the read-only permission to access Image Search. This permission can be granted to read-only users.
- AliyunImagesearchFullAccess: the permission to manage Image Search. This permission can be granted to administrators.
The procedure is as follows:
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Grants page, click Grant Permission.
- On the Grant Permission page, grant permissions to a RAM user.
- Select the authorization scope.
- Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
- Specific Resource Group: The authorization takes effect in a specific resource group. Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
- Specify the principal. The principal is the RAM user to which permissions are to be granted.
- Select policies. Note: You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK.
- Click Complete.
Custom policies
- Resource type: instance
- Format in which resources are specified in authorization policies:
acs:imagesearch:$regionid:$accountid:instance/$instance
- $regionid: the ID of the region where Image Search resides. If this option is not required, you can use an asterisk (*) as a wildcard character.
- $accountid: the ID of the Alibaba Cloud account, such as 123456789012****. If no ID is required or available, you can use an asterisk (*) instead.
- $instance: the name of the instance, such as demo123. If no instance name is required or available, you can use an asterisk (*) instead.
Resource | Actions |
instance/* | The following action permissions are described: |
instance/$instance | The following action permissions are described: |
The procedure is as follows:
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
- Enter the policy document and click Next to edit policy information. For more information about the syntax and structure of policies, see Policy structure and syntax.
- Specify the Name and Description fields.
- Check and optimize the document of the custom policy.
- Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
- Deletes unnecessary conditions.
- Deletes unnecessary arrays.
- Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
- Splits resources or conditions that are incompatible with actions.
- Narrows down resources.
- Deduplicates or merges policy statements.
- Click OK.
Examples of custom policies
- Example 1: In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- The region is China (Shanghai).
- All the instances can be accessed.
- All the permissions except the permissions to clear and delete instances are to be granted in the Image Search console.
- Access is allowed only from the specified IP address or CIDR block (the acs:SourceIp condition).
The following policy content is provided:
    {
      "Statement": [
        {
          "Action": [
            "imagesearch:ListInstance",
            "imagesearch:DescribeInstance",
            "imagesearch:IncreaseInstance",
            "imagesearch:InitInstance",
            "imagesearch:ListIncrement"
          ],
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "xxx.xx.xxx.x/xx"
            }
          },
          "Effect": "Allow",
          "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*"
        }
      ],
      "Version": "1"
    }
- Example 2: In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- All the regions are supported.
- All the instances can be accessed.
- All the permissions to perform operations in the console or call all the API operations are to be granted.
The following policy content is provided:
    {
      "Statement": [
        {
          "Action": [
            "imagesearch:*"
          ],
          "Effect": "Allow",
          "Resource": "acs:imagesearch:*:1234:instance/*"
        }
      ],
      "Version": "1"
    }
- Example 3: In this example, the policy must meet the following requirements:
- The ID of the Alibaba Cloud account is 1234.
- All the regions are supported.
- The instance name is instance12138.
- All the permissions to perform operations are to be granted.
The following policy content is provided (the trailing comma after "imagesearch:*" in the Action array, which would make the JSON invalid, has been removed):
    {
      "Statement": [
        {
          "Action": [
            "imagesearch:*"
          ],
          "Effect": "Allow",
          "Resource": "acs:imagesearch:*:1234:instance/instance12138"
        }
      ],
      "Version": "1"
    }
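The following Python script is an added example and is not Alibaba Cloud's code or part of the Image Search service. It builds resource strings in the acs:imagesearch:$regionid:$accountid:instance/$instance format described under "Custom policies", then runs a simplified model of RAM policy evaluation (Allow/Deny statements, "*" wildcards, and the IpAddress/acs:SourceIp condition) over Example 1 and Example 3 above, so you can check before attaching a policy which action, region, instance and source address combinations it actually permits. It also lints a policy for the broad grants the examples illustrate (wildcard actions, an unpinned account ID, no source-IP condition). The CIDR 203.0.113.0/24 stands in for the page's "xxx.xx.xxx.x/xx" placeholder and is a constructed documentation address range; the evaluator is a teaching model, not the real RAM engine.

```python
import fnmatch
import ipaddress
import json

# Added example, not Alibaba Cloud's code. Models RAM policy evaluation in a
# simplified way for the Image Search policies shown on the page.


def image_search_resource(region="*", account="*", instance="*"):
    """Resource string in the documented format
    acs:imagesearch:$regionid:$accountid:instance/$instance ("*" = wildcard)."""
    return f"acs:imagesearch:{region}:{account}:instance/{instance}"


def _as_list(value):
    """RAM accepts a single string or a list for Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _source_ip_ok(condition, source_ip):
    """Evaluate the IpAddress/acs:SourceIp condition; an absent condition passes."""
    cidrs = condition.get("IpAddress", {}).get("acs:SourceIp")
    if cidrs is None:
        return True
    if source_ip is None:
        return False  # condition present but caller address unknown: not satisfied
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def is_allowed(policy, action, resource, source_ip=None):
    """True if an Allow statement matches action, resource and condition,
    and no matching Deny statement overrides it (simplified RAM semantics)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _source_ip_ok(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """Flag Allow statements that are broader than least privilege suggests."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.endswith("*") for a in _as_list(stmt["Action"])):
            findings.append(f"statement {i}: wildcard action grants every Image Search operation")
        for r in _as_list(stmt["Resource"]):
            parts = r.split(":")  # acs:imagesearch:$regionid:$accountid:instance/$instance
            if len(parts) >= 4 and parts[3] == "*":
                findings.append(f"statement {i}: resource is not pinned to an account ID")
        if "Condition" not in stmt:
            findings.append(f"statement {i}: no condition (such as acs:SourceIp) limits where calls may originate")
    return findings


# Example 1 from the page; the "xxx.xx.xxx.x/xx" placeholder is replaced by a
# constructed documentation CIDR (203.0.113.0/24).
EXAMPLE_1 = json.loads("""
{
  "Statement": [
    {
      "Action": ["imagesearch:ListInstance", "imagesearch:DescribeInstance",
                 "imagesearch:IncreaseInstance", "imagesearch:InitInstance",
                 "imagesearch:ListIncrement"],
      "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}},
      "Effect": "Allow",
      "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*"
    }
  ],
  "Version": "1"
}
""")

# Example 3 from the page: every action, any region, only instance12138.
EXAMPLE_3 = {
    "Statement": [{"Action": ["imagesearch:*"], "Effect": "Allow",
                   "Resource": image_search_resource("*", "1234", "instance12138")}],
    "Version": "1",
}

if __name__ == "__main__":
    demo = image_search_resource("cn-shanghai", "1234", "demo123")
    print("Example 1, ListInstance from 203.0.113.10:", is_allowed(EXAMPLE_1, "imagesearch:ListInstance", demo, "203.0.113.10"))
    print("Example 1, ListInstance from 198.51.100.7:", is_allowed(EXAMPLE_1, "imagesearch:ListInstance", demo, "198.51.100.7"))
    print("Example 3 findings:", lint_policy(EXAMPLE_3))
```

The evaluator treats the condition as unsatisfied when the caller's source address is unknown, which mirrors the intent of Example 1: the allow only applies to calls from the listed CIDR. Running the lint over Example 1 yields no findings, while Examples 2 and 3 are flagged for their wildcard action, which is the trade-off the page's "All the permissions" requirements imply.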