If the system policies of Microservices Engine (MSE) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to implement fine-grained control over permissions and improve resource access security. This topic describes how to use custom policies for MSE and provides examples of custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy only if it is not attached to a principal. If the policy is attached to a principal, detach it from the principal before you delete it.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
Create a custom policy on the Visual editor tab
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Visual editor tab.
Configure the policy.
In the Effect section, select Allow or Deny.
In the Service section, select an Alibaba Cloud service.
Note: The Service section lists the Alibaba Cloud services that you can select.
In the Action section, select All action(s) or Select action(s).
The system displays the actions that can be configured based on the Alibaba Cloud service you select in the Service section. If you select Select action(s), you must select actions.
In the Resource section, select All resource(s) or Specified resource(s).
The system displays the resources that can be configured based on the actions you select in the Action section. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs). You can also click Match all to select all resources for each action that you select.
Note: The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.
In the Condition section, click Add condition to configure a condition.
Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You need to only select a condition key and set the Operator and Value parameters.
Click Add statement and repeat the preceding steps to configure multiple custom policy statements.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statements. During basic optimization, the system performs the following operations:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. During advanced optimization, the system performs the following operations:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Configure the Name and Description parameters.
Click OK.
Examples of common custom policies for Microservices Registry
Grant a user the read-only permissions on services of specific instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:QueryNacosNaming"
      ],
      "Resource": [
        "acs:mse:*:*:instance/${instanceId1}",
        "acs:mse:*:*:instance/${instanceId2}"
      ],
      "Effect": "Allow"
    }
  ]
}
Grant a user the permissions to read and modify services of specific instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": [
        "acs:mse:*:*:instance/${instanceId1}",
        "acs:mse:*:*:instance/${instanceId2}"
      ],
      "Effect": "Allow"
    }
  ]
}
Note: ${instanceId1} and ${instanceId2} indicate the instance IDs.
Grant a user the read-only permissions on services in a specific namespace of an instance.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:QueryNacosNaming",
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}"
    }
  ],
  "Version": "1"
}
Grant a user the permissions to read and modify services of the ${group} group in a specific namespace of an instance.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}"
    }
  ],
  "Version": "1"
}
Grant a user the read-only permissions on the ${serviceName} service of the ${group} group.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:QueryNacosNaming",
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
    }
  ],
  "Version": "1"
}
Grant a user the permissions to read and modify the ${serviceName} service of the ${group} group.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
    }
  ],
  "Version": "1"
}
Examples of common custom policies for Microservices Governance
Grant read-only permissions on all applications
To allow enterprise employees to view key information of applications, the enterprise can grant read-only permissions on all applications to the employees.
For example, the enterprise uses an Alibaba Cloud account to grant a RAM user read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.
The following code shows a sample policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Grant all operation permissions on an application to a RAM user
As the owner of an application of the enterprise, you need to be granted all operation permissions on the application. Your permissions are strictly limited to the scope of the application that you manage.
For example, the enterprise uses an Alibaba Cloud account to grant the following permissions to a RAM user:
Read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.
All operation permissions on a specific Microservices Governance-enabled application.
The following code shows a sample policy. The first statement grants all permissions on the specific application, and the remaining statements grant read-only permissions on all Microservices Governance-enabled applications.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Grant operation permissions on all applications in a namespace
As a test engineer of an enterprise, you need to be granted operation permissions on all applications in a test environment (test namespace). Your permissions are strictly limited to the scope of the test environment (test namespace).
For example, the enterprise uses an Alibaba Cloud account to grant the following permissions to a RAM user:
Read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.
Read and write permissions on applications in a specific Microservices Governance namespace.
The following code shows a sample policy. The first statement grants all permissions on the applications in the specific namespace, the second grants read-only permissions on all Microservices Governance-enabled applications, and the third grants the namespace-level permissions to list applications and to manage swimming lanes and swimming lane groups.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAllSwimmingLane",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:QuerySwimmingLaneById",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:ListSwimmingLaneGateway",
        "mse:ListSwimmingLaneGatewayRoute",
        "mse:ListAuthPolicy",
        "mse:GetServiceList",
        "mse:GetServiceListPage"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:GetApplicationList",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteSwimmingLane"
      ],
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Examples of common custom policies for Cloud-native Gateway
Grant a user or role the permissions on all resources
If you want to grant a RAM user or role the operation permissions on all cloud-native gateways, you can attach the following system policies to the RAM user or role:
Read-only permission: AliyunMSEReadOnlyAccess
Read and write permissions: AliyunMSEFullAccess
Grant a user or role the permissions on specific gateway resources
If you want to grant a RAM user or role the operation permissions on a specific gateway, you can grant resource-level permissions to the RAM user or role.
Example 1: Grant a RAM user the read-only permission on the cloud-native gateway named gw-8090caa2a3ab447a8bc5fdf3********.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:Query*",
        "mse:List*",
        "mse:Get*",
        "mse:Select*",
        "mse:Pull*",
        "mse:GatewayBlackWhite*",
        "mse:GatewayHealthCheckList",
        "mse:GatewayQueryMonitor",
        "mse:UploadWasmFile"
      ],
      "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mse:QueryDefaultAlertStatus",
        "mse:ListGatewayZone",
        "mse:ListUpgradableGatewayVersions",
        "mse:ListTagResources",
        "mse:ListGatewayIngressMigrateTask",
        "mse:ListEventRecords",
        "mse:GetEventFilterOptions",
        "mse:GetEventDetail",
        "mse:GetGatewaySelection",
        "mse:GetGatewayAlarms",
        "mse:GetGatewayMigrateNamespacedServices",
        "mse:GetGatewayIngressMigrateTaskDetail",
        "mse:GetPluginGuide",
        "mse:GetRegExpCheck",
        "mse:GetRegExpTest",
        "mse:CheckPluginLua"
      ],
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:DescribeService",
        "log:ListProject",
        "log:GetProductDataCollection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:SearchContactGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Example 2: Grant a RAM user the read and write permissions on a cloud-native gateway named gw-8090caa2a3ab447a8bc5fdf3********.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:*"
      ],
      "Resource": "acs:mse:*:*:instance/gw-8090caa2a3ab447a8bc5fdf3********",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mse:QueryDefaultAlertStatus",
        "mse:CreateDefaultAlert",
        "mse:ListGatewayZone",
        "mse:ListUpgradableGatewayVersions",
        "mse:ListEventRecords",
        "mse:GetEventFilterOptions",
        "mse:GetEventDetail",
        "mse:GetGatewaySelection",
        "mse:GetGatewayAlarms",
        "mse:GetGatewayMigrateNamespacedServices",
        "mse:GetPluginGuide",
        "mse:GetRegExpCheck",
        "mse:GetRegExpTest",
        "mse:CheckPluginLua",
        "mse:*TagResources",
        "mse:*CustomPlugin",
        "mse:*GatewayIngressMigrateTask*"
      ],
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:DescribeService",
        "log:ListProject",
        "log:GetProductDataCollection",
        "log:OpenProductDataCollection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:SearchContactGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
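As an added example that is not part of the original page, the following Python script shows how the hierarchical MSE ARNs from the Microservices Registry examples and the action wildcards from the gateway examples resolve when a request is evaluated: it applies RAM's rule that an explicit Deny overrides any Allow and that a request matched by no statement is implicitly denied, and it flags actions that appear twice in one hand-built list. The instance ID mse-demo-0001, the namespace ns-prod, and the policy itself are constructed for this example.

```python
import fnmatch
import json

# Constructed sample policy (not from the page): read-only on one Nacos
# namespace of an instance, plus an explicit Deny on every Update action.
SAMPLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["mse:Query*", "mse:List*", "mse:Get*"],
     "Resource": "acs:mse:*:*:instance/mse-demo-0001/ns-prod*"},
    {"Effect": "Deny",
     "Action": "mse:Update*",
     "Resource": "acs:mse:*:*:*"}
  ]
}""")

def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # RAM uses '*' as its only wildcard; escape fnmatch's '[' and '?' so they
    # are matched literally. Comparison is case-sensitive in this example.
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one ARN."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny wins over any Allow
            decision = "Allow"         # keep scanning in case a Deny follows
    return decision

def duplicate_actions(policy):
    """Actions listed twice in one statement: harmless to RAM, but a sign the
    list was assembled by hand and should be reviewed for omissions."""
    dups = []
    for stmt in policy["Statement"]:
        seen = set()
        for action in _as_list(stmt["Action"]):
            if action in seen and action not in dups:
                dups.append(action)
            seen.add(action)
    return dups
```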
Usage notes
The preceding policies only allow the operations that the MSE console requires. Specific capabilities of cloud-native gateways depend on other cloud services. To let your RAM user or role use all the features of cloud-native gateways, configure the additional permissions based on the permission documentation of those cloud services. The following table describes the mappings between the cloud services on which cloud-native gateways depend and the related cloud-native gateway modules.
Alibaba Cloud service | Cloud-native gateway module | References
Simple Log Service | |
ARMS | |