If the system policies of Microservices Engine (MSE) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to implement fine-grained control over permissions and improve resource access security. This topic describes how to use custom policies for MSE and provides examples of custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
Create a custom policy on the Visual editor tab
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, go to the Policies page.
On the Policies page, click Create Policy.
On the Create Policy page, click the Visual editor tab.
Configure the policy and click Next to edit policy information.
In the Effect section, select Allow or Deny.
In the Service section, select an Alibaba Cloud service.
Note: Only the Alibaba Cloud services listed in the Service section can be selected.
In the Action section, select All action(s) or Select action(s).
The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select actions.
In the Resource section, select All resource(s) or Specified resource(s).
The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.
Note: The resource ARNs that an action requires are tagged with Required. We strongly recommend that you configure every ARN tagged with Required; if one is omitted, the statement may not authorize the action as expected.
In the Condition section, click Add condition to configure a condition.
Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You only need to select a condition key and set the Operator and Value parameters.
Click Add statement and repeat the preceding steps to configure multiple custom policy statements.
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Examples of common custom policies for Microservices Registry
Grant a user the read-only permissions on services of specific instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:QueryNacosNaming"
      ],
      "Resource": [
        "acs:mse:*:*:instance/${instanceId1}",
        "acs:mse:*:*:instance/${instanceId2}"
      ],
      "Effect": "Allow"
    }
  ]
}
Grant a user the permissions to read and modify services of specific instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": [
        "acs:mse:*:*:instance/${instanceId1}",
        "acs:mse:*:*:instance/${instanceId2}"
      ],
      "Effect": "Allow"
    }
  ]
}
Grant a user the read-only permissions on services in a specific namespace of an instance.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:QueryNacosNaming",
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}"
    }
  ],
  "Version": "1"
}
Grant a user the permissions to read and modify services of the ${group} group in a specific namespace of an instance.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}"
    }
  ],
  "Version": "1"
}
Grant a user the read-only permissions on the ${serviceName} service of the ${group} group.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:QueryNacosNaming",
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
    }
  ],
  "Version": "1"
}
Grant a user the permissions to read and modify the ${serviceName} service of the ${group} group.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNacosNaming",
        "mse:UpdateNacosNaming"
      ],
      "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
    }
  ],
  "Version": "1"
}
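Before attaching a policy like the ones above, it is worth checking offline which requests it would actually allow. The following Python script is an added example, not code from the MSE documentation or the RAM service: it is a minimal evaluator that applies the RAM decision order (an explicit Deny wins over any Allow, and a request that no statement matches is implicitly denied) and RAM's "*" wildcard to a list of policy documents. The instance IDs (mse-aaa, mse-bbb, mse-ccc), the account ID and the region are constructed; conditions are ignored (the sample policies carry none); and action names are compared case-insensitively, which is an assumption based on the mixed-case names such as mse:listGrayTag in the page's examples. Besides the instance-scoped read-only policy from above, it includes a prefix-wildcard read-only policy of the kind shown later for cloud-native gateways, to make visible how far such prefixes reach.

```python
"""Offline evaluator for MSE RAM policy documents (added example, not MSE/RAM code)."""
import re

# Constructed sample identifiers; the page's examples use placeholders such as ${instanceId1}.
ACCOUNT = "123456789012"
REGION = "cn-hangzhou"


def arn(resource_path: str) -> str:
    """Build a full MSE ARN for the constructed account and region."""
    return f"acs:mse:{REGION}:{ACCOUNT}:{resource_path}"


# Read-only on the Nacos services of two registry instances (page example, IDs constructed).
READ_ONLY_TWO_INSTANCES = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mse:QueryNacosNaming"],
        "Resource": ["acs:mse:*:*:instance/mse-aaa", "acs:mse:*:*:instance/mse-bbb"],
    }],
}

# Read-only through action-name prefixes on every MSE resource.
PREFIX_READ_ONLY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mse:List*", "mse:Query*", "mse:Get*", "mse:Pull*"],
        "Resource": "acs:mse:*:*:*",
    }],
}

# Full control of one instance plus a guard rail that denies every Update* action on it.
# Constructed to show that an explicit Deny overrides mse:*.
FULL_ON_AAA = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "mse:*", "Resource": "acs:mse:*:*:instance/mse-aaa"}],
}
DENY_UPDATES_ON_AAA = {
    "Version": "1",
    "Statement": [{"Effect": "Deny", "Action": "mse:Update*", "Resource": "acs:mse:*:*:instance/mse-aaa"}],
}


def _as_list(value):
    """Action and Resource may be a single string or an array."""
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match a RAM pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Actions are compared case-insensitively (assumption, see lead-in);
    resource ARNs are compared exactly apart from '*'. Conditions are ignored.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource, False) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins regardless of statement order
            decision = "Allow"
    return decision


def main() -> None:
    checks = [
        ([READ_ONLY_TWO_INSTANCES], "mse:QueryNacosNaming", arn("instance/mse-aaa")),
        ([READ_ONLY_TWO_INSTANCES], "mse:UpdateNacosNaming", arn("instance/mse-aaa")),
        ([READ_ONLY_TWO_INSTANCES], "mse:QueryNacosNaming", arn("instance/mse-ccc")),
        ([PREFIX_READ_ONLY], "mse:GetApplicationList", arn("namespace/test")),
        ([PREFIX_READ_ONLY], "mse:UpdateGatewayName", arn("instance/gw-0001")),
        ([FULL_ON_AAA, DENY_UPDATES_ON_AAA], "mse:UpdateNacosNaming", arn("instance/mse-aaa")),
    ]
    for policies, action, resource in checks:
        print(f"{action:26} {resource:58} -> {evaluate(policies, action, resource)}")


if __name__ == "__main__":
    main()
```

The fourth check is the one to notice: a "read-only" policy built from mse:Get* on acs:mse:*:*:* allows mse:GetApplicationList on a Microservices Governance namespace, not only gateway reads, because the prefixes and the resource wildcard are not limited to one MSE component.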
Examples of common custom policies for Microservices Governance
Grant read-only permissions on all applications
To allow enterprise employees to view key information of applications, the enterprise can grant read-only permissions on all applications to the employees.
For example, the enterprise uses an Alibaba Cloud account to grant a RAM user read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.
The following code shows a sample policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Grant all operation permissions on an application to a RAM user
As the owner of an application of the enterprise, you need to be granted all operation permissions on the application. Your permissions are strictly limited to the scope of the application that you manage.
For example, the enterprise uses an Alibaba Cloud account to grant the following permissions to a RAM user:
Read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.
All operation permissions on a specific Microservices Governance-enabled application.
The following policy contains three statements: the first grants all MSE actions on the application ${appName} in the namespace ${ns}, the second grants read-only actions on all Microservices Governance-enabled applications, and the third grants mse:GetApplicationList on the namespace that contains the application. A policy document must be plain JSON, so the statements are described here rather than annotated inside the document.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Grant operation permissions on all applications in a namespace
As a test engineer of an enterprise, you need to be granted operation permissions on all applications in a test environment (test namespace). Your permissions are strictly limited to the scope of the test environment (test namespace).
For example, the enterprise uses an Alibaba Cloud account to grant the following permissions to a RAM user:
Read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.
Read and write permissions on applications in a specific Microservices Governance namespace.
The following policy contains three statements: the first grants all MSE actions on every application in the namespace ${ns}, the second grants read-only actions (including the lane-related query actions) on all Microservices Governance resources, and the third grants the namespace-level actions needed to list the applications in ${ns} and to create, update and delete lane groups and lanes there. A policy document must be plain JSON, so the statements are described here rather than annotated inside the document.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList",
        "mse:QueryAllSwimmingLaneGroup",
        "mse:QueryAllSwimmingLane",
        "mse:ListAppBySwimmingLaneGroupTags",
        "mse:ListAppBySwimmingLaneGroupTag",
        "mse:QuerySwimmingLaneById",
        "mse:GetTagsBySwimmingLaneGroupId",
        "mse:ListSwimmingLaneGateway",
        "mse:ListSwimmingLaneGatewayRoute",
        "mse:ListAuthPolicy",
        "mse:GetServiceList",
        "mse:GetServiceListPage"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:GetApplicationList",
        "mse:CreateOrUpdateSwimmingLaneGroup",
        "mse:CreateOrUpdateSwimmingLane",
        "mse:DeleteSwimmingLaneGroup",
        "mse:DeleteSwimmingLane"
      ],
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Examples of common custom policies for Cloud-native Gateway
Example 1: Grant a RAM user the read and write permissions on the cloud-native gateway named gw-f23fcdca44c84769a6652245ecc****.
{
  "Statement": [
    {
      "Action": [
        "mse:*"
      ],
      "Resource": "acs:mse:*:*:instance/gw-f23fcdca44c84769a6652245ecc****",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Example 2: Grant a RAM user the read-only permissions on all cloud-native gateways. The action prefixes match every MSE action whose name starts with List, Query, Get or Pull, and the resource acs:mse:*:*:* covers every MSE resource, so this policy also grants read access to registry and governance resources, including any read actions added later.
{
  "Statement": [
    {
      "Action": [
        "mse:List*",
        "mse:Query*",
        "mse:Get*",
        "mse:Pull*"
      ],
      "Resource": "acs:mse:*:*:*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Example 3: Grant a RAM user permission for exactly the action and resource that the MSE console reports as missing. When the console denies an operation, it names the required action and the resource ARN; copy both into a single statement, replacing the placeholders with the account ID and the gateway ID from the message, and make sure no whitespace is left inside the Resource string, because an ARN with a trailing space never matches.
{
  "Statement": [
    {
      "Action": [
        "mse:UpdateGatewayName"
      ],
      "Resource": "acs:mse:cn-hangzhou:{ID of an Alibaba Cloud account}:instance/{ID of a cloud-native gateway}",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
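Several of the mistakes that are easy to make with the policy documents on this page (a space left inside an ARN copied from a console message, "//" annotations pasted along with the governance examples, a placeholder such as ${instanceId1} left unreplaced, a duplicated action, or mse:* combined with acs:mse:*:*:*) are cheap to catch before the "Check and optimize" step in the console. The following Python script is an added example, not part of the MSE documentation or of the RAM console's own validation: a small pre-flight linter for policy JSON. The sample documents are constructed; the gateway ID gw-example0001, the account ID and the application name order-service are made up, and the set of checks is this example's own choice.

```python
"""Pre-flight checks for an MSE custom policy document (added example, not MSE/RAM code)."""
import json
import re

# Shape of the ARNs on this page: acs:mse:<region>:<account>:<resource-path>
ARN_RE = re.compile(r"^acs:mse:[^:\s]*:[^:\s]*:\S+$")

# Constructed samples. TRAILING_SPACE is gateway example 3 with a space left at the
# end of the Resource string, as happens when an ARN is copied from a message.
TRAILING_SPACE = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["mse:UpdateGatewayName"],
    "Resource": "acs:mse:cn-hangzhou:123456789012:instance/gw-example0001 "
  }]
}"""

# A governance-style document pasted with a // annotation left in place.
COMMENTED = """{
  "Version": "1",
  "Statement": [
    // All permissions on one application
    {"Effect": "Allow", "Action": "mse:*",
     "Resource": "acs:mse:*:*:namespace/test/application/order-service"}
  ]
}"""

DUPLICATE = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["mse:GetEventDetail", "mse:ListEventRecords", "mse:GetEventDetail"],
  "Resource": "acs:mse:*:*:*"}]}"""

CLEAN = """{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["mse:*"],
  "Resource": "acs:mse:*:*:instance/gw-example0001"}]}"""


def _as_list(value):
    """Action and Resource may be a single string or an array."""
    return value if isinstance(value, list) else [value]


def lint_policy(text: str) -> list:
    """Return findings for a policy document given as JSON text; [] means clean."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = ""
        if "//" in text:
            hint = " (remove the // annotations; a policy document must be plain JSON)"
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}{hint}"]

    findings = []
    if doc.get("Version") != "1":
        findings.append('Version must be the string "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty array"]

    for index, stmt in enumerate(statements):
        where = f"statement {index}"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not actions:
            findings.append(f"{where}: Action is missing")
        if not resources:
            findings.append(f"{where}: Resource is missing")

        seen = set()  # a repeated action is harmless but usually a copy/paste slip
        for action in actions:
            if action.lower() in seen:
                findings.append(f"{where}: duplicate action {action}")
            seen.add(action.lower())

        for res in resources:
            if res != res.strip():
                findings.append(f"{where}: resource {res!r} has surrounding whitespace and will never match")
            elif "${" in res:
                findings.append(f"{where}: resource {res!r} still contains a placeholder; replace it with the real ID")
            elif not ARN_RE.match(res):
                findings.append(f"{where}: resource {res!r} is not an acs:mse ARN")

        broad_action = any(a.lower() == "mse:*" for a in actions)
        broad_resource = any(r.strip() == "acs:mse:*:*:*" for r in resources)
        if effect == "Allow" and broad_action and broad_resource:
            findings.append(f"{where}: mse:* on acs:mse:*:*:* grants every MSE action on every resource; narrow it")
    return findings


if __name__ == "__main__":
    for name, text in [("CLEAN", CLEAN), ("TRAILING_SPACE", TRAILING_SPACE),
                       ("COMMENTED", COMMENTED), ("DUPLICATE", DUPLICATE)]:
        print(name, lint_policy(text) or "ok")
```

Run it on the document you intend to paste into the JSON tab; an empty result only means the document passed these structural checks, so the console's own validation and the advanced optimization step still apply.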