Microservices Engine:Custom policies for MSE

Last Updated: May 14, 2024

If the system policies of Microservices Engine (MSE) cannot meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to implement fine-grained control over permissions and improve resource access security. This topic describes how to use custom policies for MSE and provides examples of custom policies.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

Examples of common custom policies for Microservices Registry

In the following examples, ${instanceId1}, ${instanceId2}, ${instance_id}, ${namespaceId}, ${group}, and ${serviceName} are placeholders, not RAM policy variables. Replace them with the actual instance ID, namespace ID, group name, and service name before you create the policy; a placeholder left in the Resource string never matches a real resource.

  • Grant a user the read-only permission on services of specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:QueryNacosNaming"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/${instanceId1}",
                    "acs:mse:*:*:instance/${instanceId2}"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Grant a user the permission to read and modify services of specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "mse:QueryNacosNaming",
                    "mse:UpdateNacosNaming"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/${instanceId1}",
                    "acs:mse:*:*:instance/${instanceId2}"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Grant a user the read-only permission on services in a specific namespace of an instance.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:QueryNacosNaming",
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}"
            }
        ],
        "Version": "1"
    }
  • Grant a user the permission to read and modify services of the ${group} group in a specific namespace of an instance.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mse:QueryNacosNaming",
                    "mse:UpdateNacosNaming"
                ],
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}"
            }
        ],
        "Version": "1"
    }
  • Grant a user the read-only permission on the ${serviceName} service of the ${group} group.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "mse:QueryNacosNaming",
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
            }
        ],
        "Version": "1"
    }
  • Grant a user the permission to read and modify the ${serviceName} service of the ${group} group.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mse:QueryNacosNaming",
                    "mse:UpdateNacosNaming"
                ],
                "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}"
            }
        ],
        "Version": "1"
    }

Examples of common custom policies for Microservices Governance

Grant read-only permissions on all applications

In this example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:

  • The read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.

Attach the following policy to the RAM user:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}

Grant all operation permissions on an application to a RAM user

In this example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:

  • All operation permissions on a specific Microservices Governance-enabled application, ${appName} in the ${ns} namespace. Note that mse:* on the application includes destructive operations such as deleting it.

  • The read-only permissions on all Microservices Governance-enabled applications of the current Alibaba Cloud account.

Attach the following policy to the RAM user. The first statement grants all operations on the application; the remaining two statements are the read-only grant from the previous example. RAM policy documents are plain JSON and do not accept comments, so keep such notes out of the policy itself.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mse:*",
      "Resource": "acs:mse:*:*:namespace/${ns}/application/${appName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:QueryNamespace",
        "mse:GetApplicationListWithMetircs",
        "mse:ListNamespaces",
        "mse:GetEventFilterOptions",
        "mse:ListEventRecords",
        "mse:GetEventDetail",
        "mse:FetchLogConfig",
        "mse:QueryBusinessLocations",
        "mse:GetApplicationInstanceList",
        "mse:listGrayTag",
        "mse:QueryServiceDetailWithMetrics",
        "mse:ListEventsPage",
        "mse:ListEventsByType",
        "mse:GetApplicationTagList"
      ],
      "Resource": "acs:mse:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "mse:GetApplicationList",
      "Resource": "acs:mse:*:*:namespace/${ns}"
    }
  ]
}
Examples of common custom policies for Cloud-native Gateway

  • Example 1: Grant a RAM user the read and write permissions on the cloud-native gateway named gw-f23fcdca44c84769a6652245ecc****.

    {
      "Statement": [
        {
          "Action": [
            "mse:*"
          ],
          "Resource": "acs:mse:*:*:instance/gw-f23fcdca44c84769a6652245ecc****",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
  • Example 2: Grant a RAM user the read-only permissions on all cloud-native gateways.

    {
      "Statement": [
        {
          "Action": [
            "mse:List*",
            "mse:Query*",
            "mse:Get*",
            "mse:Pull*"
          ],
          "Resource": "acs:mse:*:*:*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
  • Example 3: Grant a RAM user permission for a single operation on a single resource. When the MSE console denies an action, it reports the action and the resource that the RAM user lacks; put exactly those values in the policy instead of granting mse:*. The following policy allows only mse:UpdateGatewayName on one cloud-native gateway in the cn-hangzhou region. Replace the placeholders in braces with the ID of your Alibaba Cloud account and the ID of the gateway, and make sure no space is left inside the Resource string, because RAM compares the string literally and a stray space makes the statement match nothing.

    {
      "Statement": [
        {
          "Action": [
            "mse:UpdateGatewayName"
          ],
          "Resource": "acs:mse:cn-hangzhou:{ID of an Alibaba Cloud account}:instance/{ID of a cloud-native gateway}",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
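As an added illustration that is not part of the MSE documentation and not the RAM service itself, the following Python models how the Registry, Governance, and Cloud-native Gateway policies on this page are evaluated and lints them for the mistakes a policy author runs into here: a read-only Registry grant that must not permit mse:UpdateNacosNaming or reach an instance it does not name, a Deny statement overriding a broad mse:* Allow, a gateway Resource string with a trailing space, a policy document containing a // comment, and an action listed twice. The matching rules (whole-string match, '*' as the only wildcard, case-insensitive actions, Deny over Allow, default deny) are assumptions chosen for the model, and every instance ID, account ID, and gateway name is made up; consult the RAM policy reference for the exact semantics.

```python
"""Offline model of how RAM evaluates the custom policies on this page, plus a
small linter. Constructed example, not the RAM service. Assumptions:
  * '*' is the only wildcard and matches any run of characters; a pattern must
    match the whole string, so "instance/i-a" does not cover "instance/i-a/ns".
  * Action matching ignores case; Resource matching is case-sensitive.
  * Any matching Deny wins; without a matching Allow the request is denied.
All instance IDs, account IDs and gateway names below are made up.
"""
import json
import re


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _load(policy):
    """Accept a policy as a dict or as its JSON text."""
    return json.loads(policy) if isinstance(policy, str) else policy


def _glob_match(pattern, value, ignore_case=False):
    """Whole-string match in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """True if the policy grants `action` on `resource`; default deny."""
    allowed = False
    for stmt in _load(policy)["Statement"]:
        act_hit = any(_glob_match(a, action, True) for a in _as_list(stmt["Action"]))
        res_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            allowed = True
    return allowed


def lint_policy(policy):
    """Return the problems that would make a policy fail to apply or over-grant."""
    findings = []
    try:
        policy = _load(policy)
    except json.JSONDecodeError as exc:
        # RAM policies are plain JSON: '//' comments and trailing commas are rejected.
        return ["invalid JSON at line %d: %s" % (exc.lineno, exc.msg)]
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append("statement %d: Effect must be Allow or Deny" % i)
        for res in resources:
            if res != res.strip():  # e.g. a trailing space copied from a console prompt
                findings.append("statement %d: resource %r has surrounding whitespace and never matches" % (i, res))
        if stmt.get("Effect") == "Allow" and any(a in ("*", "mse:*") for a in actions) \
                and any(r in ("*", "acs:mse:*:*:*") for r in resources):
            findings.append("statement %d: mse:* on every MSE resource is not least privilege" % i)
        for dup in sorted({a for a in actions if actions.count(a) > 1}):
            findings.append("statement %d: action %s is listed more than once" % (i, dup))
    return findings


# Read-only on the services of two Registry instances (first Registry example above, IDs made up).
READ_ONLY_REGISTRY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mse:QueryNacosNaming"],
        "Resource": ["acs:mse:*:*:instance/mse-inst-a", "acs:mse:*:*:instance/mse-inst-b"],
    }],
}

# Full control of one gateway, narrowed by an explicit Deny on delete actions (constructed).
OPS_NO_DELETE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "mse:*", "Resource": "acs:mse:*:*:instance/gw-demo"},
        {"Effect": "Deny", "Action": "mse:Delete*", "Resource": "acs:mse:*:*:*"},
    ],
}

# Gateway Example 3 as it looks when a trailing space is left inside the Resource string.
GATEWAY_WITH_SPACE = ('{"Version": "1", "Statement": [{"Effect": "Allow", '
                      '"Action": ["mse:UpdateGatewayName"], '
                      '"Resource": "acs:mse:cn-hangzhou:123456789012:instance/gw-demo "}]}')

# A policy document with a '//' comment, which RAM rejects.
COMMENTED = '{"Version": "1", "Statement": [ // all permissions\n {"Effect": "Allow", "Action": "mse:*", "Resource": "*"}]}'

GW_DEMO = "acs:mse:cn-hangzhou:123456789012:instance/gw-demo"
INST_A = "acs:mse:cn-hangzhou:123456789012:instance/mse-inst-a"

if __name__ == "__main__":
    print(is_allowed(READ_ONLY_REGISTRY, "mse:QueryNacosNaming", INST_A))   # True
    print(is_allowed(READ_ONLY_REGISTRY, "mse:UpdateNacosNaming", INST_A))  # False
    print(is_allowed(OPS_NO_DELETE, "mse:DeleteGateway", GW_DEMO))          # False
    print(lint_policy(GATEWAY_WITH_SPACE))
    print(lint_policy(COMMENTED))
```

Run the file directly to see the five results; the useful habit is to run is_allowed with the request a role is supposed to be denied (an update under a read-only policy, a third instance under a two-instance policy) before attaching the policy, rather than only checking that the intended request succeeds.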
