All Products
Search
Document Center

:Use tags to control the running of Cloud Assistant commands

Last Updated:May 17, 2023

You can run Cloud Assistant commands only on Elastic Compute Service (ECS) instances with specific tags by using a RAM role or as a RAM user. If you run the commands on ECS instances to which specific tags are not added, the commands fail to run. This topic describes how to run Cloud Assistant commands on ECS instances with specific tags as a RAM user. This topic also provides examples of the custom policies that can be used and common issues and solutions to the issues.

Procedure

  1. Create a RAM user by using an Alibaba Cloud account or a RAM user that has administrative permissions.

    For more information, see Create a RAM user.

  2. Create custom policies by using the Alibaba Cloud account or the RAM user that has administrative permissions.

  3. Attach the custom policies to the created RAM user by using the Alibaba Cloud account or the RAM user that has administrative permissions.

    For more information, see Grant permissions to the RAM user.

  4. Log on to the ECS console as the created RAM user and go to the Cloud Assistant page to test whether the permissions defined in the custom policies are granted to the RAM user.

    • If you run a command on ECS instances to which the user:alice tag is not added, the command fails to run.

    • If you run a command on ECS instances to which the user:alice tag is added, the command is successfully run.

    For information about how to log on to the Alibaba Cloud Management Console as a RAM user, see Log on to the Alibaba Cloud Management Console as a RAM user.

Policy 1: Allow a RAM user to run commands on and transfer files to only ECS instances with specific tags

This policy allows a RAM user to run a Cloud Assistant command on and transfer files to only ECS instances to which the user:alice tag is added.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:StopInvocation",
                "ecs:SendFile"
            ],
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/user": "alice"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:StopInvocation",
                "ecs:SendFile"
            ],
            "Resource": "acs:ecs:*:*:command/*"
        }
    ]
}

Policy 2: Allow a RAM user to query the tags that are added to ECS instances, query ECS instances, and manage Cloud Assistant commands

This policy only allows a RAM user to query the tags that are added to ECS instances, query ECS instances, and manage Cloud Assistant commands.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeTag*",
                "ecs:DescribeInstance*",
                "ecs:DescribeCommands",
                "ecs:CreateCommand",
                "ecs:DeleteCommand",
                "ecs:ModifyCommand",
                "ecs:DescribeInvocationResults",
                "ecs:DescribeSendFileResults",
                "ecs:DescribeInstances",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:DescribeInvocations",
                "ecs:DescribeResourceByTags",
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags",
                "ecs:ListTagResources",
                "ecs:DescribeManagedInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "oos:ListSecretParameters",
            "Resource": "*"
        }
    ]
}

Common issues and solutions to the issues

If the custom policies do not take effect, you must check whether the Effect element for the following permissions is set to Allow:

["ecs:InvokeCommand","ecs:RunCommand", "ecs:StopInvocation","ecs:SendFile"].

If the Effect element for these permissions is set to Allow, you must remove these permissions from the custom policies.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:StopInvocation",
                "ecs:SendFile"
            ],
            "Resource": "*"
        }
    ]
}