You can use Alibaba Cloud Resource Access Management (RAM) to manage permissions for Serverless App Engine (SAE). If multiple users need to use the same resources, you can use RAM to prevent the AccessKey pair of your Alibaba Cloud account from being shared with other users. This reduces security risks. This topic describes how to create a policy and grant permissions in the SAE console based on RAM features.
Prerequisites
You are familiar with the policy structure and syntax. For more information, see Policy structure and syntax and Policy elements.
RAM policies
Permissions are granted to allow or deny access to specific resources. A policy contains a set of permissions that are defined based on a specific structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and authorization conditions. A policy is a type of simple language specification that describes a set of permissions.
In RAM, a policy is a resource entity. SAE supports the following policies:
System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. System policies apply when you need to implement coarse-grained access control on RAM users.
Custom policy: You can create, update, and delete custom policies and maintain the updates of the policies. Custom policies apply when you need to implement fine-grained access control on RAM users.
System policies
The first time you log on to the SAE console as a RAM user, the Welcome to Serverless App Engine (SAE) dialog box appears on the SAE homepage. You are prompted to attach policies to the RAM user. After you attach policies to the RAM user, you can use the RAM user to access related Alibaba Cloud resources.
The following table describes the system policies that you must attach to the RAM user.
| Policy name | Description |
| --- | --- |
| AliyunSAEFullAccess | Grants full access to SAE. You can manage applications only after this policy is attached. |
| AliyunSLBReadOnlyAccess | Grants read-only access to Server Load Balancer (SLB). You can use SLB-related features only after this policy is attached. |
| AliyunACMFullAccess | Grants full access to Application Configuration Management (ACM). You can use the built-in ACM features of SAE only after this policy is attached. |
| AliyunECSReadOnlyAccess | Grants read-only access to Elastic Compute Service (ECS). You can select an existing security group when you create an application only after this policy is attached. |
| AliyunOOSReadOnlyAccess | Grants read-only access to CloudOps Orchestration Service (OOS). You can use the scheduled start and stop feature to batch manage applications in SAE only after this policy is attached. |
| AliyunBSSReadOnlyAccess | Grants read-only access to Billing System. You can view the balance of the resource plans that you purchased on the Overview page of the SAE console only after this policy is attached. |
| AliyunARMSReadOnlyAccess | Grants read-only access to Application Real-Time Monitoring Service (ARMS). You can use the built-in application monitoring management feature of SAE only after this policy is attached. |
| AliyunContainerRegistryReadOnlyAccess | Grants read-only access to Container Registry. You can select Container Registry Enterprise Edition when you use images to deploy applications in SAE only after this policy is attached. |
| AliyunALBReadOnlyAccess | Grants read-only access to Application Load Balancer (ALB). |
| AliyunYundunCertReadOnlyAccess | Grants read-only access to SSL Certificates Service. |
| AliyunEventBridgeReadOnlyAccess | Grants read-only access to EventBridge. You can create and update jobs only after this policy is attached. |
The AliyunSAEFullAccess policy grants full access to all SAE resources. You can use custom policies to grant RAM users fine-grained permissions on specific resources, such as namespace-level resources, application-level resources, and associated services. For more information, see Custom policies.
Custom policies
If the system policies do not meet your business requirements, you can create custom policies to implement fine-grained access control.
Authorization rule
The following table describes the resources.
| Resource type | ARN format in an authorization policy |
| --- | --- |
| application | acs:sae:$regionid:$accountid:application/$namespaceid/$appid |
The following table describes the parameters in the preceding Alibaba Cloud Resource Name (ARN) format.
| Parameter | Description |
| --- | --- |
| $regionid | The ID of the region. Can be replaced by an asterisk (*) to match all regions. |
| $accountid | The ID of the Alibaba Cloud account. Can be replaced by an asterisk (*) to match all accounts. |
| $namespaceid | The ID of the namespace. If you use the default namespace, whose ID is empty, write _default in the ARN. Note: a namespace ID can contain only lowercase letters and digits. |
| $appid | The ID of the application. Can be replaced by an asterisk (*) to match all applications in the namespace. |
Examples
In this example, the China (Shanghai) region is used.
The following ARN belongs to an application whose ID is 0c815215-46a1-46a2-ba1e-0102a740**** and namespace ID is test:
acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****
The following ARN belongs to the default namespace:
acs:sae:cn-shanghai:*:application/_default/*
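The two ARNs above follow the acs:sae:$regionid:$accountid:application/$namespaceid/$appid format. The following added example (not code from the Alibaba Cloud documentation) assembles and splits such ARNs, enforcing the namespace-ID character rule from the parameter table and mapping the empty default namespace to _default as the second ARN shows. The function names are this example's own.

```python
import re

# Character rule for a namespace ID, as stated in the parameter table.
_NAMESPACE_RE = re.compile(r"^[a-z0-9]+$")
# How the default namespace (empty ID) is spelled inside an ARN.
DEFAULT_NAMESPACE = "_default"
_ARN_RE = re.compile(r"^acs:sae:([^:]+):([^:]+):application/([^/]+)/(.+)$")


def is_valid_namespace_id(namespace):
    """True for an explicit wildcard, the default namespace, or a lowercase
    alphanumeric ID; False for anything else (uppercase, dashes, ...)."""
    if namespace in ("", "*", DEFAULT_NAMESPACE):
        return True
    return bool(_NAMESPACE_RE.match(namespace))


def build_application_arn(region="*", account="*", namespace="", app_id="*"):
    """Assemble acs:sae:$regionid:$accountid:application/$namespaceid/$appid.
    An empty namespace means the default namespace and is written as _default."""
    if not is_valid_namespace_id(namespace):
        raise ValueError(
            f"namespace ID must contain only lowercase letters and digits: {namespace!r}"
        )
    if namespace == "":
        namespace = DEFAULT_NAMESPACE
    return f"acs:sae:{region}:{account}:application/{namespace}/{app_id}"


def parse_application_arn(arn):
    """Split an SAE application ARN into its four parameters; raises on other ARNs."""
    match = _ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an SAE application ARN: {arn!r}")
    region, account, namespace, app_id = match.groups()
    return {
        "region": region,
        "account": account,
        "namespace": namespace,
        "app_id": app_id,
    }


if __name__ == "__main__":
    # Reproduces the two ARNs shown on this page for the China (Shanghai) region.
    print(build_application_arn("cn-shanghai", "*", "test",
                                "0c815215-46a1-46a2-ba1e-0102a740****"))
    print(build_application_arn("cn-shanghai"))  # default namespace, all applications
    print(parse_application_arn("acs:sae:cn-shanghai:*:application/test/abc"))
```

Rejecting a namespace ID that violates the character rule before it reaches a policy avoids writing a resource pattern that can never match and silently grants nothing.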
Sample policies
Scenario 1: Grant namespace-level permissions
Scenario description: Grant the read permissions on SAE and the write permissions on specific namespaces and the applications that belong to the namespaces.
In this example, a RAM user is granted the permissions to manage the resources that are related to the default namespace, the namespace whose ID is test, and the applications that belong to the namespaces.
| Resource | Action | Description |
| --- | --- | --- |
| acs:sae:cn-shanghai:*:* | sae:Query* | API operations whose names start with Query can be called to manage all related resources in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:List* | API operations whose names start with List can be called to manage all related resources in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:Describe* | API operations whose names start with Describe can be called to manage all related resources in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:*Ingress* | API operations whose names contain Ingress can be called to manage all related resources in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:*ChangeOrder* | API operations whose names contain ChangeOrder can be called to manage all related resources in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:*Pipeline* | API operations whose names contain Pipeline can be called to manage all related resources in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:application/test/* | sae:* | You can manage all resources that are related to the namespace whose ID is test and the applications that belong to the namespace in the China (Shanghai) region. |
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "sae:Query*",
        "sae:List*",
        "sae:Describe*",
        "sae:*Ingress*",
        "sae:*ChangeOrder*",
        "sae:*Pipeline*"
      ],
      "Resource": "acs:sae:cn-shanghai:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sae:*"
      ],
      "Resource": [
        "acs:sae:cn-shanghai:*:application/test/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
Scenario 2: Grant application-level permissions
Scenario description: Grant the read permissions on SAE and the write permissions on specific applications.
In this example, a RAM user is granted the permissions to manage the applications that are described in the following table.
| Application | Namespace | Application ID |
| --- | --- | --- |
| Application 1 | test | 0c815215-46a1-46a2-ba1e-0102a740**** |
| Application 2 | default | e468a92b-1529-4d20-8ab1-9d1595dc**** |
| Resource | Action | Description |
| --- | --- | --- |
| acs:sae:cn-shanghai:*:* | sae:Query* | API operations whose names start with Query can be called to manage all resources that are related to the namespaces and applications in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:List* | API operations whose names start with List can be called to manage all resources that are related to the namespaces and applications in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:Describe* | API operations whose names start with Describe can be called to manage all resources that are related to the namespaces and applications in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:*Ingress* | API operations whose names contain Ingress can be called to manage all resources that are related to the namespaces and applications in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:*ChangeOrder* | API operations whose names contain ChangeOrder can be called to manage all resources that are related to the namespaces and applications in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:* | sae:*Pipeline* | API operations whose names contain Pipeline can be called to manage all resources that are related to the namespaces and applications in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740**** | sae:* | You can manage all resources that are related to the namespace whose ID is test and Application 1 in the China (Shanghai) region. |
| acs:sae:cn-shanghai:*:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc**** | sae:* | You can manage all resources that are related to the default namespace and Application 2 in the China (Shanghai) region. |
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "sae:Query*",
        "sae:List*",
        "sae:Describe*",
        "sae:*Ingress*",
        "sae:*ChangeOrder*",
        "sae:*Pipeline*"
      ],
      "Resource": "acs:sae:cn-shanghai:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sae:*"
      ],
      "Resource": [
        "acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****",
        "acs:sae:cn-shanghai:*:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc****"
      ],
      "Effect": "Allow"
    }
  ]
}
```
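Before attaching a policy like the ones in Scenario 1 and Scenario 2, it helps to check which requests it would actually allow. The following added example (not code from Alibaba Cloud or the RAM service) embeds the Scenario 2 policy from this page and evaluates requests against it with a deliberately simplified model: glob matching on Action and Resource, explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny. Condition blocks and RAM's exact matching rules are not modelled, the request ARNs and the account ID 123456789012 are constructed, and the action names in the sample requests are illustrative. One caveat specific to this page: the masked **** in its application IDs also acts as a wildcard in the glob matcher, so the sample requests reuse the same masked IDs.

```python
from fnmatch import fnmatchcase

# The Scenario 2 policy from this page, embedded as the sample input.
SCENARIO_2_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["sae:Query*", "sae:List*", "sae:Describe*",
                       "sae:*Ingress*", "sae:*ChangeOrder*", "sae:*Pipeline*"],
            "Resource": "acs:sae:cn-shanghai:*:*",
            "Effect": "Allow",
        },
        {
            "Action": ["sae:*"],
            "Resource": [
                "acs:sae:cn-shanghai:*:application/test/0c815215-46a1-46a2-ba1e-0102a740****",
                "acs:sae:cn-shanghai:*:application/_default/e468a92b-1529-4d20-8ab1-9d1595dc****",
            ],
            "Effect": "Allow",
        },
    ],
}


def _matches_any(patterns, value):
    """True if value matches at least one glob pattern; '*' spans any characters,
    including ':' and '/', which is what makes acs:sae:cn-shanghai:*:* cover everything
    in the region."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def is_allowed(policy, action, resource):
    """Simplified evaluation (assumption: a teaching model, not RAM's engine).
    Returns True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for statement in policy["Statement"]:
        if _matches_any(statement["Action"], action) and _matches_any(statement["Resource"], resource):
            if statement["Effect"] == "Deny":
                return False
            if statement["Effect"] == "Allow":
                allowed = True
    return allowed


def access_matrix(policy, actions, resources):
    """Evaluate every (action, resource) pair; useful for reviewing a policy before attaching it."""
    return {(action, resource): is_allowed(policy, action, resource)
            for action in actions for resource in resources}


if __name__ == "__main__":
    # Constructed request ARNs: Application 1 from the page, and an unrelated application
    # in the same namespace that should only receive the read-style actions.
    app1 = "acs:sae:cn-shanghai:123456789012:application/test/0c815215-46a1-46a2-ba1e-0102a740****"
    other = "acs:sae:cn-shanghai:123456789012:application/test/another-app"
    matrix = access_matrix(SCENARIO_2_POLICY,
                           ["sae:DescribeApplicationConfig", "sae:DeleteApplication"],
                           [app1, other])
    for (action, resource), ok in matrix.items():
        print(f"{action:32} {resource.split('/')[-1]:45} {'Allow' if ok else 'Deny (implicit)'}")
```

Running the script shows the intended split: read-style actions succeed on any application in the region, while a write-style action such as deleting succeeds only on the two applications named in the second statement. Changing the region in a request ARN makes every statement miss, which is the implicit deny that a region-scoped Resource gives you.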
Scenario 3: Grant permissions to access other Alibaba Cloud services that are associated with SAE
To meet specific business requirements, applications that are deployed on SAE need to call API operations of other Alibaba Cloud services, such as ECS, SLB, and ARMS, during runtime. In this case, you must grant a RAM user the permissions to access related Alibaba Cloud services. For example, you can grant the RAM user the following permissions: the read-only permissions on ECS (AliyunECSReadOnlyAccess), read-only permissions on SLB (AliyunSLBReadOnlyAccess), and read-only permissions on ARMS (AliyunARMSReadOnlyAccess).