Use tags to implement fine-grained access control - Server Migration Center

After you attach tags to your Server Migration Center (SMC) resources, you can use the tags to categorize and control access to the resources. This topic describes how to use tags to control the permissions of Resource Access Management (RAM) users and Security Token Service (STS) roles so that different users can be granted different access and operation permissions on cloud resources.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify and categorize cloud resources. RAM manages the access and operation permissions of RAM users on cloud resources based on permission policies. You can use tags as conditions in RAM policies to implement fine-grained access control on resources.

The following figure shows how to use tags to manage the access and operation permissions of RAM users on cloud resources. The process is called tag-based authentication. 786

Note You can attach tags to SMC resources such as migration sources and migration tasks. You can attach tags to migration sources only after they are created. For more information, see Use tags to manage migration sources and migration tasks.

Scenarios

The scenarios in this topic are used to describe how to perform tag-based authentication.

For example, you need to grant a RAM user the permissions only on the SMC resources to which the smc:test tag is bound, as shown in the following figure. saasd

Scenarios:

Scenario 1: You can create migration tasks only if the smc:test tag is attached to the tasks.
Scenario 2: You can modify, delete, and attach tags only to the resources to which the smc:test tag is attached.

Step 1: Create a custom policy and attach the policy to the RAM user

In this step, a custom policy is created in the RAM console. You can also call the CreatePolicy operation to create a custom policy. For more information, see Configure the policy.

Use your Alibaba Cloud account to log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.

Configure the policy.

A policy contains a set of permissions. Each policy includes a version number and one or more individual statements. Each statement includes the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see Policy elements and Policy structure and syntax.

Modify the policy as needed and click Next: Edit Basic Information.

You can configure multiple tag-based conditions for cloud resources in the Condition element of the custom policy to restrict operation permissions. The following table describes supported tag-based authentication conditions.


Tag-based authentication condition	Description
`acs:RequestTag`	Specifies that a specific tag must be included in each API request. If an API request does not include tag-related parameters, the acs:RequestTag condition cannot be used. Otherwise, the authentication fails.
`acs:ResourceTag`	Specifies that a specific tag must be attached to the specified resource. If an API request does not include a resource ID, you cannot use the acs:ResourceTag condition. Otherwise, the authentication fails.

Note When you configure a policy, you can use the acs:RequestTag or acs:ResourceTag condition based on whether you need to specify the resource ID and whether tags can be included in the API request. For more information, see Tag-based authentication of requests to different API operations.

{
    "Statement": [
        {
            "Action": "smc:CreateReplicationJob",
            "Condition": {
                "StringEquals": {
                    "acs:RequestTag/smc": "test"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "smc:*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/smc": "test"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
          "Action": [
                "*:TagResources",
                "*:UntagResources"  
             ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": [
                "*:List*",
                "*:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

The preceding policy can provide access control for the following scenarios.

Scenario Policy

Scenario	Policy
Scenario 1: You can create migration tasks only if the `smc:test` tag is attached to the tasks.	`{ "Statement": [ { "Action": "smc:CreateReplicationJob", "Condition": { "StringEquals": { "acs:RequestTag/smc": "test" } }, "Effect": "Allow", "Resource": "" }, { "Action": [ ":List", ":Describe" ], "Effect": "Allow", "Resource": "" } ], "Version": "1" }`
Scenario 2: You can modify and delete only the resources to which the `smc:test` tag is attached.	`{ "Statement": [ { "Action": "smc:", "Condition": { "StringEquals": { "acs:ResourceTag/smc": "test" } }, "Effect": "Allow", "Resource": "" }, { "Action": [ ":TagResources", ":UntagResources" ], "Effect": "Deny", "Resource": "" }, { "Action": [ ":List", ":Describe" ], "Effect": "Allow", "Resource": "" } ], "Version": "1" }`

Scenario 1: You can create migration tasks only if the smc:test tag is attached to the tasks.

{
    "Statement": [
        {
            "Action": "smc:CreateReplicationJob",
            "Condition": {
                "StringEquals": {
                    "acs:RequestTag/smc": "test"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*:List*",
                "*:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Scenario 2: You can modify and delete only the resources to which the smc:test tag is attached.

{
    "Statement": [
        {
            "Action": "smc:*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/smc": "test"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
          "Action": [
                "*:TagResources",
                "*:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": [
                "*:List*",
                "*:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

In the Basic Information section, enter a policy name in the Name field, and then click OK.

Attach the policy to the RAM user.
1. In the left-side navigation pane, choose Identities > Users.
2. Attach the policy to the RAM user.
  For more information, see Grant permissions to a RAM user.

Step 2: Check whether the policy is in effect

Log on to the SMC console or OpenAPI Explorer as a RAM user.
In this step, the SMC console is used.
Check whether the policy is in effect.
Perform the following operations:
- Create a migration task:
  - You can create a migration task for a migration source to which you attach the smc:test tag.
  - You cannot create a migration task for a migration source to which you do not attach the smc:test tag. You are prompted that you do not have the permission to create the migration task.
- Delete a migration source:
  - You can delete a migration source to which you attach the smc:test tag.
  - You cannot delete a migration source to which you do not attach the smc:test tag. You are prompted that you do not have the permission to create the migration task.

Tag-based authentication of requests to different API operations

After policies that contain tag-based conditions are attached to a RAM user, requests made by the RAM user to API operations are authenticated based on the tags specified in the policy conditions. The following table describes various cases in which requests to different API operations are authenticated based on tags.


API operation	Authentication description
CreateReplicationJob	You do not need to specify the resource ID in a request. The request is matched against the `acs:RequestTag` policy condition. If the request contains no tags from the policy condition, the authentication fails. If the request contains tags that match or include the tags from the policy condition, the authentication succeeds.
ModifyReplicationJobAttribute	You must specify the resource ID in a request. The request is matched against the `acs:ResourceTag` policy condition. If the tags attached to the resource do not match the tags specified in the policy condition, the authentication fails. If the tags attached to the resource match the tags specified in the policy condition, the authentication succeeds. If you update tags for the resource and the request contains the new tag of the resource, the authentication succeeds only when the tag matches the tags specified in the policy condition. Otherwise, the authentication fails.
StartReplicationJob, StopReplicationJob, and DeleteSourceServer	You must specify the resource ID in a request. The request is matched against the `acs:ResourceTag` policy condition. If the tags of the resource do not match the tags specified in the policy condition, the authentication fails. If the tags of the resource match the tags specified in the policy condition, the authentication succeeds.