This topic describes how to manage Elastic Compute Service (ECS) permissions of Resource Access Management (RAM) users.
Background information
RAM provides the following ECS system policies:
AliyunECSFullAccess: grants a RAM user the permissions to manage ECS instances.
AliyunECSReadOnlyAccess: grants a RAM user the read-only permission on ECS instances.
If system policies cannot meet your specific requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security. For more information, see Authorization rules.
Procedure
Create a RAM user.
For more information, see Create a RAM user.
Create a custom policy.
For more information, see Create custom policies and Policy examples.
Attach the custom policy to the RAM user.
For more information, see Grant permissions to a RAM role.
When you attach the custom policy to the RAM user, you can specify one of the following authorization scopes:
Alibaba Cloud Account: The permissions take effect on all resources of the current Alibaba Cloud account. In this example, Alibaba Cloud Account is selected.
Specific Resource Group: The authorization takes effect on a specific resource group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.
Policy examples
Example 1: Authorize a RAM user to manage two specified ECS instances.
To authorize a RAM user to manage the ECS instances i-001 and i-002 in your Alibaba Cloud account, use the following sample script:
{
    "Statement": [
        {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": [
                "acs:ecs:*:*:instance/i-001",
                "acs:ecs:*:*:instance/i-002"
            ]
        },
        {
            "Action": "ecs:Describe*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
Note: The authorized RAM user can view all ECS instances but can manage only the two specified ECS instances. If you want the authorized RAM user to view and manage only the two specified ECS instances, add the ECS instances to a resource group and authorize the RAM user to view and manage the ECS instances in that resource group. For more information, see Use a resource group to manage an ECS instance.
The ecs:Describe* statement is required in the policy. Without it, the authorized RAM user cannot view ECS instances in the ECS console, but can still manage the two specified ECS instances by calling API operations or by using a CLI or SDK.
Example 2: Authorize a RAM user to view ECS instances in the China (Qingdao) region, but not to view information about disks and snapshots.
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:Describe*",
            "Resource": "acs:ecs:cn-qingdao:*:instance/*"
        }
    ],
    "Version": "1"
}
Note: If you want to authorize a RAM user to view ECS instances in a different region, replace cn-qingdao in the Resource element with the ID of that region. For more information about region IDs, see Regions and zones.
Example 3: Authorize a RAM user to create snapshots.
If a RAM user cannot create disk snapshots after being granted administrative rights on an ECS instance, you must also grant the RAM user permissions on the disk: the ecs:CreateSnapshot action is evaluated against the disk and snapshot resources, not the instance, so a policy scoped only to instance/i-001 does not cover it. In this example, the ECS instance ID is i-001 and the disk ID is d-001.
{
    "Statement": [
        {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": [
                "acs:ecs:*:*:instance/i-001"
            ]
        },
        {
            "Action": "ecs:CreateSnapshot",
            "Effect": "Allow",
            "Resource": [
                "acs:ecs:*:*:disk/d-001",
                "acs:ecs:*:*:snapshot/*"
            ]
        },
        {
            "Action": [
                "ecs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
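To check how the Action and Resource scoping in Examples 1 to 3 behaves before attaching a policy, the following added example (not part of this topic or of RAM itself) implements a simplified evaluator: explicit Deny wins, any matching Allow grants, everything else is implicitly denied, and wildcards are matched shell-style. It assumes no Condition elements and no resource-group scoping, which the real RAM engine also evaluates.

```python
from fnmatch import fnmatchcase

# Example 1 and Example 2 policies from this topic, as Python dicts (constructed inline).
EXAMPLE_1 = {
    "Statement": [
        {"Action": "ecs:*", "Effect": "Allow",
         "Resource": ["acs:ecs:*:*:instance/i-001", "acs:ecs:*:*:instance/i-002"]},
        {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"},
    ],
    "Version": "1",
}
EXAMPLE_2 = {
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:Describe*",
         "Resource": "acs:ecs:cn-qingdao:*:instance/*"},
    ],
    "Version": "1",
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Simplified RAM-style evaluation (assumption, not the RAM engine):
    a matching Deny statement always wins, a matching Allow grants,
    and a request that matches no statement is implicitly denied."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def audit(policy, requests):
    """Evaluate a batch of (action, resource) pairs; handy for reviewing a draft policy."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    inst = "acs:ecs:cn-hangzhou:123456:instance/i-00{}"  # constructed sample ARN pattern
    for req, ok in audit(EXAMPLE_1, [("ecs:StopInstance", inst.format(1)),
                                     ("ecs:StopInstance", inst.format(3)),
                                     ("ecs:DescribeInstances", inst.format(3))]).items():
        print(req, "->", "Allow" if ok else "Deny")
```

Running the audit against a candidate policy with the instance, disk and snapshot ARNs the user actually needs shows gaps such as the missing disk permission from Example 3 before the policy is attached.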