
Access control: use tags to restrict the ECS instances that a RAM user can manage

Updated on: May 15, 2024

You can attach tags to ECS instances and then specify the authorized tags in a RAM custom policy, so that a RAM user can view and manage only the specified ECS instances.

Background information

The logic of restricting RAM user permissions based on tags (tag-based authorization) is shown in the following figure.

[Figure: tag-based authorization flow]

In a custom policy, the authorized tags are specified by a condition (Condition). Tags support the following condition keys:

  • acs:RequestTag/<tag-key>: the tag passed in the request, that is, the tag that the request parameters must carry when the user calls the API.

  • acs:ResourceTag/<tag-key>: the tag attached to the resource being accessed, that is, the tag that the resource must carry when the user operates on it.

Procedure

The following example allows only the RAM user Alice to view and manage ECS instances that carry the tags owner:alice and environment:production; she has no permission to view or manage any other ECS instance.

Note

The ECS instances keep running normally throughout the authorization process; none of the steps affects them.

The following operations are performed by the account administrator.

  1. In the RAM console, create the RAM user Alice.

    For more information, see Create a RAM user.

  2. Attach tags to the ECS instances.

    In this example, the ECS instances must be tagged with owner:alice and environment:production.

    You can use either of the following two methods to attach the tags:

  3. In the RAM console, create a custom policy named UseTagAccessRes.

    The policy content is shown below. For more information, see Create a custom policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "acs:ResourceTag/owner": [
                            "alice"
                        ],
                        "acs:ResourceTag/environment": [
                            "production"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "acs:RequestTag/owner": [
                            "alice"
                        ],
                        "acs:RequestTag/environment": [
                            "production"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:List*",
                    "ecs:DescribeInstanceStatus",
                    "ecs:DescribeInstanceVncUrl",
                    "ecs:DescribeInstanceAutoRenewAttribute",
                    "ecs:DescribeInstanceRamRole",
                    "ecs:DescribeInstanceTypeFamilies",
                    "ecs:DescribeInstanceTypes",
                    "ecs:DescribeInstanceAttachmentAttributes",
                    "ecs:DescribeInstancesFullStatus",
                    "ecs:DescribeInstanceHistoryEvents",
                    "ecs:DescribeInstanceMonitorData",
                    "ecs:DescribeInstanceMaintenanceAttributes",
                    "ecs:DescribeInstanceModificationPrice",
                    "ecs:DescribeA*",
                    "ecs:DescribeC*",
                    "ecs:DescribeD*",
                    "ecs:DescribeE*",
                    "ecs:DescribeH*",
                    "ecs:DescribeIm*",
                    "ecs:DescribeInv*",
                    "ecs:DescribeK*",
                    "ecs:DescribeL*",
                    "ecs:DescribeM*",
                    "ecs:DescribeN*",
                    "ecs:DescribeP*",
                    "ecs:DescribeR*",
                    "ecs:DescribeS*",
                    "ecs:DescribeT*",
                    "ecs:DescribeZ*",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ]
    }

    Policy description (each statement is followed by what it does):

    {
    	"Effect": "Allow",
    	"Action": "ecs:*",
    	"Resource": "*",
    	"Condition": {
    		"StringEquals": {
    			"acs:RequestTag/owner": "alice",
    			"acs:RequestTag/environment": "production"
    		}
    	}
    }

    Allows filtering ECS instances by the tags owner:alice and environment:production passed in the request.

    {
    	"Effect": "Allow",
    	"Action": "ecs:*",
    	"Resource": "*",
    	"Condition": {
    		"StringEquals": {
    			"acs:ResourceTag/owner": [
    				"alice"
    			],
    			"acs:ResourceTag/environment": [
    				"production"
    			]
    		}
    	}
    }

    Allows management operations on ECS instances that carry the tags owner:alice and environment:production.

    {
    	"Effect": "Allow",
    	"Action": [
    		"ecs:List*",
    		"ecs:DescribeInstanceStatus",
    		"ecs:DescribeInstanceVncUrl",
    		"ecs:DescribeInstanceAutoRenewAttribute",
    		"ecs:DescribeInstanceRamRole",
    		"ecs:DescribeInstanceTypeFamilies",
    		"ecs:DescribeInstanceTypes",
    		"ecs:DescribeInstanceAttachmentAttributes",
    		"ecs:DescribeInstancesFullStatus",
    		"ecs:DescribeInstanceHistoryEvents",
    		"ecs:DescribeInstanceMonitorData",
    		"ecs:DescribeInstanceMaintenanceAttributes",
    		"ecs:DescribeInstanceModificationPrice",
    		"ecs:DescribeA*",
    		"ecs:DescribeC*",
    		"ecs:DescribeD*",
    		"ecs:DescribeE*",
    		"ecs:DescribeH*",
    		"ecs:DescribeIm*",
    		"ecs:DescribeInv*",
    		"ecs:DescribeK*",
    		"ecs:DescribeL*",
    		"ecs:DescribeM*",
    		"ecs:DescribeN*",
    		"ecs:DescribeP*",
    		"ecs:DescribeR*",
    		"ecs:DescribeS*",
    		"ecs:DescribeT*",
    		"ecs:DescribeZ*",
    		"vpc:DescribeVpcs",
    		"vpc:DescribeVSwitches"
    	],
    	"Resource": "*"
    }

    Allows viewing information related to ECS instances.

    {
    	"Effect": "Deny",
    	"Action": [
    		"ecs:DeleteTags",
    		"ecs:UntagResources",
    		"ecs:CreateTags",
    		"ecs:TagResources"
    	],
    	"Resource": "*"
    }

    Denies deleting, detaching, creating, and attaching tags, so that the RAM user cannot lose permissions by modifying tags.

  4. In the RAM console, grant permissions to the RAM user Alice.

    Set the authorization scope to the entire Alibaba Cloud account, the principal to the RAM user Alice, and the policy to the custom policy UseTagAccessRes. For more information, see Grant permissions to a RAM user.
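To make the condition keys from the background section and the four statements of UseTagAccessRes concrete, here is an added example in Python. It is not part of the original page and not Alibaba Cloud's RAM engine: a simplified simulation that evaluates the policy against constructed requests. It assumes the documented outcome rules (an explicit Deny overrides any Allow, and a request no statement allows is denied), treats StringEquals as AND across condition keys and OR across a key's listed values, matches action names by exact wildcard matching, and abbreviates the third statement's long read-only action list to a subset. The evaluate function, the request model and the sample requests are assumptions made for illustration.

```python
"""Simplified simulation of how the page's UseTagAccessRes policy decides
requests. Assumed rules: explicit Deny wins over Allow; otherwise any
matching Allow grants; otherwise implicit Deny. Not RAM's real engine."""
import fnmatch
import json

# Constructed sample input: the page's policy, with the third statement's
# read-only action list abbreviated to a representative subset.
POLICY = json.loads('''{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {
        "acs:ResourceTag/owner": ["alice"],
        "acs:ResourceTag/environment": ["production"]}}},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {
        "acs:RequestTag/owner": ["alice"],
        "acs:RequestTag/environment": ["production"]}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:List*", "ecs:DescribeInstanceStatus",
                "ecs:DescribeInstanceTypes", "ecs:DescribeIm*",
                "vpc:DescribeVpcs", "vpc:DescribeVSwitches"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                "ecs:CreateTags", "ecs:TagResources"]}
  ]
}''')


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # '*' in an action pattern is a wildcard (e.g. ecs:Describe* or ecs:*).
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _condition_matches(condition, resource_tags, request_tags):
    """StringEquals: every key must match (AND); within a key, any listed
    value matches (OR). A tag key missing from the request fails."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if key.startswith("acs:ResourceTag/"):
            actual = resource_tags.get(key[len("acs:ResourceTag/"):])
        elif key.startswith("acs:RequestTag/"):
            actual = request_tags.get(key[len("acs:RequestTag/"):])
        else:
            return False  # condition key this simulation does not model
        if actual is None or actual not in _as_list(allowed):
            return False
    return True


def evaluate(policy, action, resource_tags=None, request_tags=None):
    """Return 'Allow' or 'Deny' for one request (hypothetical helper).

    resource_tags: tags on the instance being operated on (acs:ResourceTag).
    request_tags:  tags carried in the API call itself (acs:RequestTag)."""
    resource_tags = resource_tags or {}
    request_tags = request_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue  # the page's policy uses only Resource "*"
        if not _condition_matches(stmt.get("Condition", {}),
                                  resource_tags, request_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit Deny


# Constructed tag sets for the walkthrough below.
ALICE_INSTANCE = {"owner": "alice", "environment": "production"}
STAGING_INSTANCE = {"owner": "alice", "environment": "staging"}

if __name__ == "__main__":
    cases = [
        ("StopInstance on Alice's production instance",
         dict(action="ecs:StopInstance", resource_tags=ALICE_INSTANCE)),
        ("StopInstance on an instance missing one of the two tags",
         dict(action="ecs:StopInstance", resource_tags=STAGING_INSTANCE)),
        ("DescribeInstances in the console without the tag filter",
         dict(action="ecs:DescribeInstances")),
        ("DescribeInstances with both tags selected in the filter",
         dict(action="ecs:DescribeInstances", request_tags=ALICE_INSTANCE)),
        ("TagResources on Alice's own instance (explicit Deny wins)",
         dict(action="ecs:TagResources", resource_tags=ALICE_INSTANCE)),
        ("DescribeInstanceStatus, unconditioned read-only action",
         dict(action="ecs:DescribeInstanceStatus")),
    ]
    for description, request in cases:
        print(f"{evaluate(POLICY, **request):5} {description}")
```

The DescribeInstances pair is the behaviour the verification section describes: with no tag filter the request carries no acs:RequestTag values and the instance list is empty, while selecting both tags satisfies the second statement. The TagResources case shows why the fourth statement is an explicit Deny rather than simply an omission: the first statement's ecs:* Allow would otherwise cover it on Alice's own instances.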

Verify the result

  1. Log on to the ECS console as the RAM user Alice.

    For more information, see Log on to the Alibaba Cloud console as a RAM user.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select a region.

  4. On the Instances page, click the tag filter next to the search box and select the tags owner:alice and environment:production.

    Important

    The RAM user can see the ECS instances that carry a tag only after selecting that tag in the filter. Otherwise, the RAM user cannot see any ECS instances.

  5. View and manage only the ECS instances that carry the tags owner:alice and environment:production.

Related documents

For details on the RAM authorization rules of ECS, see Authorization rules.