
Elastic Compute Service: Control access to ECS resources by using RAM users

Last Updated:May 07, 2024

When multiple users simultaneously access resources, you can create multiple Resource Access Management (RAM) users for the users and grant the RAM users different permissions based on the roles and demands of the users. This way, you can control access to various resources, improve management efficiency, and reduce the risk of information leaks. This topic describes how to create a RAM user and attach specific policies to the RAM user to control access to Elastic Compute Service (ECS) resources.

Procedure

  1. Create a RAM user.

    For more information, see Create a RAM user.

  2. (Optional) Create a custom policy.

    Alibaba Cloud provides system policies that grant permissions to access ECS resources. For more information, see Example system policies. If system policies do not meet your business requirements, create a custom policy. For more information, see Create custom policies.

    To create a custom policy by using a script in the RAM console, choose Permissions > Policies in the left-side navigation pane, click Create Policy, click the JSON tab, and then enter policy content in the code editor. You must configure the Action and Resource parameters in Statement. For more information, see Authentication rules. For information about the values of other parameters, see Policy syntax and structure.

    • Example 1: Custom policy that is created by using a script and allows RAM users to create pay-as-you-go ECS instances

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeImages",
                      "vpc:DescribeVpcs",
                      "vpc:DescribeVSwitches",
                      "ecs:DescribeSecurityGroups",
                      "ecs:DescribeKeyPairs",
                      "ecs:DescribeTags",
                      "ecs:RunInstances"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    • Example 2: Custom policy that is created by using a script and allows RAM users to create subscription ECS instances. Querying and paying for subscription orders requires permission to call bss-related API operations; the corresponding system policy is AliyunBSSOrderAccess.

      Important

      If you set autoPay to true when you call the RunInstances operation to create subscription ECS instances, you do not need the permissions to call bss-related API operations.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeImages",
                      "vpc:DescribeVpcs",
                      "vpc:DescribeVSwitches",
                      "ecs:DescribeSecurityGroups",
                      "ecs:DescribeKeyPairs",
                      "ecs:DescribeTags",
                      "ecs:RunInstances",
                      "bss:DescribeOrderList",
                      "bss:DescribeOrderDetail",
                      "bss:PayOrder",
                      "bss:CancelOrder"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    • Example 3: Custom policy that is created by using a script and allows RAM users to query instance and disk information after the RAM users create ECS instances

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeInstances",
                      "ecs:DescribeDisks"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
  3. Attach the custom policy to the RAM user to grant the RAM user permissions to access ECS resources. For more information, see Grant permissions to a RAM user.

    Note

    After the policy is attached to the RAM user, the permissions immediately take effect. The RAM user can log on to the RAM console to manage specific resources. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
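The procedure above requires every Statement to carry Action and Resource, and the example policies all use the wildcard Resource "*". The following script, added here as an illustration and not part of the Alibaba Cloud documentation, reviews a policy document before it is attached: it reports statements that omit Action or Resource, and statements that grant mutating (non-Describe) actions on every resource, which is where a least-privilege review should focus. The sample policies are reconstructed from Example 2 and Example 3; the read-only prefix list is an assumption for this check.

```python
import json

# Constructed sample, mirroring the page's Example 2 (subscription instances plus bss order actions).
SUBSCRIPTION_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:DescribeImages", "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
                   "ecs:DescribeSecurityGroups", "ecs:DescribeKeyPairs", "ecs:DescribeTags",
                   "ecs:RunInstances", "bss:DescribeOrderList", "bss:DescribeOrderDetail",
                   "bss:PayOrder", "bss:CancelOrder"],
        "Resource": "*",
    }],
    "Version": "1",
})

# Constructed sample, mirroring the page's Example 3 (query instances and disks only).
QUERY_ONLY_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
                   "Resource": "*"}],
    "Version": "1",
})

# Assumed convention: actions whose name starts with one of these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def is_read_only(action):
    # "ecs:DescribeImages" -> "DescribeImages"; a wildcard such as "ecs:*" is never read-only.
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def review_policy(policy_json):
    """Return findings for Allow statements that are malformed or grant mutating actions on "*"."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "Action" not in stmt or "Resource" not in stmt:
            findings.append({"statement": idx, "error": "missing Action or Resource"})
            continue
        # Both fields may be a single string or a list; normalise to lists.
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        mutating = sorted(a for a in actions if not is_read_only(a))
        if mutating and "*" in resources:
            findings.append({"statement": idx, "mutating_actions": mutating})
    return findings
```

An empty result means every Allow statement is well-formed and either read-only or scoped below "*"; a non-empty result lists exactly which actions deserve a narrower Resource or a separate, more tightly scoped RAM user.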

References

  • You can view the permissions that are granted to a RAM user and the permissions that the RAM user inherits from RAM user groups. For more information, see View the permissions of a RAM user.

  • If a RAM user no longer requires specific permissions or the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.

  • You can view the multi-factor authentication (MFA) methods that are supported by RAM users, MFA usage notes, and MFA limits. For more information, see What is multi-factor authentication?

  • You can manage ActionTrail permissions of RAM users. You can create custom policies and attach the policies to the RAM users to allow the RAM users to log on to the ActionTrail console and perform related operations. For more information, see Use RAM to manage ActionTrail permissions.