本文介绍如何自定义RAM授权策略。

前提条件

已了解授权策略语言的基本结构和语法(Version、Statement、Action、Resource、Effect 等元素的含义),详情请参见权限策略语法和结构。

操作步骤

  1. 使用具有RAM管理权限(例如AliyunRAMFullAccess)的账号登录RAM控制台。请勿直接使用阿里云主账号执行日常操作,建议通过具备相应权限的RAM用户完成。
  2. 在左侧导航栏,选择权限管理 > 权限策略管理
  3. 权限策略管理页面,单击创建授权策略
  4. 新建自定义权限策略页面,填写策略名称,并在配置模式区域选择脚本配置
  5. 在策略内容中编写您的授权策略内容。下面的示例仅为模板,请根据最小权限原则按实际需要裁剪。
    注意 因为在网格实例中需要增加或者移除ACK集群,所以需要对这些被管理的集群设置相应的权限。在以下示例中,"Action": "cs:Get*"/"Effect": "Allow"对应的Resource可以设置为"acs:cs:*:*:cluster/{某个集群ID}";由于Resource是数组,需要管理多个集群时可在数组中逐个列出各集群的资源标识。也可以设置为"acs:cs:*:*:cluster/*"(即代表当前账号下所有的ACK集群),但这会把读取权限扩大到账号内的全部集群,仅建议在确实需要管理所有集群时使用;生产环境中请优先按集群ID精确授权。示例中其余语句(如"servicemesh:*"以及ECS、VPC、SLB等相关Action)均以"Resource": "*"授权,授权后该RAM用户即可对账号内对应资源执行这些操作,请确认这与您的权限边界要求一致。
    {
        "Version": "1",
        "Statement": [
            {            
                "Action": "cs:Get*",            
                "Effect": "Allow",            
                "Resource": [                
                    "acs:cs:*:*:cluster/{某个集群ID或者*}"            
                ]        
            },
            {
                "Action": [
                    "servicemesh:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ecs:CreateSecurityGroup",
                    "ecs:CreateSecurityGroupPermissions",
                    "ecs:DeleteSecurityGroup",
                    "ecs:DescribeAccountAttributes",
                    "ecs:DescribeSecurityGroups",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:RevokeSecurityGroup",
                    "ecs:AuthorizeSecurityGroupEgress",
                    "ecs:JoinSecurityGroup",
                    "ecs:LeaveSecurityGroup",
                    "ecs:UnassociateEipAddress",
                    "ecs:ReleaseEipAddress",
                    "ecs:RevokeSecurityGroupEgress",
                    "ecs:DescribeInstances",
                    "ecs:DescribeNetworkInterfaces"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeEipAddresses",
                    "vpc:DescribeNetworkQuotas",
                    "vpc:AllocateEipAddress",
                    "vpc:AssociateEipAddress",
                    "vpc:UnassociateEipAddress",
                    "vpc:ReleaseEipAddress",
                    "vpc:DeletionProtection",
                    "vpc:DescribeVpcAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:DescribeLoadBalancerAttribute",
                    "slb:CreateLoadBalancer",
                    "slb:DeleteLoadBalancer",
                    "slb:RemoveBackendServers",
                    "slb:StartLoadBalancerListener",
                    "slb:StopLoadBalancerListener",
                    "slb:CreateLoadBalancerTCPListener",
                    "slb:AddBackendServers",
                    "slb:CreateVServerGroup",
                    "slb:CreateLoadBalancerHTTPSListener",
                    "slb:CreateLoadBalancerUDPListener",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:SetBackendServers",
                    "slb:AddVServerGroupBackendServers",
                    "slb:DeleteVServerGroup",
                    "slb:ModifyVServerGroupBackendServers",
                    "slb:CreateLoadBalancerHTTPListener",
                    "slb:RemoveVServerGroupBackendServers",
                    "slb:DeleteLoadBalancerListener",
                    "slb:AddTags",
                    "slb:RemoveTags",
                    "slb:SetLoadBalancerDeleteProtection"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "xtrace:GetToken",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cen:DescribeCenAttachedChildInstances",
                    "cen:DescribeCens"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:ListClusterFromGrafana",
                    "arms:GetPrometheusApiToken",
                    "arms:Get*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:GetProject"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  6. 编写完毕后,单击确定。
    返回权限策略管理页面,在搜索框中搜索策略名或备注,可以看到您自定义的授权策略。随后需要将该策略授予对应的RAM用户、用户组或RAM角色,策略才会生效;建议定期复查已授权的策略内容,及时收回不再需要的权限。