A RAM user is a virtual identity. You can attach different RAM policies to a RAM user to raise or lower its permission level, which gives you safer and more controllable access and reduces the risk that the AccessKey pair of your Alibaba Cloud account is leaked. This topic describes the authorization steps and gives sample RAM policies for Cloud Assistant.
Background information
Procedure
Cloud Assistant administrator permissions (read and write)
After you grant the following permissions, the RAM user has all query and operation permissions on the Cloud Assistant API.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTag*",
        "ecs:*Command",
        "ecs:DescribeCommand*",
        "ecs:DescribeInvocation*",
        "ecs:StopInvocation",
        "ecs:*CloudAssistant*",
        "ecs:SendFile",
        "ecs:DescribeSendFileResults",
        "ecs:*ManagedInstance",
        "ecs:DescribeManagedInstances",
        "ecs:*Activation",
        "ecs:DescribeActivations"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*",
        "acs:ecs:*:*:activation/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "archiving.ecs.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings",
        "ecs:UpdateServiceSettings"
      ],
      "Resource": [
        "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
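Before attaching a policy as broad as the administrator policy above, a reviewer usually wants to know exactly what each wildcard pattern grants and which statements carry an unscoped "*" resource. The following script is an added example, not Alibaba Cloud's documentation or tooling: it reviews a constructed policy (loosely modelled on the administrator policy) for wildcard actions, "*" resources with and without a Condition, and ARNs whose region segment is "*", and expands wildcard action patterns against the Cloud Assistant action names listed on this page. Case-insensitive glob matching is an assumption of the example.

```python
"""Least-privilege review of a RAM policy document before attaching it.

Added example, not part of Alibaba Cloud's documentation or tooling. It
scans each statement for the things a reviewer checks by hand: wildcard
action patterns (and what they expand to), "*" resources with no
Condition, and ARNs whose region segment is "*". The policy below is
constructed; KNOWN_ACTIONS lists only the Cloud Assistant actions named
on this page.
"""
import fnmatch
import json

# Constructed policy for the demonstration.
POLICY_JSON = '''
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeInstances", "ecs:*Command", "ecs:*Activation"],
      "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ram:CreateServiceLinkedRole"],
      "Resource": "*",
      "Condition": {"StringEquals": {"ram:ServiceName": ["archiving.ecs.aliyuncs.com"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListBuckets"],
      "Resource": "*"
    }
  ]
}
'''

# Cloud Assistant actions named on this page, used to expand wildcard patterns.
KNOWN_ACTIONS = (
    "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus", "ecs:InstallCloudAssistant",
    "ecs:DescribeCommands", "ecs:CreateCommand", "ecs:ModifyCommand", "ecs:DeleteCommand",
    "ecs:InvokeCommand", "ecs:RunCommand", "ecs:DescribeInvocations", "ecs:StopInvocation",
    "ecs:SendFile", "ecs:DescribeSendFileResults",
    "ecs:ListServiceSettings", "ecs:UpdateServiceSettings",
    "ecs:DeregisterManagedInstance", "ecs:DescribeManagedInstances",
    "ecs:CreateActivation", "ecs:DisableActivation", "ecs:DescribeActivations", "ecs:DeleteActivation",
)


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(patterns) -> list:
    """Known actions granted by a list of Action patterns. Case-insensitive
    '*'/'?' glob matching is an assumption of this example."""
    granted = {a for a in KNOWN_ACTIONS
               for p in patterns if fnmatch.fnmatchcase(a.lower(), p.lower())}
    return sorted(granted)


def review_policy(policy: dict) -> list:
    """Return (statement_index, finding, value) tuples for a reviewer to look at."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        has_condition = bool(stmt.get("Condition"))
        for action in _as_list(stmt["Action"]):
            if "*" in action or "?" in action:
                findings.append((idx, "wildcard-action", action))
        for res in _as_list(stmt["Resource"]):
            if res == "*":
                kind = "star-resource-with-condition" if has_condition else "unscoped-resource"
                findings.append((idx, kind, res))
                continue
            parts = res.split(":")  # acs:<service>:<region>:<account>:<resource>
            if len(parts) >= 5 and parts[2] == "*":
                findings.append((idx, "any-region", res))
    return findings


POLICY = json.loads(POLICY_JSON)
FINDINGS = review_policy(POLICY)

if __name__ == "__main__":
    for idx, kind, value in FINDINGS:
        extra = ""
        if kind == "wildcard-action":
            extra = " -> " + ", ".join(expand_actions([value]))
        print(f"statement {idx}: {kind}: {value}{extra}")
```

Running the script shows, for instance, that "ecs:*Command" covers CreateCommand, DeleteCommand, InvokeCommand, ModifyCommand and RunCommand but not DescribeCommands (which the page's policies cover separately with "ecs:DescribeCommand*"), and that the "*" resource on ram:CreateServiceLinkedRole is acceptable only because the Condition pins it to one service name.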
Cloud Assistant viewer permissions (read-only)
After you grant the following permissions, the RAM user has all query permissions on the Cloud Assistant API.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTag*",
        "ecs:DescribeCommand*",
        "ecs:DescribeInvocation*",
        "ecs:DescribeCloudAssistant*",
        "ecs:DescribeSendFileResults",
        "ecs:DescribeManagedInstances",
        "ecs:DescribeActivations"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*",
        "acs:ecs:*:*:activation/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings"
      ],
      "Resource": [
        "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
Restrict Cloud Assistant to a region
You can limit the regions in which a RAM user may act by putting a region ID in the region segment of each Resource ARN in the policy. The following example allows the RAM user to use Cloud Assistant only in the China (Hangzhou) region (cn-hangzhou).
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTag*",
        "ecs:*Command",
        "ecs:DescribeCommand*",
        "ecs:DescribeInvocation*",
        "ecs:StopInvocation",
        "ecs:*CloudAssistant*",
        "ecs:SendFile",
        "ecs:DescribeSendFileResults",
        "ecs:*ManagedInstance",
        "ecs:DescribeManagedInstances",
        "ecs:*Activation",
        "ecs:DescribeActivations"
      ],
      "Resource": [
        "acs:ecs:cn-hangzhou:*:instance/*",
        "acs:ecs:cn-hangzhou:*:command/*",
        "acs:ecs:cn-hangzhou:*:activation/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "archiving.ecs.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings",
        "ecs:UpdateServiceSettings"
      ],
      "Resource": [
        "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
Query the installation status of the Cloud Assistant Agent
Related API: DescribeCloudAssistantStatus
- After you grant the following permissions, the RAM user can query the Cloud Assistant Agent installation status of all ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can query the Cloud Assistant Agent installation status of only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx000a",
        "acs:ecs:*:*:instance/i-instancexxx000b"
      ]
    }
  ]
}
Install the Cloud Assistant Agent
Related API: InstallCloudAssistant
- After you grant the following permissions, the RAM user can install the Cloud Assistant Agent on any ECS instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InstallCloudAssistant"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can install the Cloud Assistant Agent on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InstallCloudAssistant"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
View Cloud Assistant commands
Related API: DescribeCommands
- After you grant the following permissions, the RAM user can view all Cloud Assistant commands.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeCommands"
      ],
      "Resource": [
        "acs:ecs:*:*:command/*"
      ]
    }
  ]
}
- If you list command IDs in the Resource element, the RAM user can view only the specified commands.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeCommands"
      ],
      "Resource": [
        "acs:ecs:*:*:command/c-commandxxx000a",
        "acs:ecs:*:*:command/c-commandxxx000b"
      ]
    }
  ]
}
Delete Cloud Assistant commands
Related API: DeleteCommand
- After you grant the following permissions, the RAM user can delete any Cloud Assistant command.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/*"
      ]
    }
  ]
}
- If you list command IDs in the Resource element, the RAM user can delete only the specified commands.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/c-commandxxx000a",
        "acs:ecs:*:*:command/c-commandxxx000b"
      ]
    }
  ]
}
Create Cloud Assistant commands
Related API: CreateCommand
A RAM user needs at least the following permissions to create Cloud Assistant commands.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/*"
      ]
    }
  ]
}
Modify Cloud Assistant commands
Related API: ModifyCommand
- After you grant the following permissions, the RAM user can modify any Cloud Assistant command.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ModifyCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/*"
      ]
    }
  ]
}
- If you list command IDs in the Resource element, the RAM user can modify only the specified commands.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ModifyCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/c-commandxxx000a",
        "acs:ecs:*:*:command/c-commandxxx000b"
      ]
    }
  ]
}
Run commands
Related API: InvokeCommand
- After you grant the following permissions, the RAM user can run commands on any instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/*",
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can run Cloud Assistant commands on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/*",
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
- If you list command IDs in the Resource element, the RAM user can run only the specified commands on ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:command/c-commandxxx00a",
        "acs:ecs:*:*:command/c-commandxxx00b",
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list both command IDs and instance IDs in the Resource element, the RAM user can run only the specified commands on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b",
        "acs:ecs:*:*:command/c-commandxxx00a",
        "acs:ecs:*:*:command/c-commandxxx00b"
      ]
    }
  ]
}
Run a command immediately
Related API: RunCommand
If the call sets KeepCommand=true, the Resource list must also contain the line "acs:ecs:*:*:command/*".
- After you grant the following permissions, the RAM user can run commands immediately on any instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can run Cloud Assistant commands immediately on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
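The region-restricted policy, the InvokeCommand policies that scope both the command and the instances, and the KeepCommand note above all rely on the same mechanism: a call is allowed only if every ARN it touches matches a Resource pattern in an Allow statement. The following script is an added example, not Alibaba Cloud's policy engine: it implements only the semantics visible on this page (Allow/Deny statements, "*" and "?" wildcards in Action and Resource, the region and resource-ID segments of an ARN) and ignores Condition elements, so a candidate policy can be checked against sample requests before it is attached to a RAM user. The policy, account ID, command IDs and instance IDs are constructed, and case-insensitive matching is an assumption of the example.

```python
"""Offline evaluation of Alibaba Cloud RAM policy documents.

Added example, not Alibaba Cloud's own policy engine: it implements only
the semantics visible on this page (Allow/Deny statements, '*' and '?'
wildcards in Action and Resource, the region and resource-ID segments of
an ARN) and ignores Condition elements. The policy, account ID and
resource IDs below are constructed for the demonstration.
"""
import copy
import fnmatch
import json

# Constructed policy modelled on the region-restricted policy on this page:
# command operations are limited to cn-hangzhou and InvokeCommand may run only
# the single command c-cmd00a. Note that no command/* resource is granted.
POLICY_JSON = '''
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:DescribeInvocation*"
      ],
      "Resource": [
        "acs:ecs:cn-hangzhou:*:instance/*",
        "acs:ecs:cn-hangzhou:*:command/c-cmd00a"
      ]
    }
  ]
}
'''

ACCOUNT = "123456789012"  # constructed account ID


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """RAM-style wildcard match: '*' matches any run of characters, '?' one.
    Case-insensitive comparison is an assumption of this example."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    return (any(_matches(p, action) for p in _as_list(stmt["Action"]))
            and any(_matches(p, resource) for p in _as_list(stmt["Resource"])))


def is_allowed(policy: dict, action: str, resources: list) -> bool:
    """Every resource the call touches must be covered by an Allow statement
    that also matches the action, and no Deny statement may match any of them.
    InvokeCommand, for example, touches a command and the target instances."""
    stmts = policy["Statement"]
    for res in resources:
        if any(s["Effect"] == "Deny" and _statement_matches(s, action, res) for s in stmts):
            return False
        if not any(s["Effect"] == "Allow" and _statement_matches(s, action, res) for s in stmts):
            return False
    return True


def arn(region: str, kind: str, resource_id: str, account: str = ACCOUNT) -> str:
    """Build an ECS ARN in the acs:ecs:<region>:<account>:<type>/<id> layout used on this page."""
    return f"acs:ecs:{region}:{account}:{kind}/{resource_id}"


def run_command_resources(region: str, instance_ids: list, keep_command: bool) -> list:
    """Resources a RunCommand call touches: the target instances and, when
    KeepCommand=true, the command the API creates. Its ID is assigned by the
    service (placeholder here), so only a policy granting command/* can cover it."""
    resources = [arn(region, "instance", i) for i in instance_ids]
    if keep_command:
        resources.append(arn(region, "command", "c-newly-created"))
    return resources


def with_extra_resource(policy: dict, statement_index: int, resource_arn: str) -> dict:
    """Return a copy of the policy with one more Resource entry in the given statement."""
    fixed = copy.deepcopy(policy)
    stmt = fixed["Statement"][statement_index]
    stmt["Resource"] = _as_list(stmt["Resource"]) + [resource_arn]
    return fixed


POLICY = json.loads(POLICY_JSON)
# The page's remedy for KeepCommand=true: grant the command/* resource as well.
POLICY_WITH_COMMANDS = with_extra_resource(POLICY, 0, "acs:ecs:cn-hangzhou:*:command/*")

if __name__ == "__main__":
    hz = [arn("cn-hangzhou", "command", "c-cmd00a"), arn("cn-hangzhou", "instance", "i-inst00a")]
    bj = [arn("cn-beijing", "command", "c-cmd00a"), arn("cn-beijing", "instance", "i-inst00a")]
    print("InvokeCommand c-cmd00a on i-inst00a in cn-hangzhou:", is_allowed(POLICY, "ecs:InvokeCommand", hz))
    print("Same call in cn-beijing:", is_allowed(POLICY, "ecs:InvokeCommand", bj))
    print("RunCommand with KeepCommand=true, original policy:",
          is_allowed(POLICY, "ecs:RunCommand", run_command_resources("cn-hangzhou", ["i-inst00a"], True)))
    print("RunCommand with KeepCommand=true, command/* granted:",
          is_allowed(POLICY_WITH_COMMANDS, "ecs:RunCommand", run_command_resources("cn-hangzhou", ["i-inst00a"], True)))
```

The evaluator treats a multi-resource call as allowed only when each ARN is individually matched, which is why the InvokeCommand sample in cn-beijing is refused by the region pin and why RunCommand with KeepCommand=true fails until the command/* line is added, exactly as the note above states.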
Query command execution results
Related API: DescribeInvocations
- After you grant the following permissions, the RAM user can query command execution results on any instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can query command execution results on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b",
        "acs:ecs:*:*:command/*"
      ]
    }
  ]
}
- If you list command IDs in the Resource element, the RAM user can query the execution results of only the specified commands on ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/c-commandxxx00a",
        "acs:ecs:*:*:command/c-commandxxx00b"
      ]
    }
  ]
}
- If you list both command IDs and instance IDs in the Resource element, the RAM user can query the execution results of only the specified commands on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b",
        "acs:ecs:*:*:command/c-commandxxx00a",
        "acs:ecs:*:*:command/c-commandxxx00b"
      ]
    }
  ]
}
Stop a command execution
Related API: StopInvocation
- After you grant the following permissions, the RAM user can stop Cloud Assistant command processes that are in the Running state on any instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StopInvocation"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can stop Cloud Assistant command processes that are in the Running state on only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StopInvocation"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
Upload local files
Related API: SendFile
- After you grant the following permissions, the RAM user can upload local files to any ECS instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:SendFile"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can upload local files to only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:SendFile"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
Query file upload results
Related API: DescribeSendFileResults
- After you grant the following permissions, the RAM user can query the file upload results of any instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeSendFileResults"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can query the file upload results of only the specified ECS instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeSendFileResults"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
Query and modify the configuration of O&M task execution record delivery
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings",
        "ecs:UpdateServiceSettings"
      ],
      "Resource": [
        "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
Query the configuration of O&M task execution record delivery
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings"
      ],
      "Resource": [
        "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
Restrict O&M task execution record delivery settings to a region
- After you grant the following permissions, the RAM user can query and modify the configuration of O&M task execution record delivery only in the China (Hangzhou) region.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings",
        "ecs:UpdateServiceSettings"
      ],
      "Resource": [
        "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
- After you grant the following permissions, the RAM user can query the configuration of O&M task execution record delivery only in the China (Hangzhou) region.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceSettings"
      ],
      "Resource": [
        "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
      ]
    }
  ]
}
Query OSS buckets
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "*"
    }
  ]
}
After O&M task execution records are delivered to OSS, you also need to understand the OSS access control rules before you can query and analyze them. For more information, see "Overview of OSS RAM policies" and "Common examples of OSS RAM policies".
Query SLS projects and Logstores
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:ListProject",
        "log:ListLogStores"
      ],
      "Resource": "*"
    }
  ]
}
After O&M task execution records are delivered to SLS, you also need to understand the SLS access control rules before you can query and analyze them. For more information, see "Overview of SLS authorization rules".
Deregister managed instances
- After you grant the following permissions, the RAM user can deregister any managed instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeregisterManagedInstance"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can deregister only the specified managed instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeregisterManagedInstance"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
Query managed instances
Related API: DescribeManagedInstances
- After you grant the following permissions, the RAM user can query the information of any managed instance.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeManagedInstances"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    }
  ]
}
- If you list instance IDs in the Resource element, the RAM user can query the information of only the specified managed instances.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeManagedInstances"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/i-instancexxx00a",
        "acs:ecs:*:*:instance/i-instancexxx00b"
      ]
    }
  ]
}
Create activation codes for managed instances
Related API: CreateActivation
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateActivation"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*"
      ]
    }
  ]
}
Disable activation codes for managed instances
Related API: DisableActivation
- After you grant the following permissions, the RAM user can disable any managed instance activation code in the Alibaba Cloud account.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DisableActivation"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*"
      ]
    }
  ]
}
- If you list activation code IDs in the Resource element, the RAM user can disable only the specified managed instance activation codes.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DisableActivation"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*****-*****A",
        "acs:ecs:*:*:activation/*****-*****B"
      ]
    }
  ]
}
Query activation codes for managed instances
Related API: DescribeActivations
- After you grant the following permissions, the RAM user can query the created managed instance activation codes and how they have been used.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeActivations"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*"
      ]
    }
  ]
}
- If you list activation code IDs in the Resource element, the RAM user can query only the specified managed instance activation codes and how they have been used.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeActivations"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*****-*****A",
        "acs:ecs:*:*:activation/*****-*****B"
      ]
    }
  ]
}
Delete activation codes for managed instances
Related API: DeleteActivation
- After you grant the following permissions, the RAM user can delete any unused managed instance activation code.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteActivation"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*"
      ]
    }
  ]
}
- If you list activation code IDs in the Resource element, the RAM user can delete only the specified unused managed instance activation codes.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteActivation"
      ],
      "Resource": [
        "acs:ecs:*:*:activation/*****-*****A",
        "acs:ecs:*:*:activation/*****-*****B"
      ]
    }
  ]
}