This topic describes how to create a custom RAM policy for Alibaba Cloud Service Mesh (ASM).

Prerequisites

You are familiar with the basic structure and syntax of the policy language. For more information, see Policy syntax and structure.

Procedure

  1. Log on to the RAM console with an account that has RAM permissions.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. Grant the permissions required to access ASM instances.
    1. On the Policies page, click Create Policy.
    2. On the Create Custom Policy page, enter a policy name (for example, ASMPolicy1) and select Script in the Configuration Mode section.
    3. In the Policy Document field, enter the following policy content and click OK. The first statement grants full control over all ASM instances (servicemesh:* on every resource); the remaining statements grant the ECS, VPC, SLB, Tracing Analysis (xtrace), CEN, ARMS and Log Service actions that ASM needs when it manages the resources behind a mesh. Review each Resource field and narrow it to specific resources where the service supports resource-level authorization, rather than leaving it as "*".
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "servicemesh:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "ecs:CreateSecurityGroup",
                      "ecs:CreateSecurityGroupPermissions",
                      "ecs:DeleteSecurityGroup",
                      "ecs:DescribeAccountAttributes",
                      "ecs:DescribeSecurityGroups",
                      "ecs:AuthorizeSecurityGroup",
                      "ecs:RevokeSecurityGroup",
                      "ecs:AuthorizeSecurityGroupEgress",
                      "ecs:JoinSecurityGroup",
                      "ecs:LeaveSecurityGroup",
                      "ecs:UnassociateEipAddress",
                      "ecs:ReleaseEipAddress",
                      "ecs:RevokeSecurityGroupEgress",
                      "ecs:DescribeInstances",
                      "ecs:DescribeNetworkInterfaces"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "vpc:DescribeVpcs",
                      "vpc:DescribeVSwitches",
                      "vpc:DescribeEipAddresses",
                      "vpc:DescribeNetworkQuotas",
                      "vpc:AllocateEipAddress",
                      "vpc:AssociateEipAddress",
                      "vpc:UnassociateEipAddress",
                      "vpc:ReleaseEipAddress",
                      "vpc:DeletionProtection",
                      "vpc:DescribeVpcAttribute"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "slb:DescribeLoadBalancerAttribute",
                      "slb:CreateLoadBalancer",
                      "slb:DeleteLoadBalancer",
                      "slb:RemoveBackendServers",
                      "slb:StartLoadBalancerListener",
                      "slb:StopLoadBalancerListener",
                      "slb:CreateLoadBalancerTCPListener",
                      "slb:AddBackendServers",
                      "slb:CreateVServerGroup",
                      "slb:CreateLoadBalancerHTTPSListener",
                      "slb:CreateLoadBalancerUDPListener",
                      "slb:ModifyLoadBalancerInternetSpec",
                      "slb:SetBackendServers",
                      "slb:AddVServerGroupBackendServers",
                      "slb:DeleteVServerGroup",
                      "slb:ModifyVServerGroupBackendServers",
                      "slb:CreateLoadBalancerHTTPListener",
                      "slb:RemoveVServerGroupBackendServers",
                      "slb:DeleteLoadBalancerListener",
                      "slb:AddTags",
                      "slb:RemoveTags",
                      "slb:SetLoadBalancerDeleteProtection"
                  ],
                  "Resource": [
                      "*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": "xtrace:GetToken",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "cen:DescribeCenAttachedChildInstances",
                      "cen:DescribeCens"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "arms:ListClusterFromGrafana",
                      "arms:GetPrometheusApiToken",
                      "arms:Get*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "log:GetProject"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
  4. Grant permissions on the clusters in the mesh instance.
    1. On the Policies page, click Create Policy again.
    2. On the Create Custom Policy page, enter a policy name (for example, ASMPolicy2) and select Script in the Configuration Mode section.
    3. In the Policy Document field, enter the policy content.
      Note: Because ACK clusters are added to and removed from the mesh instance, you must grant permissions on the clusters that are to be managed. In the following example, the Resource of the statement with "Action": "cs:Get*" and "Effect": "Allow" is set to "acs:cs:*:*:cluster/{cluster ID}" so that it covers only that cluster. You can also set it to "acs:cs:*:*:cluster/*", which covers all ACK clusters in the account; prefer listing the specific cluster IDs the mesh actually manages.
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "cs:Get*",
                  "Effect": "Allow",
                  "Resource": [
                      "acs:cs:*:*:cluster/{cluster ID or *}"
                  ]
              }
          ]
      }
    4. When you are done, click OK.
      You are returned to the Policies page. Search for the policy name or description in the search box to find your custom policy. A policy document with a JSON syntax error, such as a trailing comma after the last statement, is rejected by the console and must be corrected before it can be saved.
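The two policies above are only checked when the console saves them. As an added example (not Alibaba Cloud's code and not part of the ASM documentation), the following Python script models RAM's core evaluation rule (an explicit Deny wins, otherwise any matching Allow wins, otherwise the request is implicitly denied) over the cluster-scoped ASMPolicy2 statement, shows why the trailing-comma mistake fails to parse, and lints ASMPolicy1's servicemesh:* grant on Resource "*". The cluster ID, the region and the account ID in the sample requests are made up, and the model deliberately ignores Condition, NotAction and Principal and matches names case-sensitively; those are simplifications assumed by this example, not statements about the real RAM engine.

```python
"""Offline checker for Alibaba Cloud RAM policy documents (added example).

Simplified model of RAM evaluation: an explicit Deny wins, otherwise any
matching Allow wins, otherwise the request is implicitly denied. Condition,
NotAction and Principal are ignored and matching is case-sensitive; both are
simplifications assumed here, not a description of the real RAM engine.
"""
import json
import re
from typing import Any, Dict, List, Optional, Union

# Constructed sample: the step-4 cluster policy with a made-up cluster ID in
# place of the "{cluster ID or *}" placeholder.
CLUSTER_ID = "c0123456789abcdef0123456789abcde"
ASM_POLICY2 = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "cs:Get*", "Effect": "Allow",
         "Resource": [f"acs:cs:*:*:cluster/{CLUSTER_ID}"]}
    ],
}, indent=4)

# Constructed sample: the same text with a trailing comma after the last
# statement, the mistake the console rejects as invalid JSON.
BROKEN_POLICY = ASM_POLICY2.replace("}\n    ]", "},\n    ]")

# Constructed sample: the first statement of ASMPolicy1, a full-service grant.
SERVICEMESH_ADMIN = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["servicemesh:*"], "Resource": "*", "Effect": "Allow"}
    ],
})


def syntax_error(text: str) -> Optional[str]:
    """Return a readable message if the text is not valid JSON, else None."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"line {exc.lineno}, column {exc.colno}: {exc.msg}"
    return None


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse a policy document that has already passed syntax_error()."""
    return json.loads(text)


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """RAM allows Action and Resource to be a string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _match(pattern: str, value: str) -> bool:
    """Wildcard match where only '*' is special (any run of characters)."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def evaluate(policy: Dict[str, Any], action: str, resource: str) -> str:
    """Decide one (action, resource) request: 'Allow' or 'Deny'."""
    decision = "Deny"  # implicit deny until a statement matches
    for stmt in policy["Statement"]:
        if not any(_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def lint(policy: Dict[str, Any]) -> List[str]:
    """Flag structural mistakes and Allow grants wider than least privilege."""
    findings: List[str] = []
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        missing = {"Action", "Effect", "Resource"} - set(stmt)
        if missing:
            findings.append(f"statement {i}: missing {sorted(missing)}")
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
            continue
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            for act in _as_list(stmt["Action"]):
                if act.endswith("*"):
                    findings.append(
                        f"statement {i}: {act} on Resource *, i.e. full control of "
                        "every resource it covers; scope Resource to specific ARNs "
                        "where the service supports resource-level authorization"
                    )
    return findings


if __name__ == "__main__":
    policy = parse_policy(ASM_POLICY2)
    # Made-up region and account ID; only the cluster ID has to match the policy.
    target = f"acs:cs:cn-hangzhou:123456789012:cluster/{CLUSTER_ID}"
    print(evaluate(policy, "cs:GetClusters", target))                          # Allow
    print(evaluate(policy, "cs:GetClusters", target.replace(CLUSTER_ID, "x")))  # Deny
    print(evaluate(policy, "cs:DeleteCluster", target))                        # Deny
    print(syntax_error(BROKEN_POLICY))
    print(lint(parse_policy(SERVICEMESH_ADMIN)))
```

Run the script as-is to see the three decisions, the parse error for the trailing comma, and the lint finding. To check a policy of your own, paste its text into syntax_error() first, then feed the parsed document to evaluate() with the exact action names and ARNs your workload will use; a request that comes back "Deny" for a cluster you expect ASM to manage means the Resource pattern is too narrow, while an empty lint() result on a policy full of "*" resources only means the services involved were not granted with a wildcard action.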