本文介绍如何自定义RAM授权策略。

前提条件

已了解授权策略语言的基本结构和语法,相详情请参见权限策略语法和结构

操作步骤

  1. 使用具有RAM权限的账号登录RAM控制台
  2. 在左侧导航栏,选择权限管理 > 权限策略管理
  3. 权限策略管理页面,单击创建授权策略
  4. 新建自定义权限策略页面,填写策略名称,并在配置模式区域选择脚本配置
  5. 在策略内容中编写您的授权策略内容。
    注意 因为在网格实例中需要增加或者移除ACK集群,所以需要对这些管理的集群设置相应的权限。在以下示例中,可以通过在"Action": "cs:Get*"/"Effect": "Allow"对应的Resource中设置为"acs:cs:*:*:cluster/{某个集群ID}",也可以设置为"acs:cs:*:*:cluster/*"(即代表所有的ACK集群)。 
    {
    "Version": "1",
    "Statement": [
        {            
            "Action": "cs:Get*",            
            "Effect": "Allow",            
            "Resource": [                
                "acs:cs:*:*:cluster/{某个集群ID或者*}"            
            ]        
        },
        {
            "Action": [
                "servicemesh:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:CreateSecurityGroupPermissions",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeAccountAttributes",
                "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:UnassociateEipAddress",
                "ecs:ReleaseEipAddress",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DescribeInstances",
                "ecs:DescribeNetworkInterfaces"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeEipAddresses",
                "vpc:DescribeNetworkQuotas",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:ReleaseEipAddress",
                "vpc:DeletionProtection",
                "vpc:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:DescribeLoadBalancerAttribute",
                "slb:CreateLoadBalancer",
                "slb:DeleteLoadBalancer",
                "slb:RemoveBackendServers",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:CreateLoadBalancerTCPListener",
                "slb:AddBackendServers",
                "slb:CreateVServerGroup",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:CreateLoadBalancerUDPListener",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:SetBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:DeleteVServerGroup",
                "slb:ModifyVServerGroupBackendServers",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DeleteLoadBalancerListener",
                "slb:AddTags",
                "slb:RemoveTags",
                "slb:SetLoadBalancerDeleteProtection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "xtrace:GetToken",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCens"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "arms:ListClusterFromGrafana",
                "arms:GetPrometheusApiToken",
                "arms:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:GetProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
  6. 编写完毕后,单击确定
    返回权限策略管理页面,在搜索框中搜索策略名或备注,可以看到您自定义的授权策略。