您可以为RAM用户进行授权,按需为RAM用户赋予不同的权限,仅具有权限的RAM用户才可以在ASM控制台上进行创建网格实例、更新服务网格功能配置等操作,避免因暴露阿里云账号密钥而造成安全风险。本文介绍如何为RAM用户进行RAM授权。

前提条件

  • 已创建RAM用户。具体操作,请参见创建RAM用户。本文以名为test的RAM用户为例。
  • 已了解授权策略语言的基本结构和语法。更多信息,请参见权限策略语法和结构

背景信息

RAM用户的使用场景不同,授予的权限也不同,具体区别如下:

授予RAM用户服务网格权限

  1. 使用具有RAM权限的账号登录RAM控制台
  2. 创建授予访问ASM实例的权限策略。
    1. 在左侧导航栏,选择权限管理 > 权限策略
    2. 权限策略页面,单击创建权限策略
    3. 新建自定义权限策略页面,填写策略名称,本文为ASMPolicy1,并设置配置模式脚本配置
    4. 在策略内容中编写您的授权策略内容,然后单击确定
      通过改变Statement中的Action字段,可以实现API的细粒度鉴权。本文以授予完全访问权限策略为例,完全访问权限策略包括服务网格的所有RAM权限,是服务网格的最高权限(等同于阿里云账号权限)。
      说明 除了完全访问权限策略,本文还列举了受限访问权限策略和只读权限策略,具体示例,请参见策略示例一:受限访问权限策略策略示例二:只读权限策略
      {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "servicemesh:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ims:ListUserBasicInfos",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:ListLogStores",
                "log:ListDashboard",
                "log:GetDashboard",
                "log:ListSavedSearch",
                "log:ListProject"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/audit-*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/istio-*"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "servicemesh.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
  3. 授予RAM用户权限策略。
    1. 在左侧导航栏选择身份管理 > 用户
    2. 用户页面单击test用户右侧操作列下的添加权限
    3. 添加权限对话框设置授权范围整个云账号,系统会自动填入当前的RAM用户为授权主体,在选择权限下单击自定义策略,然后输入创建的权限策略名称ASMPolicy1,单击ASMPolicy1,然后单击确定

策略示例一:受限访问权限策略

受限访问权限策略包括除RBAC授权之外的服务网格的所有RAM权限,拥有该权限的RAM用户不可以对其他用户进行RBAC授权,但拥有除此之外的其他所有权限。

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicemesh:Add*",
                "servicemesh:CRBatchDeletion",
                "servicemesh:Create*",
                "servicemesh:Delete*",
                "servicemesh:Describe*",
                "servicemesh:Enable*",
                "servicemesh:Disable*",
                "servicemesh:Get*",
                "servicemesh:InvokeApiServer",
                "servicemesh:List*",
                "servicemesh:Modify*",
                "servicemesh:Re*",
                "servicemesh:Run*",
                "servicemesh:Set*",
                "servicemesh:Sync*",
                "servicemesh:Update*",
                "servicemesh:Upgrade*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:ListLogStores",
                "log:ListDashboard",
                "log:GetDashboard",
                "log:ListSavedSearch",  
                "log:ListProject"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/audit-*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/istio-*"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "servicemesh.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

策略示例二:只读权限策略

只读权限策略仅包含查看服务网格状态等只读接口权限,无法对服务网格进行变更操作。
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicemesh:List*",
                "servicemesh:Describe*",
                "servicemesh:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:ListLogStores",
                "log:ListDashboard",
                "log:GetDashboard",
                "log:ListSavedSearch"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/audit-*"
        },
        {
            "Effect": "Allow",
            "Action": "log:GetLogStoreLogs",
            "Resource": "acs:log:*:*:project/*/logstore/istio-*"
        }
    ],
    "Version": "1"
}