Control access permissions using a RAM policy


This tutorial describes how to use a RAM policy to control user access to the IVPD service.


I. Procedure

  1. Go to the Resource Access Management (RAM) console.

  2. Go to Access Policies and create an authorization policy. You can configure granular access control using conditions such as IP CIDR blocks, time, multi-factor authentication (MFA), Secure Transport, and Security Token Service (STS) roles.

  3. Go to Users, create a user, and then attach the access policy.

II. Policy

1. Full permissions

Grants full access permissions to IVPD.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ivpd:*",
            "Resource": "acs:ivpd:*:*:*"
        }
    ],
    "Version": "1"
}

2. Authorization with IP and SSL restrictions

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ivpd:*",
            "Resource": "acs:ivpd:*:*:*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "42.120.xx.xx/24"
                },
                "Bool": {
                    "acs:SecureTransport": "true"
                }
            }
        }
    ],
    "Version": "1"
}

This policy grants access to all resources only when the following two conditions are met:

  • The RAM user's current IP address is in the 42.120.xx.xx/24 CIDR block.

  • The RAM user is using HTTPS to access the Alibaba Cloud Management Console or an OpenAPI.

3. Time restriction

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ivpd:*",
            "Resource": "acs:ivpd:*:*:*",
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
                }
            }
        }
    ],
    "Version": "1"
}

This policy grants full access permissions to IVPD before 12:30 PM on September 25, 2019 (UTC+8).

4. MFA

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ivpd:*",
            "Resource": "acs:ivpd:*:*:*",
            "Condition": {
                "Bool": {
                    "acs:MFAPresent": "true"
                }
            }
        }
    ],
    "Version": "1"
}

If a RAM user is granted only this policy, they have permissions to IVPD only after they enable and log on with MFA. The user's AccessKey (AK) alone does not grant the required permissions. To obtain access, the user must call the STS with their AK and the correct six-digit MFA code. This call returns a temporary AK that expires in 15 minutes. Only this temporary AK has the required permissions.
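The following Python script is an added example, not Alibaba Cloud's code and not the RAM service's real evaluator. It models how the conditional policies in sections 2, 3 and 4 above are checked against a request context: every operator and key under Condition must hold, an explicit Deny overrides Allow, and anything not explicitly allowed is denied. Only the three operators used on this page (IpAddress, Bool, DateLessThan) are modelled. The CIDR 192.0.2.0/24 replaces the page's placeholder 42.120.xx.xx/24, and the action name ivpd:ExampleAction and the sample resource ARN are constructed for illustration. A context with no acs:MFAPresent key shows why a plain AccessKey request fails the MFA policy until STS has issued the temporary credential.

```python
# Added example (not Alibaba Cloud's code): toy evaluator for the RAM policy
# conditions shown on this page (IpAddress, Bool, DateLessThan).
import ipaddress
from datetime import datetime

# Constructed sample resource; the region, account id and path are made up.
SAMPLE_RESOURCE = "acs:ivpd:cn-shanghai:123456789012:image/demo"

# Policies from the page; the placeholder CIDR is replaced by the
# documentation range 192.0.2.0/24 so the example can be executed.
IP_SSL_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": "ivpd:*", "Resource": "acs:ivpd:*:*:*",
        "Condition": {
            "IpAddress": {"acs:SourceIp": "192.0.2.0/24"},
            "Bool": {"acs:SecureTransport": "true"},
        },
    }],
}
TIME_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": "ivpd:*", "Resource": "acs:ivpd:*:*:*",
        "Condition": {"DateLessThan": {"acs:CurrentTime": "2019-09-25T12:30:00+08:00"}},
    }],
}
MFA_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": "ivpd:*", "Resource": "acs:ivpd:*:*:*",
        "Condition": {"Bool": {"acs:MFAPresent": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # A trailing '*' matches any suffix, so "ivpd:*" covers every ivpd action.
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action


def _match_resource(pattern, resource):
    # Compare the five ARN segments acs:service:region:account:relative-id;
    # a '*' segment in the pattern matches the whole request segment.
    p, r = pattern.split(":", 4), resource.split(":", 4)
    return len(p) == len(r) and all(x == "*" or x == y for x, y in zip(p, r))


def _condition_holds(operator, key, expected, ctx):
    # A condition key that is absent from the request context never matches
    # (this is what denies an AK-only request under the MFA policy).
    if key not in ctx:
        return False
    actual = ctx[key]
    for exp in _as_list(expected):  # a list of values means "any of these"
        if operator == "IpAddress":
            if ipaddress.ip_address(actual) in ipaddress.ip_network(exp, strict=False):
                return True
        elif operator == "Bool":
            if str(actual).lower() == str(exp).lower():
                return True
        elif operator == "DateLessThan":
            if datetime.fromisoformat(actual) < datetime.fromisoformat(exp):
                return True
        else:
            raise ValueError(f"operator {operator} is not modelled in this example")
    return False


def _statement_matches(stmt, action, resource, ctx):
    if not any(_match_action(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_match_resource(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator and every key inside Condition is ANDed together.
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_holds(operator, key, expected, ctx):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; a matching Deny statement overrides any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed request: an ivpd action over HTTPS from inside the allowed block.
    ctx = {"acs:SourceIp": "192.0.2.10", "acs:SecureTransport": True}
    print(is_allowed(IP_SSL_POLICY, "ivpd:ExampleAction", SAMPLE_RESOURCE, ctx))
```

Swap the contexts in the `__main__` block (an IP outside the CIDR, a plain-HTTP request, a timestamp after the cut-off, or a context without acs:MFAPresent) to see each policy fall back to deny.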

5. Switching to a RAM role in the console (STS)

An STS token is a temporary credential used for cross-account and cross-service resource access.

An STS token consists of the following three parts:

  • AccessKeyId

  • AccessKeySecret

  • SecurityToken

Procedure:

  1. In the RAM console, create a RAM role for your Alibaba Cloud account. Grant permissions to the role, such as administrative permissions for the product or the AdministratorAccess policy.

  2. Create a RAM user and attach the AliyunSTSAssumeRoleAccess policy to the user.

  3. The RAM user logs on to the console and switches roles. The user enters the role name from Step 1 and the enterprise alias. If an enterprise alias is not set, the user enters the Alibaba Cloud account ID.

  4. After switching to the role, enter the URL of the product console in the browser.

  5. Use the product in the console.