Grant permissions to a RAM user to manage ECI-Elastic Container Instance(ECI)-阿里云帮助中心

By default, you can use your Alibaba Cloud account to fully manage its ECI resources. However, you must grant permissions to a RAM user before they can manage ECI resources. This topic describes how to grant these permissions.

Prerequisites

You have created a RAM user. For more information, see Create a RAM user.

Permissions

ECI provides the following policies.

Policy	Description
AliyunECIReadOnlyAccess	Grants read-only access to ECI resources. This system policy includes the following permissions: `eci:Describe`: Lists ECI-related resources. `eci:List`: Lists ECI-related resources. `ecs:DescribeSecurityGroups`: Lists security groups. `vpc:DescribeVSwitches`: Lists vSwitches. `vpc:DescribeVpcs`: Lists Virtual Private Clouds (VPCs).
AliyunECIFullAccess	Grants full access to manage ECI resources. This system policy includes the following permissions: `eci:*`: All operations on ECI-related resources. `ecs:DescribeSecurityGroups`: Lists security groups. `vpc:DescribeVSwitches`: Lists vSwitches. `vpc:DescribeVpcs`: Lists VPCs. `vpc:DescribeEipAddresses`: Lists Elastic IP addresses (EIPs).
Additional permissions for console operations	To use the ECI console, you must also grant the following permissions in addition to the AliyunECIFullAccess policy: `ram:ListRoles`: Lists RAM roles for instances. `nas:DescribeFileSystems`: Lists NAS file systems. `oss:ListBuckets`: Lists OSS buckets. `vpc:DescribeCommonBandwidthPackages`: Lists EIP bandwidth plans. `cr:GetRepoList`: Lists image repositories. `cr:GetRepoTags`: Gets image tags. `cr:GetImageManifest`: Gets image details. `cr:SearchRepo`: Searches for image repositories.

Procedure

Log on to the RAM console by using your Alibaba Cloud account.

To allow a RAM user to manage ECI resources from the console, create a custom policy.

In the left-side navigation pane, choose Permissions > Policies.
Click Create Policy.

On the JSON Editor tab, copy the following policy document into the editor, and then click OK.

{
    "Statement": [
        {
            "Action": "ram:ListRoles",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "nas:DescribeFileSystems",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "oss:ListBuckets",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "vpc:DescribeCommonBandwidthPackages",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cr:GetRepoList",
                "cr:GetRepoTags",
                "cr:GetImageManifest",
                "cr:SearchRepo"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Enter a name for the policy and click OK.

Attach the required policies to the RAM user.

In the left-side navigation pane, choose Identities > Users.
Find the RAM user and click Add Permissions in the Actions column.

In the panel that appears, configure the parameters.

The following table describes the parameters.

Parameter	Description
Resource Scope	Select the permission scope: Entire Account: The permissions apply to the current Alibaba Cloud account. Specific Resource Group: The permissions apply only to a specific resource group.
Principal	The RAM user to be authorized. This field is pre-filled with the user you selected. You can add other users.
Policy	Select the policies based on your use case. To view ECI resources only: In the System Policies section, select AliyunECIReadOnlyAccess. To manage ECI resources by calling API operations: In the System Policies section, select AliyunECIFullAccess. To manage ECI resources in the console: select AliyunECIFullAccess from the System Policies section and the custom policy that you created in Step 2 from the Custom Policies section.

Click OK and follow the on-screen instructions.

Prerequisites

Permissions

Procedure

Related topics