Use RAM policies to restrict Cloud Assistant commands to regular (non-root, non-system) users.
Prerequisites
A regular user is created on the ECS instance. This topic uses user01 and user02 as examples.
Background
By default, Cloud Assistant runs commands with the highest privilege on an ECS instance: as root on Linux and as system on Windows.
A RAM policy can condition the ecs:RunCommand and ecs:InvokeCommand permissions on the user a command runs as, so that a RAM user may run Cloud Assistant commands only as regular users such as user01 and user02, and not as root or system. The policy constrains the API call made by that RAM user; it does not remove root or system from the instance itself.
Configure a regular user for Linux instances
Follow these steps to prevent a RAM user from running Cloud Assistant commands as root on Linux instances.
- Log on to the RAM console with your Alibaba Cloud account.
- Create a RAM user. Example RAM user settings:
  Logon name: commandUser
  Display name: commandUser
  Access mode: Select both Console Access and Programmatic Access (this topic uses both).
    Note: Select only the access mode you actually need, following the principle of least privilege.
  Set password: Select Automatically generate password.
  Password reset: Select Required at Next Logon.
  MFA: Select Not Required (as in this topic). For console access in production, require MFA.
  Save the username, password, and AccessKey pair after creation; the AccessKey secret is displayed only once.
- Create a custom policy for Cloud Assistant.
  Create a policy named commandUserPolicy. Two examples follow; modify as needed. Both use the condition key ecs:CommandRunAs, which carries the username the command is executed as.
  - Allow only user01 and user02 to run Cloud Assistant commands (an allowlist):
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:InvokeCommand",
            "ecs:RunCommand"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ecs:*:*:command/*"
          ],
          "Condition": {
            "StringEquals": {
              "ecs:CommandRunAs": [
                "user01",
                "user02"
              ]
            }
          }
        }
      ],
      "Version": "1"
    }
    Note: Add or modify usernames in the Condition block to grant permissions to other users. A request naming any other user does not match the condition and falls through to the implicit deny.
  - Allow any user except root and system to run Cloud Assistant commands (a denylist):
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:InvokeCommand",
            "ecs:RunCommand"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ecs:*:*:command/*"
          ],
          "Condition": {
            "StringNotEqualsIgnoreCase": {
              "ecs:CommandRunAs": [
                "system",
                "root"
              ]
            }
          }
        }
      ],
      "Version": "1"
    }
    Note: This statement is an Allow whose condition excludes root and system (compared case-insensitively); it does not contain a Deny. Add or modify usernames in the Condition block to exclude other users. Because a RAM user receives the union of all Allow statements attached to it, the exclusion is defeated by any other policy (for example AliyunECSFullAccess) that grants ecs:RunCommand without this condition; only an explicit Deny statement overrides other Allows.
- Grant the RAM user read-only ECS permissions and the Cloud Assistant policy.
  - ECS read-only: select AliyunECSReadOnlyAccess.
  - Cloud Assistant: select commandUserPolicy (created in the previous step).
  Attach no other policy that grants ecs:RunCommand or ecs:InvokeCommand to this user.
Log on to the Alibaba Cloud console as the RAM user.
-
Verify by running a Cloud Assistant command. See Create and run commands.
-
In the console, specify the user to run the command:

user01runs the command successfully, butrootreturns an error. -
In the CLI,
user01runs the command successfully, butrootreturns an error:
-
Configure a regular user for Windows instances
Running a Cloud Assistant command as a regular user on a Windows instance requires that user's logon name and password. Store the Windows logon password as an encrypted parameter in CloudOps Orchestration Service (OOS), encrypted with a Key Management Service (KMS) key, and reference the parameter by name when you run the command. See What is CloudOps Orchestration Service and What is Key Management Service.
Follow these steps to prevent a RAM user from running Cloud Assistant commands as system (or root) on Windows instances.
- Log on to the RAM console with your Alibaba Cloud account.
- Create a RAM user. Example RAM user settings:
  Logon name: commandUser
  Display name: commandUser
  Access mode: Select both Console Access and Programmatic Access (this topic uses both).
    Note: Select only the access mode you actually need, following the principle of least privilege.
  Set password: Select Automatically generate password.
  Password reset: Select Required at Next Logon.
  MFA: Select Not Required (as in this topic). For console access in production, require MFA.
  Save the username, password, and AccessKey pair after creation; the AccessKey secret is displayed only once.
- Create custom policies for Cloud Assistant and KMS.
  - Cloud Assistant permissions:
    Create a policy named commandUserPolicy. Two examples follow; modify as needed. Both use the condition key ecs:CommandRunAs, which carries the username the command is executed as.
    - Allow only user01 and user02 to run Cloud Assistant commands (an allowlist):
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ecs:InvokeCommand",
              "ecs:RunCommand"
            ],
            "Resource": [
              "acs:ecs:*:*:instance/*",
              "acs:ecs:*:*:command/*"
            ],
            "Condition": {
              "StringEquals": {
                "ecs:CommandRunAs": [
                  "user01",
                  "user02"
                ]
              }
            }
          }
        ],
        "Version": "1"
      }
      Note: Add or modify usernames in the Condition block to grant permissions to other users. A request naming any other user does not match the condition and falls through to the implicit deny.
    - Allow any user except root and system to run Cloud Assistant commands (a denylist):
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ecs:InvokeCommand",
              "ecs:RunCommand"
            ],
            "Resource": [
              "acs:ecs:*:*:instance/*",
              "acs:ecs:*:*:command/*"
            ],
            "Condition": {
              "StringNotEqualsIgnoreCase": {
                "ecs:CommandRunAs": [
                  "system",
                  "root"
                ]
              }
            }
          }
        ],
        "Version": "1"
      }
      Note: This statement is an Allow whose condition excludes root and system (compared case-insensitively); it does not contain a Deny, and it does not exclude other privileged Windows accounts such as Administrator unless you add them. Because a RAM user receives the union of all Allow statements attached to it, the exclusion is defeated by any other policy that grants ecs:RunCommand without this condition; only an explicit Deny statement overrides other Allows.
  - KMS permissions:
    Create a policy named kmsPolicy. See Examples of common authorization policies.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*",
            "kms:Describe*",
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    Note: "Resource": ["*"] grants kms:Decrypt on every key in the account. In production, scope Resource to the CMK that encrypts the parameter.
- Grant the RAM user permissions for ECS, OOS, Cloud Assistant, and KMS.
  - ECS read-only: select AliyunECSReadOnlyAccess.
  - OOS read-only: select AliyunOOSReadOnlyAccess.
  - Cloud Assistant: select commandUserPolicy (created in the previous step).
  - KMS: select kmsPolicy (created in the previous step).
- Configure a RAM role for the Windows instance. The instance assumes this role to fetch the encrypted password from OOS and decrypt it with KMS.
  - Create a custom policy for the RAM role. Example policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:GetSecretValue"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oos:GetSecretParameter"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  - Create the RAM role. Example configuration:
    Trusted entity type: Select Alibaba Cloud Service.
    Trusted service: Select ECS.
    Role name: AxtSecretRamRole
  - Attach the RAM role to the ECS instance.
- Create an encrypted parameter in OOS to store the Windows logon password.
  Note: The OOS encrypted parameter must be in the same region as the ECS instance.
  Example values for user01:
    Parameter name: axtSecretPassword
    KMS key ID: Use the default service CMK (Default Service CMK).
    Value: The logon password of user01.
- Log on to the Alibaba Cloud console as the RAM user.
- Verify by running a Cloud Assistant command on the Windows instance. See Create and run commands.
  - In the console, specify the user to run the command as and the OOS encrypted parameter that holds the password: user01 runs the command successfully, but system returns a permission error.
  - In the CLI, specify the user with the Username parameter and the parameter name with the WindowsPasswordName parameter of RunCommand: user01 runs the command successfully, but system returns an error.
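The two commandUserPolicy variants above (used unchanged in both the Linux and the Windows procedure) behave differently once other policies are attached to the same RAM user. The following is an added example written for this page, not Alibaba Cloud's own policy engine: a small model of RAM-style evaluation (any matching Deny wins, otherwise the union of matching Allows, otherwise implicit deny) that runs the page's allowlist and exclusion policies, a stand-in for a broad ECS policy, and an explicit-Deny variant against requests as user01, root, SYSTEM and Administrator. It assumes that the request context exposes the effective run-as user under ecs:CommandRunAs, that a missing key never satisfies StringEquals and always satisfies StringNotEquals, and that a broad policy such as AliyunECSFullAccess allows ecs:* (shape assumed, not copied). The region, account and instance IDs are constructed.

```python
"""Model of RAM policy evaluation for the Cloud Assistant policies on this page.

Illustrative code added for this page; not Alibaba Cloud's evaluator. Assumptions:
  * deny-override: a matching Deny wins, otherwise the union of matching Allows,
    otherwise implicit deny;
  * the request context carries the effective run-as user as ecs:CommandRunAs
    (root on Linux, system on Windows, when the caller names no user);
  * a missing key never satisfies String*Equals and always satisfies String*NotEquals.
"""
from fnmatch import fnmatchcase

RUN = "ecs:RunCommand"
INSTANCE = "acs:ecs:cn-hangzhou:123456789012:instance/i-example"  # constructed resource


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the string operators used by the policies on this page."""
    for operator, keys in condition.items():
        ignore_case = operator.endswith("IgnoreCase")
        base = operator[: -len("IgnoreCase")] if ignore_case else operator
        for key, expected in keys.items():
            wanted = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if ignore_case:
                wanted = [v.lower() for v in wanted]
                actual = actual.lower() if actual is not None else None
            if base == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif base == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request against every attached policy."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed


def command_policy(effect, operator, users):
    """Build a commandUserPolicy-shaped document with the given effect, operator and users."""
    return {"Version": "1", "Statement": [{
        "Effect": effect,
        "Action": ["ecs:InvokeCommand", "ecs:RunCommand"],
        "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"],
        "Condition": {operator: {"ecs:CommandRunAs": users}},
    }]}


ALLOWLIST = command_policy("Allow", "StringEquals", ["user01", "user02"])            # page, variant 1
EXCLUDE = command_policy("Allow", "StringNotEqualsIgnoreCase", ["system", "root"])  # page, variant 2
HARD_DENY = command_policy("Deny", "StringEqualsIgnoreCase", ["system", "root"])    # added hardening
# Stand-in for a broad ECS policy such as AliyunECSFullAccess (shape assumed, not copied).
BROAD_ALLOW = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}


def run_as(user):
    return {"ecs:CommandRunAs": user}


def scenarios():
    """Decisions worth confirming before trusting either policy variant."""
    return {
        "allowlist_user01": evaluate([ALLOWLIST], RUN, INSTANCE, run_as("user01")),
        "allowlist_root": evaluate([ALLOWLIST], RUN, INSTANCE, run_as("root")),
        "allowlist_other_action": evaluate([ALLOWLIST], "ecs:DescribeInstances", INSTANCE, run_as("user01")),
        "exclude_user01": evaluate([EXCLUDE], RUN, INSTANCE, run_as("user01")),
        "exclude_root": evaluate([EXCLUDE], RUN, INSTANCE, run_as("root")),
        "exclude_SYSTEM": evaluate([EXCLUDE], RUN, INSTANCE, run_as("SYSTEM")),          # case-insensitive
        "exclude_Administrator": evaluate([EXCLUDE], RUN, INSTANCE, run_as("Administrator")),  # not excluded
        "exclude_plus_broad_root": evaluate([EXCLUDE, BROAD_ALLOW], RUN, INSTANCE, run_as("root")),
        "harddeny_plus_broad_root": evaluate([HARD_DENY, BROAD_ALLOW], RUN, INSTANCE, run_as("root")),
        "harddeny_plus_broad_user01": evaluate([HARD_DENY, BROAD_ALLOW], RUN, INSTANCE, run_as("user01")),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:28} {decision}")
```

The exclude_plus_broad_root and harddeny_plus_broad_root rows are the point: the page's Allow-with-exclusion variant stops blocking root as soon as a second, unconditional Allow is attached, whereas an explicit Deny keeps blocking it while still letting user01 through. The exclude_Administrator row shows that on Windows the exclusion list must name every privileged account you want to block, not just system.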

