You can grant or revoke permissions for a RAM user by attaching different RAM policies. This improves security and access control and reduces the risk of an Alibaba Cloud account AccessKey pair being exposed. This topic describes the authorization steps and provides sample RAM policies for Cloud Assistant.
Background
Access policies include custom policies that you create and system policies that Alibaba Cloud provides. For Cloud Assistant, in addition to using system policies, you can create custom policies based on dimensions such as regions, ECS instances, Cloud Assistant commands, and activation codes for managed instances. You can then attach these custom policies to RAM users to control their permissions for Cloud Assistant.
Procedure
Use your Alibaba Cloud account to create a RAM user.
For more information, see Create a RAM user.
Use your Alibaba Cloud account to create a custom policy. For more information, see Create a custom policy.
Sample custom policies are provided for the following Cloud Assistant features. The sample policy for each feature appears in the corresponding section later in this topic.
- Cloud Assistant
- Cloud Assistant Agent
- Cloud Assistant command
- Send files
- O&M task execution record delivery
  - Query and modify the configuration of O&M task execution record delivery
  - Query the configuration of O&M task execution record delivery
  - Set region restrictions for O&M task execution record delivery
  - Query and modify the configuration of session operation record delivery
  - Query the configuration of session operation record delivery
  - Set region restrictions for session operation record delivery
- Managed instances
- Session Manager
Use your Alibaba Cloud account to grant permissions to the RAM user.
For more information, see Manage permissions for a RAM user.
You can attach either of the following policy types to the RAM user:
Specify a custom policy that you created.
Specify a system policy provided by Alibaba Cloud.
AliyunECSAssistantFullAccess: Allows a RAM user to manage the Cloud Assistant service for ECS.
AliyunECSAssistantReadonlyAccess: Allows a RAM user read-only access to the Cloud Assistant service for ECS.
You can view the details of a system policy, including its content, on the RAM console. For more information, see View the information about a policy.
View the RAM user information to confirm that console access is granted.
If Console Access is not enabled, the RAM user can use Cloud Assistant only through API calls. For more information, see View the permissions of a RAM user.

Log on to the Alibaba Cloud Management Console as the RAM user.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

Go to the Cloud Assistant page of the ECS console to start using Cloud Assistant.
Custom policies for Cloud Assistant
Administrative permissions for Cloud Assistant
This policy grants a RAM user all query and operational permissions for Cloud Assistant APIs.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:RunCommand"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*",
"acs:ecs:*:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}
Read-only permissions for Cloud Assistant
This policy grants a RAM user all query permissions for Cloud Assistant APIs.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}
Region restrictions for Cloud Assistant
To restrict a RAM user's permissions to a specific region, specify the region in the policy. For example, the following policy allows a RAM user to use Cloud Assistant only in the China (Hangzhou) region.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:RunCommand"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:instance/*",
"acs:ecs:cn-hangzhou:*:command/*",
"acs:ecs:cn-hangzhou:*:activation/*",
"acs:ecs:cn-hangzhou:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:servicesettings/*"
]
}
]
}
Custom policies for Cloud Assistant Agent
Check the Cloud Assistant Agent installation status
Related API: DescribeCloudAssistantStatus
This policy grants a RAM user the permission to query the installation status of Cloud Assistant Agent on all ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to query the installation status of Cloud Assistant Agent only on the specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx000a", "acs:ecs:*:*:instance/i-instancexxx000b" ] } ] }
Install the Cloud Assistant Agent
Related API: InstallCloudAssistant
This policy grants a RAM user the permission to install Cloud Assistant Agent on any ECS instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to install Cloud Assistant Agent only on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Custom policies for Cloud Assistant commands
View Cloud Assistant commands
Related API: DescribeCommands
This policy grants a RAM user the permission to view all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
By specifying command IDs in the Resource element, you can grant a RAM user the permission to view only specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Delete a command
Related API: DeleteCommand
This policy grants a RAM user the permission to delete all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
By specifying command IDs in the Resource element, you can grant a RAM user the permission to delete only specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Create a command
Related API: CreateCommand
A RAM user needs the following minimum permissions to create a Cloud Assistant command.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCommand"
],
"Resource": [
"acs:ecs:*:*:command/*"
]
}
]
}
Modify a command
Related API: ModifyCommand
This policy grants a RAM user the permission to modify any Cloud Assistant command.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
By specifying command IDs in the Resource element, you can grant a RAM user the permission to modify only specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Run a command
Related API: InvokeCommand
This policy grants a RAM user the permission to run commands on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to run Cloud Assistant commands only on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
By specifying command IDs in the Resource element, you can grant a RAM user the permission to run only specified commands on ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b", "acs:ecs:*:*:instance/*" ] } ] }
By specifying command IDs and instance IDs in the Resource element, you can grant a RAM user the permission to run only specified commands on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
This policy limits which plugins are executable. It allows a RAM user to run only the test-plugin by using the public command ACS-ECS-ExecutePlugin-for-linux.sh.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": [ "acs:ecs:*:*:command/ACS-ECS-ExecutePlugin-for-linux.sh", "acs:ecs:*:*:instance/*" ], "Condition": { "StringEqualsIgnoreCase": { "ecs:PluginName": [ "test-plugin" ] } } } ] }
Add a tag condition to the Condition element to control the ECS instances on which commands can be run. For example, the following policy allows commands to be run only on ECS instances that have the Owner:zxy tag.
Note: When you use acs:ResourceTag, the resource must have a tag attached. For example, you can attach tags to ECS instances, but not to commands. This is why the policy grants ecs:InvokeCommand on commands in a separate statement that carries no tag condition.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": [ "acs:ecs:*:*:instance/*" ], "Condition": { "StringEquals": { "acs:ResourceTag/Owner": "zxy" } } }, { "Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
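The scoping patterns shown above (region-limited Resource ARNs, the ecs:PluginName condition, and the acs:ResourceTag condition) can be checked offline before a policy is attached. The following is an added example, not Alibaba Cloud's policy engine or code from this page: it reimplements only the matching semantics these samples rely on, and the account ID, instance IDs and command IDs it uses are constructed placeholders.

```python
"""Simplified evaluator for the RAM policy patterns used on this page.

Added example, not Alibaba Cloud's policy engine: it models only Allow
statements, "*" wildcards in Action and Resource, and StringEquals /
StringEqualsIgnoreCase conditions on keys such as acs:ResourceTag/<Key>
and ecs:PluginName. Anything not explicitly allowed is denied.
"""
import re


def _glob(pattern: str, value: str) -> bool:
    """RAM-style match: '*' matches any run of characters; nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition: dict, ctx: dict) -> bool:
    """All operator/key pairs must hold; a missing key (untagged instance) fails."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise ValueError(f"operator not modelled here: {operator}")
        norm = str.lower if operator == "StringEqualsIgnoreCase" else str
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None or norm(actual) not in {norm(w) for w in _as_list(wanted)}:
                return False
    return True


def is_allowed(policy: dict, action: str, resources: dict, request_ctx=None) -> bool:
    """True only if every ARN the call touches is covered by an Allow statement.
    resources maps each ARN to its own context (tags as "acs:ResourceTag/<Key>");
    request_ctx holds request-level keys such as "ecs:PluginName". InvokeCommand
    touches a command ARN and an instance ARN, so both must be permitted."""
    for arn, resource_ctx in resources.items():
        ctx = {**(request_ctx or {}), **resource_ctx}
        if not any(
            st.get("Effect") == "Allow"
            and any(_glob(a, action) for a in _as_list(st["Action"]))
            and any(_glob(r, arn) for r in _as_list(st["Resource"]))
            and _condition_ok(st.get("Condition", {}), ctx)
            for st in policy["Statement"]
        ):
            return False
    return True


# The page's sample policies, reduced to the statements exercised below.
REGION_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:*Command", "ecs:DescribeCommand*", "ecs:RunCommand"],
    "Resource": ["acs:ecs:cn-hangzhou:*:instance/*", "acs:ecs:cn-hangzhou:*:command/*"]}]}
PLUGIN_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ecs:InvokeCommand",
    "Resource": ["acs:ecs:*:*:command/ACS-ECS-ExecutePlugin-for-linux.sh",
                 "acs:ecs:*:*:instance/*"],
    "Condition": {"StringEqualsIgnoreCase": {"ecs:PluginName": ["test-plugin"]}}}]}
TAG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": ["acs:ecs:*:*:instance/*"],
     "Condition": {"StringEquals": {"acs:ResourceTag/Owner": "zxy"}}},
    {"Effect": "Allow", "Action": "ecs:InvokeCommand", "Resource": ["acs:ecs:*:*:command/*"]}]}

# Constructed request data: placeholder account ID, sample instance and command IDs.
HZ_INSTANCE = "acs:ecs:cn-hangzhou:1234567890:instance/i-sample0a"
BJ_INSTANCE = "acs:ecs:cn-beijing:1234567890:instance/i-sample0b"
PLUGIN_CMD = "acs:ecs:cn-hangzhou:1234567890:command/ACS-ECS-ExecutePlugin-for-linux.sh"
ANY_CMD = "acs:ecs:cn-hangzhou:1234567890:command/c-sample0a"


def run_checks() -> dict:
    """Evaluate representative requests; returns check name -> allowed?"""
    return {
        "region_hangzhou": is_allowed(REGION_POLICY, "ecs:RunCommand", {HZ_INSTANCE: {}}),
        "region_beijing": is_allowed(REGION_POLICY, "ecs:RunCommand", {BJ_INSTANCE: {}}),
        # ecs:*Command covers InvokeCommand, but not the Describe* query actions
        "region_query": is_allowed(REGION_POLICY, "ecs:DescribeInvocations", {HZ_INSTANCE: {}}),
        "plugin_ok": is_allowed(PLUGIN_POLICY, "ecs:InvokeCommand",
                                {PLUGIN_CMD: {}, HZ_INSTANCE: {}}, {"ecs:PluginName": "Test-Plugin"}),
        "plugin_other": is_allowed(PLUGIN_POLICY, "ecs:InvokeCommand",
                                   {PLUGIN_CMD: {}, HZ_INSTANCE: {}}, {"ecs:PluginName": "other"}),
        "tag_match": is_allowed(TAG_POLICY, "ecs:InvokeCommand",
                                {HZ_INSTANCE: {"acs:ResourceTag/Owner": "zxy"}, ANY_CMD: {}}),
        "tag_missing": is_allowed(TAG_POLICY, "ecs:InvokeCommand", {HZ_INSTANCE: {}, ANY_CMD: {}}),
    }
```

Running run_checks() shows the region policy denying the cn-beijing instance and the query action, the plugin policy accepting test-plugin regardless of case, and the tag policy denying the untagged instance.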
Run a command immediately
Related API: RunCommand
When you call the RunCommand API with the KeepCommand parameter set to true, the command is retained as a command resource, so you must also add "acs:ecs:*:*:command/*" to the Resource element.
This policy grants a RAM user the permission to immediately run commands on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to immediately run Cloud Assistant commands only on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Add a tag condition to the Condition element to control the ECS instances on which commands can be immediately run. For example, the following policy allows commands to be immediately run only on ECS instances that have the test:tony tag.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": "acs:ecs:*:*:instance/*", "Condition": { "StringEquals": { "acs:ResourceTag/test": "tony" } } } ] }
Query execution results
Related API: DescribeInvocations
This policy grants a RAM user the permission to query command execution results on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to query command execution results only on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/*" ] } ] }
By specifying command IDs in the Resource element, you can grant a RAM user the permission to query the execution results of only specified commands on ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
By specifying command IDs and instance IDs in the Resource element, you can grant a RAM user the permission to query the execution results of only specified commands on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
Modify a scheduled task
Related API: ModifyInvocationAttribute
This policy allows a RAM user to modify information about any scheduled task and add any instance to the scheduled task.
When you modify a task that was created by calling the InvokeCommand or RunCommand API, if you change the CommandContent parameter and set the KeepCommand parameter to true, a new command is created and retained long-term. In this case, you must add acs:ecs:*:*:command/* to the Resource element before you call the ModifyInvocationAttribute API.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }
By specifying a task ID in the Resource element, this policy allows a RAM user to modify only the specified task and add any instance to it.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
By specifying an instance ID in the Resource element, this policy allows a RAM user to modify information about any scheduled task but add only the specified instance to the task.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }
By specifying an instance ID and a task ID in the Resource element, this policy allows a RAM user to modify information about only the specified task and add only the specified instance to the task.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
Stop a task
Related API: StopInvocation
This policy grants a RAM user the permission to stop Cloud Assistant command processes that are in the Running state on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to stop Cloud Assistant command processes that are in the Running state only on specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Use OOS standard parameters
This policy allows a RAM user to use Cloud Assistant to run commands that contain OOS standard parameters.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:CreateCommand",
"ecs:DescribeCommands",
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeCloudAssistantStatus",
"oos:GetParameters",
"oos:GetParameter"
],
"Resource": "*"
}
],
"Version": "1"
}
Use OOS encrypted parameters
This policy allows a RAM user to use Cloud Assistant to run commands that contain OOS encrypted parameters.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:CreateCommand",
"ecs:DescribeCommands",
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeCloudAssistantStatus",
"oos:GetParameters",
"oos:GetSecretParameters",
"oos:GetParameter",
"oos:GetSecretParameter",
"kms:GetSecretValue"
],
"Resource": "*"
}
],
"Version": "1"
}
Custom policies for sending files
Upload a local file
Related API: SendFile
This policy grants a RAM user the permission to upload local files to any ECS instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to upload local files only to specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Add a tag condition to the Condition element to control the ECS instances to which files can be uploaded. For example, the following policy allows files to be uploaded only to ECS instances that have the test:tony tag.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": "acs:ecs:*:*:instance/*", "Condition": { "StringEquals": { "acs:ResourceTag/test": "tony" } } } ] }
Query file upload results
Related API: DescribeSendFileResults
This policy grants a RAM user the permission to query the file upload results for any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to query the file upload results only for specified ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Custom policies for O&M task record delivery
Query and modify delivery configuration
This policy grants a RAM user the permission to query and modify the configuration of the O&M task execution record delivery feature.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
Query delivery configuration
This policy grants a RAM user the permission to query the configuration of the O&M task execution record delivery feature.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
Region restrictions for delivery
You can restrict the permissions of a RAM user to a specific region by specifying the region in the policy.
This policy allows a RAM user to query and modify the configuration of the O&M task execution record delivery feature only in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
This policy allows a RAM user to query the configuration of the O&M task execution record delivery feature only in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
Query and modify session delivery configuration
This policy grants a RAM user the permission to query and modify the configuration of the session operation record delivery feature.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Query session delivery configuration
This policy grants a RAM user the permission to query the configuration of the session operation record delivery feature.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Region restrictions for session delivery
You can restrict the permissions of a RAM user to a specific region by specifying the region in the policy.
This policy allows a RAM user to query and modify the configuration of the session operation record delivery feature only in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
This policy allows a RAM user to query the configuration of the session operation record delivery feature only in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
Query OSS buckets
When you use the O&M task execution record or session operation record delivery feature to deliver records to OSS, you must grant the RAM user the following permission to query OSS buckets.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": "*"
}
]
}
To query and analyze records that are delivered to OSS, you must understand the access control rules of OSS. For more information, see RAM policies for OSS and Common examples of RAM policies for OSS.
Query SLS projects and Logstores
When you use the O&M task execution record or session operation record delivery feature to deliver records to SLS, you must grant the RAM user the following permissions to query SLS projects and their Logstores.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"log:ListProject",
"log:ListLogStores"
],
"Resource": "*"
}
]
}
To query and analyze records that are delivered to SLS, you must understand the access control rules of SLS. For more information, see Access control for Log Service.
Custom policies for managed instances
Deregister a managed instance
Related API: DeregisterManagedInstance
This policy grants a RAM user the permission to deregister any managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to deregister only specified managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Query managed instances
Related API: DescribeManagedInstances
This policy grants a RAM user the permission to query information about any managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to query information only about specified managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Create activation codes
Related API: CreateActivation
A RAM user needs the following minimum permissions to create an activation code. Activation codes are used to register servers that are not hosted on Alibaba Cloud as managed instances.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateActivation"
],
"Resource": [
"acs:ecs:*:*:activation/*"
]
}
]
}
Disable activation codes
Related API: DisableActivation
This policy grants a RAM user the permission to disable any activation code for a managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
By specifying activation code IDs in the Resource element, you can grant a RAM user the permission to disable only specified activation codes.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Query activation codes
Related API: DescribeActivations
This policy grants a RAM user the permission to query created activation codes for managed instances and their usage.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
By specifying activation code IDs in the Resource element, you can grant a RAM user the permission to query only specified activation codes and their usage.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Delete activation codes
Related API: DeleteActivation
This policy grants a RAM user the permission to delete any unused activation code for a managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
By specifying activation code IDs in the Resource element, you can grant a RAM user the permission to delete only specified unused activation codes for managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Custom policies for agent upgrade
Related APIs: ModifyCloudAssistantSettings and DescribeCloudAssistantSettings.
Query and modify upgrade configuration
This policy grants a RAM user the permission to query and modify the Cloud Assistant Agent upgrade configuration.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}
Query upgrade configuration
This policy grants a RAM user the permission to query the Cloud Assistant Agent upgrade configuration.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}
Custom policies for Session Manager
Related APIs: StartTerminalSession and DescribeTerminalSessions.
Create and query sessions
This policy allows a RAM user to create and query sessions in Session Manager.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
By specifying instance IDs in the Resource element, you can grant a RAM user the permission to create and query sessions in Session Manager only for specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }