Grant a RAM user permissions for image generation


This topic describes how to grant a RAM User permissions for image generation projects.

Prerequisites

You have created a RAM User.

Background information

You can grant a RAM User permissions for image generation projects in two ways.

  • System policy: Grants broad permissions. A system policy cannot be modified, but it is the simpler option to configure.

  • Custom policy: Lets you define reusable, fine-grained policies and modify them later when the required permissions change, at the cost of a more involved configuration.

System policy

  1. Log on to the RAM Console with your Alibaba Cloud account (main account) or as a RAM administrator.

  2. Grant the RAM User the permissions in the table below. For instructions, see Manage permissions for a RAM User.

    Permission policy                 Description
    --------------------------------  ----------------------------------------------------------------
    AliyunRAMReadOnlyAccess           Grants read-only access to Resource Access Management (RAM) to view users, user groups, and authorization information.
    AliyunFCFullAccess                Grants permission to manage the Function Compute (FC) service.
    AliyunDevsFullAccess              Grants permission to manage Serverless Devs.
    AliyunOSSReadOnlyAccess           Grants read-only access to Object Storage Service (OSS).
    AliyunLogReadOnlyAccess           Grants read-only access to Log Service.
    AliyunCloudMonitorReadOnlyAccess  Grants read-only access to CloudMonitor.
    AliyunNASReadOnlyAccess           Grants read-only access to Apsara File Storage NAS.
    AliyunVPCReadOnlyAccess           Grants read-only access to Virtual Private Cloud (VPC).
    AliyunECSReadOnlyAccess           Grants read-only access to Elastic Compute Service (ECS).

Custom policy

  1. Log on to the RAM Console with your Alibaba Cloud account (main account) or as a RAM administrator.

  2. Create a custom policy that grants the RAM User read and write permissions for image generation projects.

    On the Script tab, paste the following script into the policy editor. For instructions, see Create a custom policy.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ram:Get*",
            "ram:List*",
            "ram:GenerateCredentialReport"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "devs:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": "devs.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "fc:Get*",
            "fc:List*",
            "fc:PutConcurrencyConfig",
            "fc:DeleteConcurrencyConfig",
            "fc:PutProvisionConfig",
            "fc:InstanceExec",
            "fc:EnableFunctionInvocation",
            "fc:DisableFunctionInvocation",
            "fc:DeleteScalingConfig",
            "fc:PutScalingConfig",
            "fc:UpdateFunction"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Query*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:Get*",
            "oss:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "cms:Get*",
            "cms:List*",
            "cms:Query*",
            "cms:Describe*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "vpc:DescribeVpc*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "nas:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ecs:DescribeSecurityGroup*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  3. Attach the custom policy to the RAM User. For instructions, see Manage permissions for a RAM User.
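A check worth running over the custom policy before attaching it to the RAM User. This is an added example and not part of the Alibaba Cloud documentation: it embeds a copy of the custom policy above as the JSON text you would paste into the Script tab, validates its structure, lists which services it touches and which actions go beyond read access, and confirms that the ram:PassRole grant is bound to devs.aliyuncs.com through the acs:Service condition. The set of verbs treated as read-only (Get, List, Describe, Query) is an assumption used only for classification, and the weakened variant built by drop_passrole_condition is constructed for comparison.

```python
"""Offline review of a RAM custom policy document before it is attached."""
import json
import re

# Copy of the custom policy from the page, as the JSON text pasted into the
# policy editor's Script tab (constructed for this example).
POLICY_TEXT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["ram:Get*", "ram:List*", "ram:GenerateCredentialReport"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "devs:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"acs:Service": "devs.aliyuncs.com"}}},
        {"Action": ["fc:Get*", "fc:List*", "fc:PutConcurrencyConfig",
                    "fc:DeleteConcurrencyConfig", "fc:PutProvisionConfig",
                    "fc:InstanceExec", "fc:EnableFunctionInvocation",
                    "fc:DisableFunctionInvocation", "fc:DeleteScalingConfig",
                    "fc:PutScalingConfig", "fc:UpdateFunction"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:Get*", "log:List*", "log:Query*"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["oss:Get*", "oss:List*"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["cms:Get*", "cms:List*", "cms:Query*", "cms:Describe*"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "vpc:DescribeVpc*", "Resource": "*", "Effect": "Allow"},
        {"Action": "nas:Describe*", "Resource": "*", "Effect": "Allow"},
        {"Action": "ecs:DescribeSecurityGroup*", "Resource": "*", "Effect": "Allow"},
    ],
})

# Assumption for classification: actions whose verb is Get/List/Describe/Query
# are treated as read-only; everything else is listed for explicit review.
READ_ONLY = re.compile(r"^[a-z]+:(Get|List|Describe|Query)[A-Za-z]*\*?$")


def _as_list(value):
    """RAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def load_policy(text):
    """Parse the document and check the fields every statement must carry."""
    policy = json.loads(text)
    if policy.get("Version") != "1":
        raise ValueError('RAM policies use "Version": "1"')
    stmts = policy.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        raise ValueError("Statement must be a non-empty list")
    for stmt in stmts:
        for key in ("Action", "Resource", "Effect"):
            if key not in stmt:
                raise ValueError(f"statement missing {key}: {stmt}")
    return policy


def allowed_actions(policy):
    """Yield (action, statement) for every action an Allow statement grants."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            yield action, stmt


def review(text):
    """Summarise what the policy grants and flag what a reviewer should look at."""
    policy = load_policy(text)
    services, wildcard, non_read, findings = set(), [], [], []
    for action, stmt in allowed_actions(policy):
        services.add(action.split(":", 1)[0] if ":" in action else "*")
        if action == "*" or action.endswith(":*"):
            wildcard.append(action)          # whole-service grants, e.g. devs:*
        if not READ_ONLY.match(action):
            non_read.append(action)          # write or otherwise non-read actions
        # ram:PassRole lets the user hand a role to a service; the page binds it
        # to devs.aliyuncs.com, so an unconditioned grant is a finding.
        if action in ("ram:PassRole", "ram:Pass*", "ram:*", "*"):
            bound = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
            if not bound:
                findings.append(f"{action} granted without an acs:Service condition")
    return {"services": sorted(services), "wildcard": wildcard,
            "non_read": non_read, "findings": findings}


def drop_passrole_condition(text):
    """Constructed weaker variant: the same policy with PassRole's Condition removed."""
    policy = json.loads(text)
    for stmt in policy["Statement"]:
        if "ram:PassRole" in _as_list(stmt["Action"]):
            stmt.pop("Condition", None)
    return json.dumps(policy)


if __name__ == "__main__":
    print(json.dumps(review(POLICY_TEXT), indent=2))
    print(json.dumps(review(drop_passrole_condition(POLICY_TEXT))["findings"]))
```

Running the script on the page's policy reports nine services, the single whole-service grant devs:*, and twelve non-read actions (the FC write actions, ram:GenerateCredentialReport, ram:PassRole and devs:*) with no findings; the constructed variant without the Condition produces one finding, which is the difference between a PassRole grant scoped to Serverless Devs and one usable with any service.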