Create RAM users or RAM roles and grant them custom policies to enforce fine-grained access control on IoT Platform without sharing your Alibaba Cloud account credentials.
Background information
RAM and STS concepts and scenarios are covered in Introduction to RAM and STS. Access control fundamentals are explained in Basic concepts of access control.
RAM service details
| Service | Description |
| --- | --- |
| RAM service name | IoT Platform. |
| RAM code | iot. |
| Console support | Yes. |
| API support | Yes. |
| Authorization granularity | API-level. RAM users or roles can perform specified operations on a specific resource type. |
| System policies | |
Policy elements
A RAM policy consists of Effect, Action, Resource, Condition, and Principal elements. For syntax and evaluation rules, see Policy language.
The following table describes policy elements for IoT Platform.
| Element | Required | Description |
| --- | --- | --- |
| Effect | Yes | Allow or Deny. Note: if a policy contains both Allow and Deny statements, Deny takes precedence. |
| Action | Yes | An operation on a specific resource. The Action format for IoT Platform is iot:${APIName} (for example, iot:CreateProduct). You can specify multiple Actions separated by commas (,) and use the asterisk (*) wildcard. |
| Resource | Yes | The object being authorized. IoT Platform supports only API-level authorization, not resource-level authorization for individual products or devices. Set Resource to *. |
| Condition | No | Specifies when the authorization takes effect. IoT Platform does not support the Condition element. |
RAM authorization Actions
Each Action follows the format iot:${APIName}. For the full list of API names, see List of all public cloud APIs of IoT Platform. The following table lists sample Actions for public IoT Platform APIs and Actions for operations that correspond to unlisted APIs.
| API name or operation | RAM authorization operation (Action) | Resource | API description |
| --- | --- | --- | --- |
| CreateProduct | iot:CreateProduct | * | Creates a product. |
| DeleteConsumerGroupSubscribeRelation | iot:DeleteConsumerGroupSubscribeRelation | * | Removes a specified consumer group from multiple consumer groups in an AMQP subscription. |
| Configure an AMQP server-side subscription | iot:sub | * | Supports connections for AMQP server-side subscriptions. |
| Reset a product certificate key | iot:ResetProductSecret | * | Resets the ProductSecret of a product certificate. |
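The policy elements table and the Actions table above describe the rules a custom IoT Platform policy has to follow: Actions are iot:${APIName} strings (with * wildcards), Resource is always *, Condition is unsupported, and an explicit Deny overrides any Allow. The following Python is an added example, not code from the original page or from Alibaba Cloud. It builds a least-privilege policy document for a hypothetical "IoT product operator" RAM user from the Actions listed on this page, checks the document against those rules before it is uploaded, and evaluates sample requests with a small evaluator that mirrors the stated rules (explicit Deny first, then Allow, otherwise implicit deny). The evaluator is an assumption-labelled approximation of RAM's behaviour for illustration, not the RAM engine itself.

```python
import fnmatch
import json

# Constructed sample: a custom policy for an "IoT product operator" RAM user.
# Actions are taken from the Actions table on this page; Resource is "*"
# because IoT Platform supports only API-level authorization.
IOT_OPERATOR_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:CreateProduct",
                "iot:DeleteConsumerGroupSubscribeRelation",
                "iot:sub",
            ],
            "Resource": "*",
        },
        {
            # Explicit Deny: the operator must never rotate a ProductSecret.
            # Per the policy elements table, Deny takes precedence over Allow,
            # so this holds even if a broader "iot:*" Allow is added later.
            "Effect": "Deny",
            "Action": "iot:ResetProductSecret",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """RAM accepts a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def validate_iot_policy(policy):
    """Return a list of problems; an empty list means the document follows
    the IoT Platform rules stated on this page."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(stmt.get("Action", [])):
            if action != "*" and not action.startswith("iot:"):
                problems.append(
                    f"statement {i}: Action {action!r} is not in iot:${{APIName}} form"
                )
        if "Condition" in stmt:
            problems.append(f"statement {i}: IoT Platform does not support Condition")
        if "*" not in _as_list(stmt.get("Resource", [])):
            problems.append(
                f"statement {i}: Resource must be '*' (API-level authorization only)"
            )
    return problems


def is_allowed(policy, action, resource="*"):
    """Evaluate one request against the policy (assumed simplification of RAM
    evaluation): any matching Deny wins, a matching Allow grants, otherwise
    the request is implicitly denied."""
    decision = False
    for stmt in policy["Statement"]:
        action_match = any(
            fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])
        )
        resource_match = any(
            fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])
        )
        if not (action_match and resource_match):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def policy_json(policy):
    """Serialise the document in the form pasted into the RAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    assert validate_iot_policy(IOT_OPERATOR_POLICY) == []
    print(policy_json(IOT_OPERATOR_POLICY))
    for act in ("iot:CreateProduct", "iot:ResetProductSecret", "iot:DeleteProduct"):
        print(act, "->", "allow" if is_allowed(IOT_OPERATOR_POLICY, act) else "deny")
```

Running the module prints the policy document and then `allow` for iot:CreateProduct, `deny` for iot:ResetProductSecret (explicit Deny) and `deny` for iot:DeleteProduct (not granted, so implicitly denied). Keeping the Deny statement even when the Allow list is narrow is deliberate: if someone later widens the grant to iot:*, the secret-rotation ban survives without anyone having to remember it.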
Get started
- Create an account administrator.
  An Alibaba Cloud account has full permissions on all resources. You cannot restrict its access by source IP or time. If multiple people share the account, operations cannot be traced to individual users. A compromised account poses a significant security risk. Do not use your Alibaba Cloud account for daily operations.
  Create a RAM user in RAM and grant it the AdministratorAccess permission. Use this administrator to create other RAM users and assign permissions.
- RAM provides system policies (predefined and cannot be modified) and custom policies. Create custom policies when system policies do not meet your requirements.
- Create and authorize RAM users:
  - Create and authorize a single RAM user.
    Create RAM users and assign each one only the permissions required for their responsibilities. This avoids sharing your Alibaba Cloud account credentials and follows the least-privilege principle to reduce security risks.
  - Create and authorize a RAM user group.
    Use RAM user groups to classify and authorize users who share the same responsibilities, simplifying permission management.
  - Create and authorize a RAM role, and then grant a RAM user the permission to assume the role.
    A RAM role is a virtual user with no permanent credentials. A trusted entity assumes the role and receives temporary STS credentials to access authorized resources.