Control RAM user access to different encrypted parameters

更新时间:
复制 MD 格式

Parameter Store uses encrypted parameters to dynamically maintain encrypted data in the cloud. The parameters are stored and displayed in an encrypted format, and you can read the data at any time. However, if you have multiple Resource Access Management (RAM) users under a single Alibaba Cloud account, you may want to prevent some of them from accessing certain encrypted data. This topic describes how to grant different access permissions for encrypted parameters to different RAM users.

Procedure

  1. Create encrypted parameters.

    1. Log on to the CloudOps Orchestration Service console.

    2. Create an encrypted parameter. For more information, see Create an encrypted parameter.20210114180823

    3. Create two encrypted parameters: group1/parameter and group2/parameter. The following figure shows an example.

  2. Log on to the RAM console and create a custom policy. For more information, see Create a custom policy in script edit mode. Add the following sample script. This script allows a RAM user to access the details of encrypted parameters that start with group1 and to list all encrypted parameters. (To grant a RAM user the permission to read the values of all encrypted parameters, see Appendix: Access policy).

    Important

    Configure the required KMS permissions for the encrypted parameters.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oos:GetSecretParameter",
                    "oos:ListSecretParameters",
                    "kms:GetSecretValue"
                ],
                "Resource": [
                    "acs:oos:*:1234************:secretparameter/group1/*",
                    "acs:kms:*:1234************:secret/oos/group1/*"
                ],
                "Condition": {}
            }
        ]
    }
  3. Attach the custom policy to the target RAM user or RAM role. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM role.

  4. After you create the policy, verify access to the encrypted parameters.

    1. On an instance, configure the AccessKey pair (AK) of the RAM user. Use the command-line interface (CLI) to retrieve the parameter named group1/parameter. The parameter is successfully retrieved.20210115113938

    2. Use the CLI to retrieve the parameter named group2/parameter. The operation fails and a "no permission" error is returned. The following figure shows an example.20210115114000

This example shows that after the policy is attached to the RAM user, the user can access only encrypted parameters whose names start with group1. If the user attempts to access the group2/parameter, a "no permission" error is returned.

Appendix: Access policy

RAM users can access all encrypted parameters:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oos:GetSecretParameter",
                "oos:ListSecretParameters",
                "kms:GetSecretValue"
            ],
            "Resource": [
                "acs:oos:*:1234************:secretparameter/*",
                "acs:kms:*:1234************:secret/oos/*"
            ],
            "Condition": {}
        }
    ]
}