You can create a custom permission policy that grants a RAM user fine-grained permissions to manage a specific Simple Application Server instance.
Prerequisites
You have a RAM user. For more information, see Create a RAM user.
Procedure
Step 1: Create a custom permission policy
-
Log on to the RAM console with your Alibaba Cloud account.
-
In the navigation pane on the left, choose Permissions > Policies.
-
On the Policies page, click Create Policy.
-
On the Create Policy page, click the Visual editor or JSON tab.
This example selects all actions that contain the keyword
Instancefor a specific Simple Application Server instance.Visual editor
This method is intuitive.
-
For Effect, select Allowed.
-
For Service, select Simple Application Server.
-
For Actions, select Select action(s), and then select the actions to authorize.
In this example, all operations that contain
Instanceare selected by enteringInstancein the search box to filter the results. In practice, you can select specific operations as needed. -
For Resources, select Specific resource(s). Then, click Add resource next to the resource ARN format
acs:swas-open:{#regionId}:{#accountId}:instance/{#instanceId}. -
In the Add resource dialog box, specify the region ID and instance ID, and then click OK.
NoteYou can select Match all to quickly select all associated resources.
JSON
This method provides flexibility and is suitable for users who are familiar with permission policy syntax. In the editor, paste the following content and replace the placeholders with your actual values:
NoteFor more information about the basic elements and syntax of a permission policy, see Policy elements and Policy structure and syntax.
-
regionId: Replace this with the region ID. Example:cn-beijing. -
accountId: Replace this with your Alibaba Cloud account ID. Example:160998252992****. -
instanceId: Replace this with the ID of the Simple Application Server instance. Example:a16ff078e66f4515ad96e93aebb0****.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "swas-open:ListInstances", "swas-open:AddInstanceDomainDnsRecord", "swas-open:AttachInstanceToLoadBalancer", "swas-open:AttachVpcInstanceToCen", "swas-open:BindInstanceDomain", "swas-open:CreateInstanceKeyPair", "swas-open:CreateInstances", "swas-open:DeleteInstance", "swas-open:DeleteInstanceKeyPair", "swas-open:DescribeInstanceDomains", "swas-open:DetachInstanceFromLoadBalancer", "swas-open:DetachVpcInstanceToCen", "swas-open:LoginInstance", "swas-open:ModifyDatabaseInstanceDescription", "swas-open:ModifyDatabaseInstanceParameter", "swas-open:ModifyInstanceVncPassword", "swas-open:RebootInstance", "swas-open:RebootInstances", "swas-open:RemoveInstanceDomainDnsRecord", "swas-open:RenewInstance", "swas-open:RestartDatabaseInstance", "swas-open:StartDatabaseInstance", "swas-open:StartInstance", "swas-open:StartInstances", "swas-open:StopDatabaseInstance", "swas-open:StopInstance", "swas-open:StopInstances", "swas-open:UpdateInstanceAttribute", "swas-open:UpgradeInstance", "swas-open:UploadInstanceKeyPair", "swas-open:DescribeInstanceDomainDnsRecord", "swas-open:UnbindInstanceDomains", "swas-open:DescribeDatabaseInstanceMetricData", "swas-open:DescribeDatabaseInstanceParameters", "swas-open:DescribeDatabaseInstances", "swas-open:DescribeInstanceDomainRegistrationStatus", "swas-open:DescribeInstanceDomainResolveStatus", "swas-open:DescribeInstanceDomainsSetting", "swas-open:DescribeInstanceKeyPair", "swas-open:DescribeInstancePasswordsSetting", "swas-open:DescribeInstanceVncUrl", "swas-open:ListInstancePlansModification", "swas-open:ListInstanceStatus", "swas-open:ListInstancesTrafficPackages", "swas-open:ListUserCenAttachedVpcInstances" ], "Resource": "acs:swas-open:regionId:accountId:instance/instanceId" } ] } -
-
On the Create Policy page, click OK.
-
In the Create Policy dialog box, enter a Name and Remarks for the policy, and then click OK.
Step 2: Grant permissions to the RAM user
-
In the navigation pane on the left, choose Identities > Users.
-
On the Users page, find the RAM user and click Add Permissions in the Actions column.
-
In the Policies section, search for and select the custom policy that you created.
-
Click OK.
Step 3: Verify the permissions
-
Log on to the Simple Application Server console as the RAM user and select the region where the authorized instance is located.
An Access Denied dialog box appears. Click close.
The error details in the dialog box show the error code
NoPermissionfor theswas-open:ListInstancesaction. This error indicates that the user has insufficient permissions, which confirms that your access control policy is effective. -
In the search box, enter the ID of the authorized Simple Application Server instance. You can view and manage the instance.
Note-
You can view the authorized instance only by searching for its ID. If you search for any other instance, you receive an access denied message.
-
Because you granted permissions to manage only a specific instance, the system may check for other permissions on different pages. If an Access Denied dialog box appears, you can close it. You can still perform the authorized operations.
-