Manage a specific instance with a RAM user

更新时间:
复制 MD 格式

You can create a custom permission policy that grants a RAM user fine-grained permissions to manage a specific Simple Application Server instance.

Prerequisites

You have a RAM user. For more information, see Create a RAM user.

Procedure

Step 1: Create a custom permission policy

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the navigation pane on the left, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the Visual editor or JSON tab.

    This example selects all actions that contain the keyword Instance for a specific Simple Application Server instance.

    Visual editor

    This method is intuitive.

    1. For Effect, select Allowed.

    2. For Service, select Simple Application Server.

    3. For Actions, select Select action(s), and then select the actions to authorize.

      In this example, all operations that contain Instance are selected by entering Instance in the search box to filter the results. In practice, you can select specific operations as needed.

    4. For Resources, select Specific resource(s). Then, click Add resource next to the resource ARN format acs:swas-open:{#regionId}:{#accountId}:instance/{#instanceId}.

    5. In the Add resource dialog box, specify the region ID and instance ID, and then click OK.

      Note

      You can select Match all to quickly select all associated resources.

    JSON

    This method provides flexibility and is suitable for users who are familiar with permission policy syntax. In the editor, paste the following content and replace the placeholders with your actual values:

    Note

    For more information about the basic elements and syntax of a permission policy, see Policy elements and Policy structure and syntax.

    • regionId: Replace this with the region ID. Example: cn-beijing.

    • accountId: Replace this with your Alibaba Cloud account ID. Example: 160998252992****.

    • instanceId: Replace this with the ID of the Simple Application Server instance. Example: a16ff078e66f4515ad96e93aebb0****.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "swas-open:ListInstances",
            "swas-open:AddInstanceDomainDnsRecord",
            "swas-open:AttachInstanceToLoadBalancer",
            "swas-open:AttachVpcInstanceToCen",
            "swas-open:BindInstanceDomain",
            "swas-open:CreateInstanceKeyPair",
            "swas-open:CreateInstances",
            "swas-open:DeleteInstance",
            "swas-open:DeleteInstanceKeyPair",
            "swas-open:DescribeInstanceDomains",
            "swas-open:DetachInstanceFromLoadBalancer",
            "swas-open:DetachVpcInstanceToCen",
            "swas-open:LoginInstance",
            "swas-open:ModifyDatabaseInstanceDescription",
            "swas-open:ModifyDatabaseInstanceParameter",
            "swas-open:ModifyInstanceVncPassword",
            "swas-open:RebootInstance",
            "swas-open:RebootInstances",
            "swas-open:RemoveInstanceDomainDnsRecord",
            "swas-open:RenewInstance",
            "swas-open:RestartDatabaseInstance",
            "swas-open:StartDatabaseInstance",
            "swas-open:StartInstance",
            "swas-open:StartInstances",
            "swas-open:StopDatabaseInstance",
            "swas-open:StopInstance",
            "swas-open:StopInstances",
            "swas-open:UpdateInstanceAttribute",
            "swas-open:UpgradeInstance",
            "swas-open:UploadInstanceKeyPair",
            "swas-open:DescribeInstanceDomainDnsRecord",
            "swas-open:UnbindInstanceDomains",
            "swas-open:DescribeDatabaseInstanceMetricData",
            "swas-open:DescribeDatabaseInstanceParameters",
            "swas-open:DescribeDatabaseInstances",
            "swas-open:DescribeInstanceDomainRegistrationStatus",
            "swas-open:DescribeInstanceDomainResolveStatus",
            "swas-open:DescribeInstanceDomainsSetting",
            "swas-open:DescribeInstanceKeyPair",
            "swas-open:DescribeInstancePasswordsSetting",
            "swas-open:DescribeInstanceVncUrl",
            "swas-open:ListInstancePlansModification",
            "swas-open:ListInstanceStatus",
            "swas-open:ListInstancesTrafficPackages",
            "swas-open:ListUserCenAttachedVpcInstances"
          ],
          "Resource": "acs:swas-open:regionId:accountId:instance/instanceId"
        }
      ]
    }
  5. On the Create Policy page, click OK.

    If you add many statements and select a large number of operations, the policy document may exceed the length limit, and you cannot click OK. You can submit a ticket to increase the maximum length of the policy document.

  6. In the Create Policy dialog box, enter a Name and Remarks for the policy, and then click OK.

Step 2: Grant permissions to the RAM user

  1. In the navigation pane on the left, choose Identities > Users.

  2. On the Users page, find the RAM user and click Add Permissions in the Actions column.

  3. In the Policies section, search for and select the custom policy that you created.

  4. Click OK.

Step 3: Verify the permissions

  1. Log on to the Simple Application Server console as the RAM user and select the region where the authorized instance is located.

    An Access Denied dialog box appears. Click close.

    The error details in the dialog box show the error code NoPermission for the swas-open:ListInstances action. This error indicates that the user has insufficient permissions, which confirms that your access control policy is effective.

  2. In the search box, enter the ID of the authorized Simple Application Server instance. You can view and manage the instance.

    Note
    • You can view the authorized instance only by searching for its ID. If you search for any other instance, you receive an access denied message.

    • Because you granted permissions to manage only a specific instance, the system may check for other permissions on different pages. If an Access Denied dialog box appears, you can close it. You can still perform the authorized operations.