文档

通过标签实现RAM用户鉴权

更新时间:

标签可用于标识云资源,实现资源的分类管理;访问控制RAM可基于权限策略,管理用户身份,控制云资源的访问和操作权限。标签和RAM结合,将标签作为权限策略的匹配条件,可以实现云资源的精细化权限管理,提升资源管理的效率。

基于标签控制RAM用户权限(即标签鉴权)的逻辑如下:

image

配置示例

  1. 使用阿里云账号(主账号)登录RAM控制台

  2. 创建自定义策略。具体操作,请参见创建自定义权限策略

    您可以在策略(Condition)中为云资源设置多个标签条件来限制操作权限。支持的标签鉴权条件如下:

    标签鉴权条件

    说明

    acs:RequestTag

    在请求中必须传入特定的标签。

    重要

    如果API请求中没有标签参数,则不能使用acs:RequestTag,否则会导致鉴权失败。

    acs:ResourceTag

    指定的资源必须包含特定的标签。

    重要

    如果API请求中没有资源ID参数,则不能使用acs:ResourceTag,否则会导致鉴权失败。

    权限策略示例

    以下策略可实现:

    • 允许创建ECS资源,前提是创建时需给资源绑定标签costcenter:tony

    • 允许任何操作,前提是资源携带了标签costcenter:tony

    • 允许查看实例的某些信息,前提是该实例携带了标签costcenter:tony

    • 禁止管理标签(包括修改、添加、删除等),以防止标签被修改。

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:Run*",
                    "ecs:Create*",
                    "ecs:Purchase*",
                    "ecs:DescribeInstances",
                    "ecs:List*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "acs:RequestTag/costcenter": "tony"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "acs:ResourceTag/costcenter": "tony"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:List*",
                    "ecs:DescribeInstanceStatus",
                    "ecs:DescribeInstanceVncUrl",
                    "ecs:DescribeInstanceAutoRenewAttribute",
                    "ecs:DescribeInstanceRamRole",
                    "ecs:DescribeInstanceTypeFamilies",
                    "ecs:DescribeInstanceTypes",
                    "ecs:DescribeInstanceAttachmentAttributes",
                    "ecs:DescribeInstancesFullStatus",
                    "ecs:DescribeInstanceHistoryEvents",
                    "ecs:DescribeInstanceMonitorData",
                    "ecs:DescribeInstanceMaintenanceAttributes",
                    "ecs:DescribeInstanceModificationPrice",
                    "ecs:DescribeA*",
                    "ecs:DescribeC*",
                    "ecs:DescribeD*",
                    "ecs:DescribeE*",
                    "ecs:DescribeH*",
                    "ecs:DescribeIm*",
                    "ecs:DescribeInv*",
                    "ecs:DescribeK*",
                    "ecs:DescribeL*",
                    "ecs:DescribeM*",
                    "ecs:DescribeN*",
                    "ecs:DescribeP*",
                    "ecs:DescribeR*",
                    "ecs:DescribeS*",
                    "ecs:DescribeT*",
                    "ecs:DescribeZ*",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "bss:PayOrder"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:RemoveTags",
                    "ecs:UntagResources",
                    "ecs:AddTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ]
    }
  3. 将自定义策略授权给您希望控制访问的RAM用户或组。具体操作,请参见为RAM用户授权为RAM用户组授权

    说明

    如果您将自定义策略授权给已存在的RAM用户,请注意RAM用户多个权限策略产生的权限问题。

  • 本页导读 (0)