RAM用户相当于虚拟账号,其权限级别可随着RAM策略的变更而升高或降低,实现更安全可控的访问策略,并降低了云账号AccessKey密钥被泄露的风险。您可以使用云账号创建自定义策略,从API、ECS实例、云助手命令等维度实现权限控制,并授权给RAM用户。
背景信息
- 使用云助手API的权限。
- 执行指定的云助手命令的权限。
- 在指定的地域使用云助手API的权限。
- 在指定的ECS实例使用云助手API的权限。
操作步骤
- 使用云账号创建一个自定义策略。
具体步骤,请参见创建自定义策略。涉及使用云助手的自定义策略示例,请参见本文后续章节。
- 使用云账号为已创建的RAM用户授权RAM策略。
具体步骤,请参见为RAM用户授权。
- 授权您创建的自定义策略
- 授权阿里云提供的系统权限策略
- AliyunECSAssistantReadonlyAccess:允许RAM用户查看云助手命令和在云服务器ECS上执行记录的权限。
- AliyunECSAssistantFullAccess:允许RAM用户管理云助手命令和向云服务器ECS内发送命令的权限。
- 授权您创建的自定义策略
- 查看RAM用户账号,确认已被授权登录阿里云管理控制台。
- 使用RAM账号登录阿里云控制台。
具体步骤,请参见RAM用户登录控制台。
云助手管理员权限(可读可写)
授予以下权限后,RAM用户拥有云助手API的全部查询和操作权限。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTagKeys",
"ecs:DescribeTags",
"ecs:CreateCommand",
"ecs:DescribeCommands",
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:DeleteCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StopInvocation",
"ecs:DescribeCloudAssistantStatus",
"ecs:InstallCloudAssistant"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*"
]
}
]
}云助手查看权限(只读)
授予以下权限后,RAM用户可以查询云助手命令、任务记录、任务详情、ECS实例状态等,但不可以创建、执行或修改命令。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTagKeys",
"ecs:DescribeTags",
"ecs:DescribeCommands",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*"
]
}
]
}查询云助手客户端安装状态
相关API:DescribeCloudAssistantStatus
- 授予以下权限后,允许RAM用户查询所有ECS实例的云助手客户端安装状态。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] } - 通过在Resources列表中设置实例ID,授予以下权限后,RAM用户只能查看指定的ECS实例的云助手客户端安装状态。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx000a", "acs:ecs:*:*:instance/i-instancexxx000b" ] } ] }
查看云助手命令
相关API:DescribeCommands
- 授予以下权限后,允许RAM用户查看所有云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] } - 通过在Resources列表中设置资源ID,授予以下权限后,RAM用户只能查看指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
删除云助手命令
相关API:DeleteCommand
- 授予以下权限后,允许RAM用户删除所有云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] } - 通过在Resources列表中设置命令ID,授予以下权限后,RAM用户只能删除指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
创建云助手命令
相关API:CreateCommand
RAM用户至少需要以下权限,才能创建云助手命令。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCommand"
],
"Resource": [
"acs:ecs:*:*:command/*"
]
}
]
}执行命令
相关API:InvokeCommand
- 授予以下权限后,允许RAM用户在任意实例上执行命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/*" ] } ] } - 通过在Resources列表中设置实例ID,授予以下权限后,RAM用户只能在指定的ECS实例上执行云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] } - 通过在Resources列表中设置命令ID,授予以下权限后,RAM用户只能在ECS实例上执行指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b", "acs:ecs:*:*:instance/*" ] } ] } - 通过在Resources列表中设置命令ID和实例ID,授予以下权限后,RAM用户只能在指定的ECS实例上执行指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
立即执行命令
相关API:RunCommand
说明 如果调用RunCommand时,您指定了参数
KeepCommand=true,则需要在Resource列表中添加一行 "acs::ecs:*:*:command/*"。
- 授予以下权限后,允许RAM用户在任意实例上立即执行命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] } - 通过在Resources列表中设置实例ID,授予以下权限后,RAM用户只能在指定的ECS实例上立即执行云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
查询命令执行结果
相关API:DescribeInvocations
- 授予以下权限后,允许RAM用户在任意实例上查询命令执行结果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*" ] } ] } - 通过在Resources列表中设置实例ID,授予以下权限后,RAM用户只能在指定的ECS实例上查询命令执行结果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/*" ] } ] } - 通过在Resources列表中设置命令ID,授予以下权限后,RAM用户只能在ECS实例上查询指定的命令执行结果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] } - 通过在Resources列表中设置命令ID和实例ID,授予以下权限后,RAM用户只能在指定的ECS实例上执行指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
停止执行任务
相关API:StopInvocation
- 授予以下权限后,允许RAM用户停止任意实例上的执行任务。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] } - 通过在Resources列表中设置实例ID,授予以下权限后,RAM用户只能在指定的ECS实例上停止执行任务。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
设置地域限制
通过在权限策略元素的地域字段指定地域值,可以限制RAM用户的地域权限。例如只允许RAM用户在杭州地域使用云助手。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:CreateCommand",
"ecs:DescribeCommands",
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:DeleteCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StopInvocation",
"ecs:DescribeCloudAssistantStatus",
"ecs:InstallCloudAssistant"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:command/*",
"acs:ecs:cn-hangzhou:*:instance/*"
]
}
]
}
