授權(quán)RAM用戶使用云助手
您可以授予RAM用戶不同的RAM策略,從而提升或降低RAM用戶的權(quán)限級(jí)別,實(shí)現(xiàn)更安全可控的訪問(wèn),并有效降低阿里云賬號(hào)AccessKey密鑰被泄露的風(fēng)險(xiǎn)。本文介紹了授權(quán)步驟,并給出了云助手相關(guān)的RAM策略示例。
背景信息
權(quán)限策略分為您自行創(chuàng)建的自定義策略和阿里云提供的系統(tǒng)策略。具體到云助手,除系統(tǒng)策略外,您可以從地域、ECS實(shí)例、云助手命令、托管實(shí)例激活碼等維度設(shè)計(jì)自定義策略,并授權(quán)給RAM用戶使用,從而靈活控制RAM用戶使用云助手的權(quán)限。
操作步驟
使用阿里云賬號(hào)(主賬號(hào))創(chuàng)建一個(gè)RAM用戶。
具體操作,請(qǐng)參見(jiàn)創(chuàng)建RAM用戶。
使用阿里云賬號(hào)創(chuàng)建一個(gè)自定義策略。具體操作,請(qǐng)參見(jiàn)創(chuàng)建自定義權(quán)限策略。
常見(jiàn)云助手功能涉及的自定義策略如下表所示:
云助手功能
自定義策略示例
云助手
云助手Agent
云助手命令
發(fā)送文件
運(yùn)維任務(wù)執(zhí)行記錄投遞
托管實(shí)例
會(huì)話管理
使用阿里云賬號(hào)為已創(chuàng)建的RAM用戶授予權(quán)限。
具體操作,請(qǐng)參見(jiàn)為RAM用戶授權(quán)。
指定您自行創(chuàng)建的自定義策略
指定阿里云提供的系統(tǒng)策略
AliyunECSAssistantFullAccess:允許RAM用戶管理ECS云助手服務(wù)的權(quán)限。
AliyunECSAssistantReadonlyAccess:允許RAM用戶只讀訪問(wèn)ECS云助手服務(wù)的權(quán)限。
您可以在RAM控制臺(tái)查看系統(tǒng)策略的策略內(nèi)容等基本信息,具體操作,請(qǐng)參見(jiàn)查看權(quán)限策略基本信息。
查看RAM用戶信息,確認(rèn)已被授權(quán)登錄阿里云管理控制臺(tái)。
如果未開(kāi)啟控制臺(tái)訪問(wèn)權(quán)限,RAM用戶只能調(diào)用API使用云助手。具體步驟,請(qǐng)參見(jiàn)查看RAM用戶的權(quán)限。
使用RAM用戶登錄阿里云控制臺(tái)。
具體步驟,請(qǐng)參見(jiàn)RAM用戶登錄阿里云控制臺(tái)。
使用RAM用戶登錄ECS管理控制臺(tái)云助手頁(yè)面,RAM用戶開(kāi)始使用云助手。
云助手自定義策略示例
云助手管理員權(quán)限(可讀可寫)
授予以下權(quán)限后,RAM用戶擁有云助手API的全部查詢和操作權(quán)限。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*",
"acs:ecs:*:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}云助手查看權(quán)限(只讀)
授予以下權(quán)限后,RAM用戶擁有云助手API的全部查詢權(quán)限。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/*"
]
}
]
}設(shè)置云助手的地域限制
通過(guò)在權(quán)限策略元素的地域字段指定地域值,可以限制RAM用戶的地域權(quán)限。例如只允許RAM用戶在華東1(杭州)地域使用云助手。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:instance/*",
"acs:ecs:cn-hangzhou:*:command/*",
"acs:ecs:cn-hangzhou:*:activation/*",
"acs:ecs:cn-hangzhou:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:servicesettings/*"
]
}
]
}云助手Agent
查詢云助手Agent安裝狀態(tài)
相關(guān)API:DescribeCloudAssistantStatus
授予以下權(quán)限后,允許RAM用戶查詢所有ECS實(shí)例的云助手Agent安裝狀態(tài)。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能查看指定的ECS實(shí)例的云助手Agent安裝狀態(tài)。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx000a", "acs:ecs:*:*:instance/i-instancexxx000b" ] } ] }
安裝云助手Agent
相關(guān)API:InstallCloudAssistant
授予以下權(quán)限后,允許RAM用戶為任意ECS實(shí)例安裝云助手Agent。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能為指定ECS實(shí)例安裝云助手Agent。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
云助手命令自定義策略示例
查看云助手命令
相關(guān)API:DescribeCommands
授予以下權(quán)限后,允許RAM用戶查看所有云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }通過(guò)在Resource列表中設(shè)置資源ID,授予以下權(quán)限后,RAM用戶只能查看指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
刪除云助手命令
相關(guān)API:DeleteCommand
授予以下權(quán)限后,允許RAM用戶刪除所有云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }通過(guò)在Resource列表中設(shè)置命令I(lǐng)D,授予以下權(quán)限后,RAM用戶只能刪除指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
創(chuàng)建云助手命令
相關(guān)API:CreateCommand
RAM用戶至少需要以下權(quán)限,才能創(chuàng)建云助手命令。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCommand"
],
"Resource": [
"acs:ecs:*:*:command/*"
]
}
]
}修改云助手命令
相關(guān)API:ModifyCommand
授予以下權(quán)限后,允許RAM用戶修改任意云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能修改指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
執(zhí)行命令
相關(guān)API:InvokeCommand
授予以下權(quán)限后,允許RAM用戶在任意實(shí)例上執(zhí)行命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能在指定的ECS實(shí)例上執(zhí)行云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }通過(guò)在Resource列表中設(shè)置命令I(lǐng)D,授予以下權(quán)限后,RAM用戶只能在ECS實(shí)例上執(zhí)行指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b", "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置命令I(lǐng)D和實(shí)例ID,授予以下權(quán)限后,RAM用戶只能在指定的ECS實(shí)例上執(zhí)行指定的命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
立即執(zhí)行命令
相關(guān)API:RunCommand
如果調(diào)用RunCommand時(shí),您指定了參數(shù)KeepCommand=true,則需要在Resource列表中添加一行 "acs::ecs:*:*:command/*"。
授予以下權(quán)限后,允許RAM用戶在任意實(shí)例上立即執(zhí)行命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能在指定的ECS實(shí)例上立即執(zhí)行云助手命令。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
查詢命令執(zhí)行結(jié)果
相關(guān)API:DescribeInvocations
授予以下權(quán)限后,允許RAM用戶在任意實(shí)例上查詢命令執(zhí)行結(jié)果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能在指定的ECS實(shí)例上查詢命令執(zhí)行結(jié)果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/*" ] } ] }通過(guò)在Resource列表中設(shè)置命令I(lǐng)D,授予以下權(quán)限后,RAM用戶只能在ECS實(shí)例上查詢指定的命令執(zhí)行結(jié)果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }通過(guò)在Resource列表中設(shè)置命令I(lǐng)D和實(shí)例ID,授予以下權(quán)限后,RAM用戶只能在指定的ECS實(shí)例上查詢指定的命令執(zhí)行結(jié)果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs: DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
修改定時(shí)任務(wù)的執(zhí)行信息
相關(guān)API:ModifyInvocationAttribute
授予以下權(quán)限后,允許RAM用戶修改任意定時(shí)任務(wù)的執(zhí)行信息,并將任意實(shí)例加入定時(shí)任務(wù)。
當(dāng)您修改了
CommandContent,且調(diào)用InvokeCommand或調(diào)用RunCommand時(shí)設(shè)置KeepCommand為true創(chuàng)建任務(wù),將會(huì)新增一條命令并長(zhǎng)期保留,因此需要在調(diào)用ModifyInvocationAttribute前,在Resource列表中添加一行acs:ecs:*:*:command/*。{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }通過(guò)在Resource列表中設(shè)置任務(wù)ID,授予以下權(quán)限后,RAM用戶只能修改指定任務(wù)的執(zhí)行信息,并將任意實(shí)例加入指定任務(wù)。
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,允許RAM用戶修改任意定時(shí)任務(wù)的執(zhí)行信息,且只能將指定實(shí)例加入定時(shí)任務(wù)。
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID與任務(wù)ID,授予以下權(quán)限后,RAM用戶只能修改指定任務(wù)的執(zhí)行信息,且只能將指定實(shí)例加入定時(shí)任務(wù)。
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
停止執(zhí)行任務(wù)
相關(guān)API:StopInvocation
授予以下權(quán)限后,允許RAM用戶在任意實(shí)例上停止進(jìn)行中(Running)的云助手命令進(jìn)程。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能在指定的ECS實(shí)例上停止進(jìn)行中(Running)的云助手命令進(jìn)程。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
發(fā)送文件自定義策略示例
上傳本地文件
相關(guān)API:SendFile
授予以下權(quán)限后,允許RAM用戶上傳本地文件到任意ECS實(shí)例。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能上傳本地文件到指定的ECS實(shí)例。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
查詢文件上傳結(jié)果
相關(guān)API:DescribeSendFileResults
授予以下權(quán)限后,允許RAM用戶查詢?nèi)我鈱?shí)例的文件上傳結(jié)果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能查詢指定ECS實(shí)例的文件上傳結(jié)果。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
運(yùn)維任務(wù)執(zhí)行記錄投遞自定義策略示例
查詢和修改運(yùn)維任務(wù)執(zhí)行記錄投遞功能的配置
授予以下權(quán)限后,允許RAM用戶查詢和修改運(yùn)維任務(wù)執(zhí)行記錄投遞功能的配置。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}查詢運(yùn)維任務(wù)執(zhí)行記錄投遞功能的配置
授予以下權(quán)限后,允許RAM用戶查詢運(yùn)維任務(wù)執(zhí)行記錄投遞功能的配置。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}設(shè)置運(yùn)維任務(wù)執(zhí)行記錄投遞功能的地域限制
通過(guò)在權(quán)限策略元素的地域字段指定地域值,可以限制RAM用戶的地域級(jí)別訪問(wèn)權(quán)限。
授予以下權(quán)限后,只允許RAM用戶在華東1(杭州)地域查詢和修改運(yùn)維任務(wù)執(zhí)行記錄投遞功能的配置。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }授予以下權(quán)限后,只允許RAM用戶在華東1(杭州)地域查詢運(yùn)維任務(wù)執(zhí)行記錄投遞功能的配置。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
查詢和修改會(huì)話操作記錄投遞功能的配置
授予以下權(quán)限后,允許RAM用戶查詢和修改會(huì)話操作記錄投遞功能的配置。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}查詢會(huì)話操作記錄投遞功能的配置
授予以下權(quán)限后,允許RAM用戶查詢會(huì)話操作記錄投遞功能的配置。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}設(shè)置會(huì)話操作記錄投遞功能的地域限制
通過(guò)在權(quán)限策略元素的地域字段指定地域值,可以限制RAM用戶的地域級(jí)別訪問(wèn)權(quán)限。
授予以下權(quán)限后,只允許RAM用戶在華東1(杭州)地域查詢和修改會(huì)話操作記錄投遞功能的配置。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCloudAssistantSettings", "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }授予以下權(quán)限后,只允許RAM用戶在華東1(杭州)地域查詢會(huì)話操作記錄投遞功能的配置。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCloudAssistantSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
查詢OSS存儲(chǔ)空間
使用運(yùn)維任務(wù)執(zhí)行記錄或會(huì)話操作記錄投遞功能時(shí),如果需要投遞到OSS,則需要授予以下權(quán)限允許RAM用戶查詢OSS存儲(chǔ)空間。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": "*"
}
]
}運(yùn)維任務(wù)執(zhí)行記錄或會(huì)話操作記錄投遞到OSS后,為了便于進(jìn)行查詢、分析等操作,您還需要了解OSS的權(quán)限控制規(guī)則。更多信息,請(qǐng)參見(jiàn)OSS RAM Policy概述和OSS RAM Policy常見(jiàn)示例。
查詢SLS項(xiàng)目與日志庫(kù)
使用運(yùn)維任務(wù)執(zhí)行記錄或會(huì)話操作記錄投遞功能時(shí),如果需要投遞到SLS,則需要授予以下權(quán)限允許RAM用戶查詢SLS項(xiàng)目與對(duì)應(yīng)的日志庫(kù)。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"log:ListProject",
"log:ListLogStores"
],
"Resource": "*"
}
]
}運(yùn)維任務(wù)執(zhí)行記錄或會(huì)話操作記錄投遞到SLS后,為了便于進(jìn)行查詢、分析等操作,您還需要了解SLS的權(quán)限控制規(guī)則。更多信息,請(qǐng)參見(jiàn)SLS鑒權(quán)規(guī)則概覽。
托管實(shí)例自定義策略示例
注銷托管實(shí)例
相關(guān)API:DeregisterManagedInstance
授予以下權(quán)限后,允許RAM用戶注銷任意托管實(shí)例。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能注銷指定托管實(shí)例。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
查詢托管實(shí)例
相關(guān)API:DescribeManagedInstances
授予以下權(quán)限后,允許RAM用戶查詢?nèi)我馔泄軐?shí)例的信息。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能查詢指定托管實(shí)例的信息。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
創(chuàng)建托管實(shí)例激活碼
相關(guān)API:CreateActivation
RAM用戶至少需要以下權(quán)限,才能創(chuàng)建阿里云托管實(shí)例激活碼,用于將非阿里云服務(wù)器注冊(cè)為阿里云托管實(shí)例。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateActivation"
],
"Resource": [
"acs:ecs:*:*:activation/*"
]
}
]
}禁用托管實(shí)例激活碼
相關(guān)API:DisableActivation
授予以下權(quán)限后,允許RAM用戶禁用任意阿里云托管實(shí)例激活碼。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能禁用指定阿里云托管實(shí)例激活碼。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
查詢托管實(shí)例激活碼
相關(guān)API:DescribeActivations
授予以下權(quán)限后,允許RAM用戶查詢已創(chuàng)建的托管實(shí)例激活碼以及激活碼的使用情況。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能查詢已創(chuàng)建的指定托管實(shí)例激活碼以及激活碼的使用情況。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
刪除托管實(shí)例激活碼
相關(guān)API:DeleteActivation
授予以下權(quán)限后,允許RAM用戶刪除任意未被使用的托管實(shí)例激活碼。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能刪除指定的未被使用的托管實(shí)例激活碼。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
云助手Agent升級(jí)配置自定義策略示例
相關(guān)API:ModifyCloudAssistantSettings - 修改云助手服務(wù)配置、DescribeCloudAssistantSettings - 查詢?cè)浦址?wù)配置。
查詢和修改云助手Agent升級(jí)配置
授予以下權(quán)限后,允許RAM用戶查詢和修改云助手Agent升級(jí)配置。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ModifyCloudAssistantSettings",
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}查詢?cè)浦諥gent升級(jí)配置
授予以下權(quán)限后,允許RAM用戶查詢?cè)浦諥gent升級(jí)配置。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeCloudAssistantSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/AgentUpgradeConfig"
]
}
]
}Session Manager自定義策略示例
相關(guān)API:StartTerminalSession - 開(kāi)始終端會(huì)話、DescribeTerminalSessions - 查看Session Manager會(huì)話歷史記錄。
創(chuàng)建和查詢會(huì)話管理(Session Manager)
授予以下權(quán)限后,允許RAM用戶創(chuàng)建和查詢會(huì)話管理(Session Manager)。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }通過(guò)在Resource列表中設(shè)置實(shí)例ID,授予以下權(quán)限后,RAM用戶只能給指定實(shí)例創(chuàng)建Session Manager,查詢指定實(shí)例的Session Manager記錄。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTerminalSession", "ecs:DescribeTerminalSessions" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }