您可以為ECS實例綁定標簽,然后通過RAM的自定義策略指定授權的標簽,利用標簽限制RAM用戶只能查看和管理指定的ECS實例。
背景信息
基于標簽限制RAM用戶權限(即標簽鑒權)的邏輯如下圖所示。
自定義策略中是通過條件(Condition)指定授權的標簽。標簽支持的Condition如下:
acs:RequestTag/<tag-key>:請求中傳遞的標簽信息。即用戶在調用API的時候,請求參數里面必須攜帶的標簽。acs:ResourceTag/<tag-key>:請求訪問的資源上綁定的標簽信息。即用戶在操作某個資源的時候,資源上必須具備的標簽。
操作步驟
以下將提供一個示例,僅允許RAM用戶(Alice)查看和管理綁定了標簽owner:alice和environment:production的ECS實例,無權查看和管理其他ECS實例。
在以下整個授權過程中,ECS實例可以正常工作,不會產生任何影響。
以下操作使用賬號管理員完成。
在RAM控制臺,創建RAM用戶(Alice)。
具體操作,請參見創建RAM用戶。
為ECS實例綁定標簽。
本示例中,需要為ECS實例綁定標簽
owner:alice和environment:production。以下兩種綁定標簽的方法您可以任選其一:
在標簽控制臺綁定標簽:創建并綁定自定義標簽。
在RAM控制臺,創建自定義策略(UseTagAccessRes)。
自定義策略內容如下所示。具體操作,請參見創建自定義權限策略。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ecs:*", "Resource": "*", "Condition": { "StringEquals": { "acs:ResourceTag/owner": [ "alice" ], "acs:ResourceTag/environment": [ "production" ] } } }, { "Effect": "Allow", "Action": "ecs:*", "Resource": "*", "Condition": { "StringEquals": { "acs:RequestTag/owner": [ "alice" ], "acs:RequestTag/environment": [ "production" ] } } }, { "Effect": "Allow", "Action": [ "ecs:List*", "ecs:DescribeInstanceStatus", "ecs:DescribeInstanceVncUrl", "ecs:DescribeInstanceAutoRenewAttribute", "ecs:DescribeInstanceRamRole", "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes", "ecs:DescribeInstanceAttachmentAttributes", "ecs:DescribeInstancesFullStatus", "ecs:DescribeInstanceHistoryEvents", "ecs:DescribeInstanceMonitorData", "ecs:DescribeInstanceMaintenanceAttributes", "ecs:DescribeInstanceModificationPrice", "ecs:DescribeA*", "ecs:DescribeC*", "ecs:DescribeD*", "ecs:DescribeE*", "ecs:DescribeH*", "ecs:DescribeIm*", "ecs:DescribeInv*", "ecs:DescribeK*", "ecs:DescribeL*", "ecs:DescribeM*", "ecs:DescribeN*", "ecs:DescribeP*", "ecs:DescribeR*", "ecs:DescribeS*", "ecs:DescribeT*", "ecs:DescribeZ*", "vpc:DescribeVpcs", "vpc:DescribeVSwitches" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources" ], "Resource": "*" } ] }策略說明:
策略內容
策略說明
{ "Effect": "Allow", "Action": "ecs:*", "Resource": "*", "Condition": { "StringEquals": { "acs:RequestTag/owner": "alice", "acs:RequestTag/environment": "production" } } }允許通過標簽
owner:alice和environment:production篩選對應的ECS實例。{ "Effect": "Allow", "Action": "ecs:*", "Resource": "*", "Condition": { "StringEquals": { "acs:ResourceTag/owner": [ "alice" ], "acs:ResourceTag/environment": [ "production" ] } } }允許對綁定了標簽
owner:alice和environment:production的ECS實例進行管理操作。{ "Effect": "Allow", "Action": [ "ecs:List*", "ecs:DescribeInstanceStatus", "ecs:DescribeInstanceVncUrl", "ecs:DescribeInstanceAutoRenewAttribute", "ecs:DescribeInstanceRamRole", "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes", "ecs:DescribeInstanceAttachmentAttributes", "ecs:DescribeInstancesFullStatus", "ecs:DescribeInstanceHistoryEvents", "ecs:DescribeInstanceMonitorData", "ecs:DescribeInstanceMaintenanceAttributes", "ecs:DescribeInstanceModificationPrice", "ecs:DescribeA*", "ecs:DescribeC*", "ecs:DescribeD*", "ecs:DescribeE*", "ecs:DescribeH*", "ecs:DescribeIm*", "ecs:DescribeInv*", "ecs:DescribeK*", "ecs:DescribeL*", "ecs:DescribeM*", "ecs:DescribeN*", "ecs:DescribeP*", "ecs:DescribeR*", "ecs:DescribeS*", "ecs:DescribeT*", "ecs:DescribeZ*", "vpc:DescribeVpcs", "vpc:DescribeVSwitches" ], "Resource": "*" }允許查看ECS實例的相關信息。
{ "Effect": "Deny", "Action": [ "ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources" ], "Resource": "*" }不允許刪除、解綁、創建、綁定標簽。
避免RAM用戶因修改標簽導致沒有權限。
在RAM控制臺,為RAM用戶(Alice)授權。
其中,授權范圍選擇整個云賬號,授權主體選擇RAM用戶(Alice),權限策略選擇自定義策略(UseTagAccessRes)。具體操作,請參見為RAM用戶授權。
結果驗證
使用RAM用戶(Alice)登錄ECS控制臺。
具體操作,請參見RAM用戶登錄阿里云控制臺。
在左側導航欄,選擇。
在頂部菜單欄左上角處,選擇地域。
在實例頁面,單擊搜索欄旁邊的標簽篩選,選擇
owner:alice和environment:production標簽。
重要只有RAM用戶選擇了對應標簽后,RAM用戶才能看到綁定了該標簽的ECS實例。否則,RAM用戶無法看到任何ECS實例。
查看和管理僅綁定了
owner:alice和environment:production標簽的ECS實例。
相關文檔
ECS的RAM鑒權規則詳情,請參見鑒權規則。