Updated on 2023-08-03 GMT+08:00

Resource-Level Authorization

Types of Resources That Can Be Authorized

Resource-level authorization specifies the resources on which users are allowed to perform operations. Certain ECS APIs support resource-level authorization, which means that a permission for such an API can be scoped to specific ECS resources rather than to every ECS in the account. Table 1 lists the types of resources that can be authorized in permission policies.

Table 1 Types of resources that can be authorized

Resource Type    Unique ID in Permission Policy
Instance         ECS:$region:$domainId:instance:$instanceId

When setting the unique resource ID in a permission policy, replace the variables $region, $domainId, and $instanceId with the actual values, or use the wildcard (*) for any position that should match all values.

The APIs marked with × in the Authorization by Instance column of the API tables from Lifecycle Management to Tag Management do not support resource-level authorization. You can still grant user permissions for these APIs, but only by setting Resource in the policy syntax to the wildcard (*), which means the grant applies to every ECS the policy covers.

The following example shows how to create a resource-level policy that allows starting, stopping, and restarting ECS 9e0263ee-542a-4114-bf4a-5dd14d3f8a18. The wildcards in the $region and $domainId positions mean the statement matches this instance ID wherever it appears; the three actions are not granted for any other ECS:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:cloudServers:start",
                "ecs:cloudServers:reboot",
                "ecs:cloudServers:stop"
            ],
            "Resource": [
                "ECS:*:*:instance:9e0263ee-542a-4114-bf4a-5dd14d3f8a18"
            ]
        }
    ]
}

Using Tags to Control Resource Access

After attaching a tag to an ECS, you can use the tag to group resources and control access to them. Attach one or more tags to the resources, then create custom policies whose conditions reference those tags and attach the policies to IAM users or user groups. An IAM user can then perform the tag-conditioned actions only on ECSs that carry the matching tag.

Step 1: Create a policy and grant permissions using the master account.

Create a custom policy named policyTest using the master account and attach it to an IAM user or user group.

  1. Log in to the IAM console using the master account.
  2. Create a custom policy named policyTest with the following content:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:cloudServers:start",
                    "ecs:cloudServers:reboot",
                    "ecs:cloudServers:stop"
                ],
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "g:ResourceTag/team": [
                            "dev"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:cloudServers:list",
                    "ecs:cloudServers:showServer",
                    "ecs:cloudServers:showServerTags"
                ]
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:cloudServers:batchSetServerTags"
                ]
            }
        ]
    }

    Action                                     Policy Content                        Description
    Start, stop, and restart tagged resources  "g:ResourceTag/team": "dev"           Allows users to start, stop, and restart ECSs tagged with team=dev
    Query ECS details and attached tags        ecs:cloudServers:list                 Allows users to view ECSs and their attached tags on the ECS console
                                               ecs:cloudServers:showServer
                                               ecs:cloudServers:showServerTags
    Do not perform operations on tags          ecs:cloudServers:batchSetServerTags   Denies operations on the tags attached to resources

    Two details of this policy matter for security. StringEqualsIgnoreCase compares the tag value case-insensitively, so an ECS tagged team=Dev satisfies the condition as well as team=dev. The explicit Deny on ecs:cloudServers:batchSetServerTags is what keeps the tag-based grant from being self-expanding: without it, a user who is allowed to set tags (for example through another policy attached to a group they belong to) could add team=dev to any ECS and thereby grant themselves start, stop, and reboot on it. An explicit Deny takes precedence over an Allow granted elsewhere.

  3. Attach the policy to IAM users or user groups.

Step 2: Attach a tag to resources using the master account.

Attach a specific tag to ECSs for tag-based access control.

  1. Log in to the management console.
  2. Click the target ECS. On the displayed page, click Tags.
  3. Click Add Tag to create tag team:dev.

Step 3: Access an ECS with tag team:dev as an IAM user.

Log in to the ECS console as an IAM user and perform operations on the tagged ECSs.

  1. Log in to the management console as an IAM user.
  2. Select a region and view the list of all ECSs in the region.
  3. Filter the list by the tag team=dev.
  4. Start, stop, or restart the tagged ECSs. The same operations on an ECS that does not carry the tag are rejected, because no statement in policyTest allows them.

The APIs marked with × in the Authorization by Tag column of the API tables from Lifecycle Management to Tag Management do not support tag-based access control. You can still grant user permissions for these APIs, but only without a g:ResourceTag condition in the policy syntax, which means the grant applies regardless of which tags a resource carries.
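The following is an added worked example, not code from this page or from Huawei Cloud: a simplified model of the decision logic implied by the two policy shapes above, the resource-level policy for ECS 9e0263ee-542a-4114-bf4a-5dd14d3f8a18 and the tag-based policy policyTest. It assumes the usual combination rule (an explicit Deny wins, any matching Allow grants, no matching statement means Deny), models only the StringEqualsIgnoreCase operator and g:ResourceTag keys used on this page, and treats * in a Resource ID as matching any text. The region and domain ID in the sample resource IDs and the extra BROAD_TAGGING_POLICY are constructed for the demonstration; the instance ID and the two policies are copied from the page.

```python
# Simplified model of an IAM policy decision for the policy shapes on this
# page. Added example, not Huawei Cloud's policy engine: only the operators
# and keys used on the page are modelled. Assumed combination rule: an
# explicit Deny wins, any matching Allow grants, otherwise Deny.
from fnmatch import fnmatchcase

TAG_CONDITION_PREFIX = "g:ResourceTag/"

# Copied from the page: resource-level policy for one instance ID.
RESOURCE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:start", "ecs:cloudServers:reboot", "ecs:cloudServers:stop"],
            "Resource": ["ECS:*:*:instance:9e0263ee-542a-4114-bf4a-5dd14d3f8a18"],
        }
    ],
}

# Copied from the page: tag-based policy policyTest.
POLICY_TEST = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:start", "ecs:cloudServers:reboot", "ecs:cloudServers:stop"],
            "Condition": {"StringEqualsIgnoreCase": {"g:ResourceTag/team": ["dev"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:showServerTags"],
        },
        {"Effect": "Deny", "Action": ["ecs:cloudServers:batchSetServerTags"]},
    ],
}

# Constructed for this example: a broader policy the same user might also
# receive through a group. On its own it would let the user tag any ECS
# with team=dev and then start/stop it; the Deny in policyTest blocks that.
BROAD_TAGGING_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:cloudServers:batchSetServerTags"], "Resource": ["*"]}
    ],
}


def resource_matches(patterns, resource):
    """True if the resource ID matches any pattern. * stands for any text,
    so 'ECS:*:*:instance:<id>' matches that instance in every region/domain."""
    return any(fnmatchcase(resource, pattern) for pattern in patterns)


def condition_holds(condition, tags):
    """Evaluate a Condition block against the resource's tags.
    Only StringEqualsIgnoreCase on g:ResourceTag/<key> is modelled."""
    for operator, requirements in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise ValueError(f"operator not modelled: {operator}")
        for key, accepted in requirements.items():
            if not key.startswith(TAG_CONDITION_PREFIX):
                raise ValueError(f"condition key not modelled: {key}")
            actual = tags.get(key[len(TAG_CONDITION_PREFIX):])
            # A missing tag or a non-matching value means the statement does not apply.
            if actual is None or actual.lower() not in {v.lower() for v in accepted}:
                return False
    return True


def evaluate(policies, action, resource, tags=None):
    """Return 'Allow' or 'Deny' for one action on one resource.
    A statement without Resource applies to every resource; a statement
    without Condition applies regardless of tags."""
    decision = "Deny"  # default: nothing grants the action
    for policy in policies:
        for statement in policy["Statement"]:
            if action not in statement["Action"]:
                continue
            if not resource_matches(statement.get("Resource", ["*"]), resource):
                continue
            if not condition_holds(statement.get("Condition", {}), tags or {}):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides any Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed resource IDs: region and domain ID are placeholders.
    target = "ECS:cn-north-4:0123456789abcdef:instance:9e0263ee-542a-4114-bf4a-5dd14d3f8a18"
    other = "ECS:cn-north-4:0123456789abcdef:instance:00000000-0000-0000-0000-000000000000"
    print(evaluate([RESOURCE_POLICY], "ecs:cloudServers:start", target))             # Allow
    print(evaluate([RESOURCE_POLICY], "ecs:cloudServers:start", other))              # Deny
    print(evaluate([POLICY_TEST], "ecs:cloudServers:stop", other, {"team": "Dev"}))   # Allow
    print(evaluate([POLICY_TEST], "ecs:cloudServers:stop", other, {"team": "ops"}))   # Deny
    print(evaluate([POLICY_TEST, BROAD_TAGGING_POLICY],
                   "ecs:cloudServers:batchSetServerTags", other, {"team": "ops"}))   # Deny
```

The last call is the case worth checking in your own environment: with BROAD_TAGGING_POLICY alone the tagging action is allowed, but as soon as policyTest is also attached its explicit Deny wins, so the user cannot re-tag an ECS to bring it under the team=dev grant.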