Using Tag-based Authentication for Fine-grained Management of Auto Scaling
Background
You can achieve fine-grained management of Auto Scaling using tags together with Identity and Access Management (IAM).
- Tags are identifiers of cloud resources. They help you classify, search for, and aggregate cloud resources with the same feature and from different dimensions.
- IAM provides permission management. You can manage user identities and control access to and operations on cloud resources based on permission policies. For details, see What Is IAM?
This section describes how to use tag-based authentication to grant different permissions to different IAM users for improved management efficiency and reduced information leakage risks.
Example Scenarios
Assume that two AS groups have been created. The table below lists the AS groups and their tags.
| AS Group | Name | Tag |
|---|---|---|
| AS group 1 | asg-001 | team:game1, where team is the tag key and game1 is the tag value. |
| AS group 2 | asg-002 | team:game2, where team is the tag key and game2 is the tag value. |
You can use tag-based authentication to control the specific permissions of an IAM user on the preceding AS groups. The following are examples:
- Scenario 1: AS group 1 cannot be created unless team:game1 is attached to it.
- Scenario 2: Only AS group 1 with tag team:game1 attached can be queried.
- Scenario 3: AS group 1 and AS group 2 have tags team:game1 and team:game2 attached, respectively. Only AS group 1, with tag team:game1 attached, can be operated.
Procedure

Ensure that you have created an IAM user and granted read-only permissions for ECS, VPC, and IMS to the IAM user. If no IAM user is available, create one. For details, see Creating an IAM User.
- Create two AS groups. For details, see Creating an AS Group.
- Log in to the IAM console.
- Create a custom policy. For details, see Creating a Custom Policy.
You can set multiple tag-based authentication conditions for cloud resources to restrict the operation permissions on Auto Scaling resources. The table below lists the supported tag-based authentication conditions.
Table 2 Tag-based authentication conditions

| Condition Key | Description |
|---|---|
| g:RequestTag | A specific tag must be passed in the request; otherwise, authentication fails. If the API request does not contain a tag parameter, g:RequestTag cannot be used and authentication fails. |
| g:ResourceTag | The target resource must already carry a specific tag; otherwise, authentication fails. If the API request does not contain a resource ID parameter, g:ResourceTag cannot be used and authentication fails. |
- Scenario 1: AS group 1 cannot be created without a specific tag attached.
AS group 1 cannot be created unless team:game1 is attached to it.
The custom policy is as follows:
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["as:scalingGroup:create"],
      "Condition": {
        "StringEquals": {
          "g:RequestTag/team": ["game1"]
        }
      }
    },
    { "Effect": "Allow", "Action": ["as:scalingConfig:list"] },
    { "Effect": "Allow", "Action": ["as::listQuotas"] }
  ]
}
```
- Scenario 2: Only AS group 1 with a specific tag attached can be queried.
After AS group 1 has tag team:game1 attached, only AS group 1 resources can be queried.
The custom policy is as follows:
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["as:scalingGroup:get"],
      "Condition": {
        "StringEquals": {
          "g:ResourceTag/team": ["game1"]
        }
      }
    },
    { "Effect": "Allow", "Action": ["as:scalingConfig:list"] },
    { "Effect": "Allow", "Action": ["as::listQuotas"] }
  ]
}
```
- Scenario 3: Only AS group 1 can be operated.
AS group 1 and AS group 2 have tags team:game1 and team:game2 attached, respectively. Only AS group 1, with tag team:game1 attached, can be operated.
The custom policy is as follows:
```json
{
  "Version": "5.0",
  "Statement": [
    { "Effect": "Allow", "Action": ["as:scalingConfig:list"] },
    { "Effect": "Allow", "Action": ["as::listQuotas"] },
    { "Effect": "Allow", "Action": ["as:scalingGroup:update"] },
    {
      "Effect": "Allow",
      "Action": ["as:scalingGroup:resume", "as:scalingGroup:pause"],
      "Condition": {
        "StringEquals": {
          "g:ResourceTag/team": ["game1"]
        }
      }
    }
  ]
}
```
- Attach the custom policy to the IAM user you want to control access for. For details, see Assigning Permissions to an IAM User.
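To see how the conditions in Table 2 decide a request, here is an added Python simulation (not Huawei Cloud code and not the real IAM engine) that loads the three custom policies above and applies the g:RequestTag and g:ResourceTag StringEquals checks with default deny; it models only the Allow statements and the StringEquals operator used on this page.

```python
# Constructed miniature of how the g:RequestTag / g:ResourceTag conditions in the
# policies above are evaluated. Not the IAM engine: only the StringEquals operator
# and the Allow statements used on this page are modelled, with default deny.

# The three custom policies from the page, as Python dicts (same content).
SCENARIO1 = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["as:scalingGroup:create"],
     "Condition": {"StringEquals": {"g:RequestTag/team": ["game1"]}}},
    {"Effect": "Allow", "Action": ["as:scalingConfig:list"]},
    {"Effect": "Allow", "Action": ["as::listQuotas"]}]}
SCENARIO2 = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["as:scalingGroup:get"],
     "Condition": {"StringEquals": {"g:ResourceTag/team": ["game1"]}}},
    {"Effect": "Allow", "Action": ["as:scalingConfig:list"]},
    {"Effect": "Allow", "Action": ["as::listQuotas"]}]}
SCENARIO3 = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["as:scalingConfig:list"]},
    {"Effect": "Allow", "Action": ["as::listQuotas"]},
    {"Effect": "Allow", "Action": ["as:scalingGroup:update"]},
    {"Effect": "Allow", "Action": ["as:scalingGroup:resume", "as:scalingGroup:pause"],
     "Condition": {"StringEquals": {"g:ResourceTag/team": ["game1"]}}}]}


def condition_holds(condition, request_tags, resource_tags):
    """True if every StringEquals key in the condition matches the request context."""
    for key, allowed in condition.get("StringEquals", {}).items():
        source, _, tag_key = key.partition("/")
        if source == "g:RequestTag":      # tag carried in the API request body
            actual = request_tags.get(tag_key)
        elif source == "g:ResourceTag":   # tag already attached to the target resource
            actual = resource_tags.get(tag_key)
        else:
            return False                  # unsupported key: condition cannot be satisfied
        if actual not in allowed:         # missing tag (None) or wrong value fails
            return False
    return True


def is_allowed(policy, action, request_tags=None, resource_tags=None):
    """Default deny: allowed only if an Allow statement lists the action and its condition holds."""
    request_tags, resource_tags = request_tags or {}, resource_tags or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in stmt.get("Action", []):
            continue
        if condition_holds(stmt.get("Condition", {}), request_tags, resource_tags):
            return True
    return False
```

Running it also shows that the as:scalingGroup:update statement in the Scenario 3 policy carries no Condition, so the simulation allows update on either group; only resume and pause are tag-restricted by that policy as written.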
Verification
Verify whether the permission policy is applied.
- Scenario 1: AS group 1 cannot be created without a specific tag attached.
With tag team:game1 attached, AS group 1 is created successfully. If a tag other than team:game1 is attached to AS group 1, the system displays a message indicating that you do not have the required permissions to create AS group 1.
- Scenario 2: Only AS group 1 with a specific tag attached can be queried.
If you query AS group 1 (with tag team:game1 attached) without filtering tags, you can obtain the information about this AS group.
If you query an AS group (without tag team:game1 attached) other than AS group 1, no information is displayed.
- Scenario 3: Only AS group 1 can be operated.
You have permissions to modify AS group 1 (with tag team:game1 attached).
If you attempt to modify AS group 2, which has a tag other than team:game1 attached, the system displays a message indicating that you do not have the required permissions to modify this AS group.