Resource-Level Authorization
Types of Resources That Can Be Authorized
Resource-level authorization specifies the resources on which users are allowed to perform operations. Certain ECS APIs support resource-level authorization, which means you can use these APIs to control access to specific ECS resources. Table 1 lists the types of resources that can be authorized in permission policies.
Resource Type |
Unique ID in Permission Policy |
|---|---|
Instance |
ECS:$region:$domainId:instance:$instanceId |
When setting the unique resource ID in a permission policy, replace the variables such as $region, $domainId, and $instanceId to the actual values or use the wildcard (*).
The APIs with Authorization by Instance marked by × in Lifecycle Management to Tag Management do not support resource-level authorization. You can still grant user permissions to perform operations supported by these APIs by setting Resource in the policy syntax to a wildcard (*).
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:cloudServers:start",
"ecs:cloudServers:reboot",
"ecs:cloudServers:stop"
],
"Resource": [
"ECS:*:*:instance:9e0263ee-542a-4114-bf4a-5dd14d3f8a18"
]
}
]
}
Using Tags to Control Resource Access
After attaching a tag to an ECS, you can use the tag to group resources and control access to the resources. You can attach multiple tags to resources and then attach policies to IAM users or user groups To control which resources can be accessed by IAM users, you can create custom policies and use tags to control access.
Step 1: Create a policy and grant permissions using your master account.
Create a custom policy policyTest using the master account and attach the policy to an IAM user.
- Log in to the IAM console using the master account.
- Create a custom policy policyTest and attach tags to an ECS.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:cloudServers:start", "ecs:cloudServers:reboot", "ecs:cloudServers:stop" ], "Condition": { "StringEqualsIgnoreCase": { "g:ResourceTag/team": [ "dev" ] } } }, { "Effect": "Allow", "Action": [ "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:showServerTags" ] }, { "Effect": "Deny", "Action": [ "ecs:cloudServers:batchSetServerTags" ] } ] }Action
Policy Content
Description
Start, stop, and restart tagged resources
"g:ResourceTag/team":"dev"
Allows users to start, stop, and restart ECSs tagged with "team=dev"
Query ECS details and attached tags
ecs:cloudServers:list
ecs:cloudServers:showServer
ecs:cloudServers:showServerTags
Allows users to view ECSs and attached tags on the ECS console
Do not perform operations on tags
ecs:cloudServers:batchSetServerTags
Denies operations on tags attached to resources
- Attach the policy to IAM users or user groups.
Step 2: Attach a tag to resources using the master account.
Attach a specific tag to ECSs for tag-based access control.
- Log in to the management console.
- Click the target ECS. On the displayed page, click Tags.
- Click Add Tag to create tag team:dev.
Step 3: Access an ECS with tag team:dev as an IAM user.
Log in to the ECS console as an IAM user and perform operations on the tagged ECSs.
- Log in to the management console as an IAM user.
- Select a region and view the list of all ECSs in the region.
- Filter out tagged ECSs.
- Start, stop, or restart the ECSs.
The APIs with Authorization by Tag marked by × in Lifecycle Management to Tag Management do not support tag-based access control. You can still grant user permissions to perform operations supported by these APIs without setting g:ResourceTag in the policy syntax.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
