简介
子账号或相关角色只能将云助手命令执行在带有某种标签的ECS实例上,否则执行不成功。
设计
子账号或相关角色权限限制如下:
- 只能将命令执行到带有标签(user:zhangsan)的实例上
- 只能将文件传输到带有标签(user:zhangsan)的实例上
- 可以创建、删除、修改以及查询云助手命令和执行结果
权限设计如下:
要求发送命令/文件的实例带有标签(user:zhangsan):
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand", "ecs:RunCommand", "ecs:StopInvocation", "ecs:SendFile" ], "Resource": "acs:ecs:*:*:instance/*", "Condition": { "StringEquals": { "acs:ResourceTag/user": "zhangsan" } } }, { "Effect": "Allow", "Action": [ "ecs:InvokeCommand", "ecs:RunCommand", "ecs:StopInvocation", "ecs:SendFile" ], "Resource": "acs:ecs:*:*:command/*" } ] }
查询标签、实例以及云助手资源的权限:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeTag*", "ecs:DescribeInstance*", "ecs:DescribeCommands", "ecs:CreateCommand", "ecs:DeleteCommand", "ecs:ModifyCommand", "ecs:DescribeInvocationResults", "ecs:DescribeSendFileResults", "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInvocations", "ecs:DescribeResourceByTags", "ecs:DescribeTagKeys", "ecs:DescribeTags", "ecs:ListTagResources", "ecs:DescribeManagedInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": "oos:ListSecretParameters", "Resource": "*" } ] }
验证
- 将命令执行到不带有标签(user:zhangsan)的实例上:
执行结果符合预期:
- 将命令执行到带有标签(user:zhangsan)的实例上:
执行成功
常见问题
如果权限控制未生效,请检查RAM用户的权限是否已经对这几个Action设置了Allow :["ecs:InvokeCommand","ecs:RunCommand", "ecs:StopInvocation","ecs:SendFile"]
例如:存在如下所示的权限策略,这种情况需要移除RAM用户的这个权限策略
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand", "ecs:RunCommand", "ecs:StopInvocation", "ecs:SendFile" ], "Resource": "*" } ] }
