场景
某公司希望根据不同的角色对于资源进行管理。
- datacenter成员: 授权访问带有project:datacenter的ECS所有资源。
- bizcenter成员:授权访问带有project:bizcenter的ECS所有资源。
- 资源生产者: 资源生产。
- 资源授权管理者: 资源授权:对资源进行打标签, 需要资源具备权限则添加该标签,希望资源没有权限删除该标签就可以,不需要进行权限修改。
权限设计如下
datacenter成员
- 子账号直接使用情况,具体到访问控制进行操作。
- 属于该项目的成员所使用子账号通过授权下列权限就可以访问datacenter的资源。
- 注意:在ecs控制台过滤资源时需要根据标签project:datacenter才能看到资源,默认情况没有筛选标签是看不到资源的。
授权策略设计如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/project": "datacenter"
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:List*",
"ecs:Describe*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:RequestTag/project": "datacenter"
}
}
},
{
"Effect": "Allow",
"Action": [
"tag:List*",
"ecs:DescribeTags",
"ecs:DescribeResourceByTags",
"ecs:DescribeTagKeys",
"ecs:ListTagResources",
"ecs:DescribeRegions",
"ecs:DescribeZones",
"ecs:DescribeDisk*",
"ecs:DescribeSecurityGroup*",
"ecs:DescribeInstanceTypes",
"ecs:DescribeSnapshot*",
"ecs:DescribeNetworkInterface*",
"actiontrail:LookupEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:StopInvocation",
"ecs:SendFile"
],
"Resource": "acs:ecs:*:*:instance/*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/project": "datacenter"
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:StopInvocation",
"ecs:SendFile"
],
"Resource": "acs:ecs:*:*:command/*"
}
]
}
bizcenter成员
- 子账号通过固定角色使用该权限
- 访问控制 控制台-身份管理-角色-创建角色,名称为bizcenter-member
- 注意:在ecs控制台过滤资源时需要根据标签project:bizcenter才能看到资源,默认情况没有筛选标签是看不到资源的。
授权策略设计如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/project": "bizcenter"
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:List*",
"ecs:Describe*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:RequestTag/project": "bizcenter"
}
}
},
{
"Effect": "Allow",
"Action": [
"tag:List*",
"ecs:DescribeTags",
"ecs:DescribeResourceByTags",
"ecs:DescribeTagKeys",
"ecs:ListTagResources",
"ecs:DescribeRegions",
"ecs:DescribeZones",
"ecs:DescribeDisk*",
"ecs:DescribeSecurityGroup*",
"ecs:DescribeInstanceTypes",
"ecs:DescribeSnapshot*",
"ecs:DescribeNetworkInterface*",
"actiontrail:LookupEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:StopInvocation",
"ecs:SendFile"
],
"Resource": "acs:ecs:*:*:instance/*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/project": "bizcenter"
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:StopInvocation",
"ecs:SendFile"
],
"Resource": "acs:ecs:*:*:command/*"
}
]
}
- bizcenter成员所使用子账号需要通过角色扮演bizcenter-member进行使用bizcenter的资源。
授权策略设计如下:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "acs:ram:*:*:role/bizcenter-member"
}
],
"Version": "1"
}
资源生产者
- 如果资源生产者是资源管理者则使用AliyunECSFullAccess权限即可。
- 如果资源生产者生产的资源必须带有标签project:anyValue,则权限如下。
授权策略设计如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:Run*",
"ecs:Create*",
"ecs:Purchase*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:RequestTag/project": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:List*",
"ecs:Describe*",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"bss:PayOrder"
],
"Resource": "*"
}
]
}
资源授权管理者
- 如果资源授权管理者必须对资源打上标签project:anyValue标签,则权限如下:
- 如何识别资源标签规范可以使用标签策略,确保资源都可以进行正确的标签。
授权策略设计如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:Tag*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:RequestTag/project": "*"
}
}
},
{
"Effect": "Allow",
"Action": [
"tag:*",
"ecs:Untag*",
"ecs:List*",
"ecs:Describe*"
],
"Resource": "*"
}
]
}
