(Alibaba Cloud) Service Account Policy Management

Details of the service account policies required to use the SpaceONE plugin

Service Account Policy

SpaceONE strongly recommends granting the service account only the permissions appropriate for each purpose.

Set up a service account and create API credentials for each use case:

General Collector

The collector requires appropriate permissions to collect cloud resources. We strongly recommend limiting the collector's service account to read-only access.

You can also add further restrictions per resource or action. One useful example is to restrict the account's rights even more narrowly than read-only access.

STEP 1. Create RAM users

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, click Users under Identities.

  3. Click Create User.

    • To create multiple RAM users at a time, click Add User.

  4. Specify the Logon Name and Display Name parameters.

  5. Click OK and return to the Create User screen.

STEP 2. Create AccessKey pairs for RAM users

You need AccessKey pairs to enter Alibaba Cloud credentials in SpaceONE. If you have authorized a RAM user under your Alibaba Cloud account to manage their own AccessKey pairs, the RAM user can create an AccessKey pair in the RAM console.

  1. In the left-side navigation pane, click Users under Identities.

  2. In the User Logon Name/Display Name column, click the username of the target RAM user.

  3. In the User AccessKey Pairs section, click Create AccessKey.

    • You must enter a verification code if you are creating an AccessKey pair for the first time.

  4. Click OK.

    • The AccessKey Secret is displayed only once when you first create it. You cannot retrieve the AccessKey Secret if you forget it. We recommend that you save the AccessKey Secret for subsequent use.

    • If the AccessKey pair is disclosed or lost, you must create a new one. Currently, you can create a maximum of two AccessKey pairs.

STEP 3-1: Authorize RAM users to access data as read-only. (via console)

  1. In the left-side navigation pane, click Users under Identities.

  2. In the User Logon Name/Display Name column, click the username of the target RAM user.

  3. Click Add Permissions. On the page that appears, the principal is automatically filled in.

  4. In the Policy Name column, select the ReadOnlyAccess policy under System Policy.

    • You can click X in the section on the right side of the page to delete the selected policy.

  5. Click OK.

  6. Click Complete.

  7. You will return to the Create User screen, where you can check your AccessKey ID and AccessKey Secret. Alibaba Cloud generates an AccessKey pair by default when you create a user. Click Copy to copy your authentication information. If you miss this step, go to step 5.

STEP 3-2: Authorize RAM users to access data as read-only. (via API call)

You can attach a policy to a RAM user by calling the AttachPolicyToUser API with the following parameters:

  • Action: AttachPolicyToUser

  • PolicyName: ReadOnlyAccess

  • PolicyType: System

  • UserName: the target RAM user name
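The API call above, as an added example that is not part of the SpaceONE plugin or Alibaba Cloud's own SDK: it builds a signed RAM RPC request (HMAC-SHA1 over the canonicalized query string, API version 2015-05-01) for AttachPolicyToUser with the ReadOnlyAccess system policy. The AccessKey ID, secret and user name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

RAM_ENDPOINT = "https://ram.aliyuncs.com/"


def percent_encode(value: str) -> str:
    # RPC signing requires RFC 3986 encoding: only -_.~ stay unescaped.
    return quote(str(value), safe="-_.~")


def string_to_sign(params: dict, method: str = "GET") -> str:
    # Sort parameters by key, encode key and value, then sign
    # METHOD&%2F&<percent-encoded canonical query string>.
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(params: dict, access_key_secret: str, method: str = "GET") -> str:
    # The HMAC key is the AccessKey Secret with a trailing "&".
    key = (access_key_secret + "&").encode()
    mac = hmac.new(key, string_to_sign(params, method).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def attach_policy_to_user_params(access_key_id, user_name, policy_name="ReadOnlyAccess",
                                 policy_type="System", timestamp=None, nonce=None) -> dict:
    # Common RPC parameters plus the three action-specific ones from this page.
    return {
        "Action": "AttachPolicyToUser", "Version": "2015-05-01", "Format": "JSON",
        "AccessKeyId": access_key_id, "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0", "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "PolicyType": policy_type, "PolicyName": policy_name, "UserName": user_name,
    }


def build_signed_url(access_key_id, access_key_secret, user_name, **kw) -> str:
    params = attach_policy_to_user_params(access_key_id, user_name, **kw)
    params["Signature"] = sign(params, access_key_secret)
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())
    return RAM_ENDPOINT + "?" + query


if __name__ == "__main__":
    # Constructed placeholder credentials; load real ones from a secret store.
    print(build_signed_url("LTAI_EXAMPLE_ID", "EXAMPLE_SECRET", "spaceone-collector"))
```

Send the resulting URL with an HTTPS GET; a Timestamp older than the service's allowed skew or a reused SignatureNonce is rejected, so build each request fresh.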

STEP 4: Generate Your AccessKey Pair. (optional)

Go to RAM Console > Identities > Users and choose the user you created for the General Collector.

Click Create AccessKey in the Authentication tab.

A Create AccessKey popup appears. Click Copy below the blue box to copy your AccessKey pair information, then click Close to close the popup window.
