A permission states that, under certain conditions, certain operations on certain resources are allowed (Allow) or denied (Deny).

Procedure

Permissions are carried by authorization policies. A custom permission is a permission you define while creating a custom authorization policy.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, define the policy content.
    Parameter           Description
    Policy Name         Enter a name for the policy.
    Note                Describe the policy.
    Configuration Mode  Select Script.
    Policy Document     The authorization policy in JSON format. It must contain the following parameters:
    • Action: the operations to authorize. All IoT operations start with iot:. For the definition format and examples, see Action definition in this document.
    • Effect: the authorization type. Valid values: Allow, Deny.
    • Resource: the resources to authorize.
      • To grant the RAM user access to all of your IoT Platform resources, set it to *.
      • To authorize at resource granularity (products, devices and rules), enter the Aliyun Resource Name (ARN), in the format acs:iot:$regionid:$accountid:<resource-relative-id>.

        For example, to grant permissions on a specific product, Resource takes the form acs:iot:$regionid:$accountid:product/$productKey.

        For specific ARNs, see Create resource access permissions.

    • Condition: the authorization condition. For details, see Condition definition in this document.

Action definition

An Action is the name of an API operation. When you create an IoT authorization policy, every Action is prefixed with iot:, multiple Actions are separated by commas (,), and the asterisk (*) wildcard is supported. For the definitions of IoT API names, see the IoT API authorization mapping table.

The following are some typical Action definition examples.

  • Define a single API operation.
    "Action": "iot:CreateProduct"
  • Define multiple API operations.
    "Action": [
    "iot:UpdateProduct",
    "iot:QueryProduct"
    ]
  • Define all read-only API operations, including permissions on the destination cloud products of rules engine data forwarding.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*", 
            "iot:Check*"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "dhs:ListProject", 
            "dhs:GetProject", 
            "dhs:ListTopic", 
            "dhs:GetTopic"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:GetInstance", 
            "ots:ListTable", 
            "ots:DescribeTable"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ons:OnsRegionList", 
            "ons:OnsInstanceInServiceList", 
            "ons:OnsTopicList", 
            "ons:OnsTopicGet"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "hitsdb:DescribeRegions", 
            "hitsdb:DescribeHiTSDBInstanceList", 
            "hitsdb:DescribeHiTSDBInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Define all read and write API operations, including permissions on the destination cloud products of rules engine data forwarding.
    {
      "Version": "1", 
      "Statement": [
        {
          "Action": "iot:*", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "rds:DescribeDBInstances", 
            "rds:DescribeDatabases", 
            "rds:DescribeAccounts", 
            "rds:DescribeDBInstanceNetInfo", 
            "rds:ModifySecurityIps"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:ListRoles", 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "mns:ListTopic", 
            "mns:GetTopicRef"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "dhs:ListProject", 
            "dhs:ListTopic", 
            "dhs:GetProject", 
            "dhs:GetTopic"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ots:ListInstance", 
            "ots:ListTable", 
            "ots:DescribeTable", 
            "ots:GetInstance"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "ons:OnsRegionList", 
            "ons:OnsInstanceInServiceList", 
            "ons:OnsTopicList", 
            "ons:OnsTopicGet"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "hitsdb:DescribeRegions", 
            "hitsdb:DescribeHiTSDBInstanceList", 
            "hitsdb:DescribeHiTSDBInstance", 
            "hitsdb:ModifyHiTSDBInstanceSecurityIpList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "fc:ListServices", 
            "fc:GetService", 
            "fc:GetFunction", 
            "fc:ListFunctions"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": [
            "log:ListShards", 
            "log:ListLogStores", 
            "log:ListProject"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }, 
        {
          "Action": "ram:PassRole", 
          "Resource": "*", 
          "Effect": "Allow", 
          "Condition": {
            "StringEquals": {
              "acs:Service": "iot.aliyuncs.com"
            }
          }
        }, 
        {
          "Action": [
            "cms:QueryMetricList"
          ], 
          "Resource": "*", 
          "Effect": "Allow"
        }
      ]
    }
  • Define resource-granular authorization. For the specific permission settings, see Create resource access permissions.

    Examples:

    • Policy that allows querying the details of a specified product:
      {
       "Statement": [
         {
           "Action": "iot:QueryProduct",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****"
         }
       ],
       "Version": "1"
      }
    • Policy that allows querying the details of a specified device:
      {
       "Statement": [
         {
           "Action": "iot:QueryDeviceDetail",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****/device/testdevice1"
         }
       ],
       "Version": "1"
      }
    • Policy that allows querying the details of a specified rule:
      {
       "Statement": [
         {
           "Action": "iot:GetRule",
           "Effect": "Allow",
           "Resource": "acs:iot:$regionid:$accountid:rule/6601****"
         }
       ],
       "Version": "1"
      }
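The policy documents above are easy to get subtly wrong by hand (a trailing comma after the last key, a lowercase Effect, an Action without its service prefix), and a statement that grants iot:* on every resource with no Condition is full access to the platform. The following checker, added here as an example and not code from Alibaba Cloud, lints a policy document against the conventions this page describes: valid JSON, "Version": "1", Allow/Deny, service-prefixed Actions, a Resource that is "*" or an ARN of the acs:<service>:<region>:<account>:<resource> shape, plus a least-privilege warning. The sample policies in the block are constructed for the demonstration.

```python
"""Lint an Alibaba Cloud RAM policy document against the IoT conventions on this
page. Added example, not Alibaba Cloud code; the checks model the page's rules
and are not the console's own validator."""
import json
import re

# ARN shape from the page: acs:iot:$regionid:$accountid:<resource-relative-id>.
# The region/account fields are left free so the page's $regionid/$accountid
# placeholders pass as well as concrete values; other services' ARNs share the prefix shape.
ARN_RE = re.compile(r"^acs:[a-z-]+:[^:]*:[^:]*:.+$")
# <service>:<OperationName or wildcard>, e.g. iot:QueryProduct, iot:Query*, rds:DescribeDBInstances
ACTION_RE = re.compile(r"^[a-z]+:[A-Za-z0-9*]+$")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(text):
    """Return a list of (severity, message) findings for a policy JSON string."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma after the last key is the usual culprit; the console rejects it.
        return [("error", f"invalid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(policy, dict):
        return [("error", "policy must be a JSON object")]

    findings = []
    if policy.get("Version") != "1":
        findings.append(("error", 'Version must be "1"'))
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append(("error", "Statement must be a non-empty list"))
        return findings

    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(("error", f"{where}: Effect must be Allow or Deny"))
        actions = _as_list(st.get("Action"))
        if not actions:
            findings.append(("error", f"{where}: Action is required"))
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(("error", f"{where}: malformed Action {action!r}"))
        resources = _as_list(st.get("Resource"))
        if not resources:
            findings.append(("error", f"{where}: Resource is required"))
        for res in resources:
            if res != "*" and not ARN_RE.match(res):
                findings.append(("error", f"{where}: Resource {res!r} is neither '*' nor an ARN"))
        # Least-privilege check: iot:* on every resource with no Condition is full access.
        if effect == "Allow" and "iot:*" in actions and "*" in resources and "Condition" not in st:
            findings.append(("warning", f"{where}: grants iot:* on * without a Condition"))
    return findings


# Constructed samples (not from the page): the product-query policy as it is often
# pasted, with a trailing comma after the last key, and the corrected version.
BROKEN_PRODUCT_POLICY = """{
 "Statement": [
   {
     "Action": "iot:QueryProduct",
     "Effect": "Allow",
     "Resource": "acs:iot:$regionid:$accountid:product/aleEs48****",
   }
 ],
 "Version": "1"
}"""
GOOD_PRODUCT_POLICY = BROKEN_PRODUCT_POLICY.replace('****",\n', '****"\n')
FULL_ACCESS_POLICY = '{"Version": "1", "Statement": [{"Action": "iot:*", "Resource": "*", "Effect": "Allow"}]}'

if __name__ == "__main__":
    for name, doc in [("broken", BROKEN_PRODUCT_POLICY), ("good", GOOD_PRODUCT_POLICY),
                      ("full-access", FULL_ACCESS_POLICY)]:
        print(name, lint_policy(doc) or "OK")
```

Run the linter over every policy before attaching it to a RAM user; a clean result means the document parses and follows the rules above, while the warning flags the one shape of policy that deserves a second look before it is granted.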

Condition definition

RAM authorization policies currently support several authorization conditions, including source IP restriction, whether access is over HTTPS, whether access is authenticated with MFA (multi-factor authentication), and access time restriction. All IoT Platform API operations support these conditions.

  • Source IP restriction.

    RAM can restrict the source IP addresses that may access IoT, and supports filtering by CIDR block. Typical scenarios:

    • Restrict a single IP address and a CIDR block. For example, only allow requests from the IP address 10.101.168.111 or the 10.101.169.111/24 block.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "10.101.168.111", 
                  "10.101.169.111/24"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
    • Restrict multiple IP addresses. For example, only allow requests from the IP addresses 10.101.168.111 and 10.101.169.111.
      {
        "Statement": [
          {
            "Effect": "Allow", 
            "Action": "iot:*", 
            "Resource": "*", 
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": [
                  "10.101.168.111", 
                  "10.101.169.111"
                ]
              }
            }
          }
        ], 
        "Version": "1"
      }
  • HTTPS restriction.

    RAM can restrict whether access must be over HTTPS.

    Example: require that requests are made over HTTPS.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • MFA restriction.

    RAM can restrict whether access must be authenticated with MFA (multi-factor authentication). The MFA condition applies to console logon; API access does not require an MFA code.

    Example: require MFA for access.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • Access time restriction.

    RAM can restrict the time at which requests are made, that is, allow or deny only requests made before a given point in time.

    Example: the user can access until 00:00 Beijing time on January 1, 2019, and cannot access after that.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }
          }
        }
      ], 
      "Version": "1"
    }

Typical scenarios

Combining the Action, Resource and Condition definitions above, the following are authorization policy definitions for some typical scenarios.

  • Example Allow policy.

    Scenario: grant users whose source IP address is in the 10.101.168.111/24 block access to IoT, only before 2019-01-01 00:00:00 and only over HTTPS.

    {
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": "iot:*", 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.168.111/24"
              ]
            }, 
            "DateLessThan": {
              "acs:CurrentTime": "2019-01-01T00:00:00+08:00"
            }, 
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ], 
      "Version": "1"
    }
  • Example Deny policy.

    Scenario: deny read operations on IoT to users whose source IP address is 10.101.169.111.

    {
      "Statement": [
        {
          "Effect": "Deny", 
          "Action": [
            "iot:Query*", 
            "iot:List*", 
            "iot:Get*", 
            "iot:BatchGet*"
          ], 
          "Resource": "*", 
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "10.101.169.111"
              ]
            }
          }
        }
      ], 
      "Version": "1"
    }
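To see how the Condition operators above and the two typical-scenario policies actually combine, the following evaluator, added as an example and not Alibaba Cloud's own authorization engine, applies a simplified model of RAM evaluation to a request: a request is allowed only if some statement allows it and no statement denies it (an explicit Deny wins, and nothing matching means an implicit deny). It implements the Action and Resource wildcards, and the IpAddress (acs:SourceIp, single addresses and CIDR blocks), Bool (acs:SecureTransport, acs:MFAPresent) and DateLessThan (acs:CurrentTime) conditions shown in this document. The request fields, the evaluation model and the unconditional full-access policy used to show the Deny override are assumptions made for the demonstration.

```python
"""Evaluate requests against RAM policy statements using a simplified model of
RAM evaluation (explicit Deny overrides Allow; otherwise implicit deny).
Added example; not Alibaba Cloud's evaluator."""
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _condition_holds(condition, request):
    """Every operator/key pair in a Condition block must hold for the statement to apply."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            actual = request.get(key)
            if actual is None:  # key absent from the request: condition is not met
                return False
            if operator == "IpAddress":
                source = ipaddress.ip_address(actual)
                # "10.101.169.111/24" is accepted as the block containing that host
                if not any(source in ipaddress.ip_network(net, strict=False)
                           for net in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "DateLessThan":
                if not datetime.fromisoformat(actual) < datetime.fromisoformat(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_matches(statement, request):
    action_ok = any(fnmatchcase(request["action"], p) for p in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(request["resource"], p) for p in _as_list(statement["Resource"]))
    return action_ok and resource_ok and _condition_holds(statement.get("Condition"), request)


def evaluate(policies, request):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, request):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins regardless of any Allow
            decision = "Allow"
    return decision


# The two policies from the "Typical scenarios" section above.
ALLOW_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "iot:*", "Resource": "*",
    "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.168.111/24"]},
                  "DateLessThan": {"acs:CurrentTime": "2019-01-01T00:00:00+08:00"},
                  "Bool": {"acs:SecureTransport": "true"}}}]}
DENY_READ_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"],
    "Resource": "*", "Condition": {"IpAddress": {"acs:SourceIp": ["10.101.169.111"]}}}]}
# Constructed for the demonstration (not on the page): unconditional full IoT access,
# so that the Deny policy has an Allow to override.
FULL_ACCESS_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}


def request(action, source_ip, https=True, time="2018-12-31T23:59:00+08:00", mfa=None):
    """Build a constructed request carrying the condition keys the policies test."""
    req = {"action": action, "resource": "acs:iot:$regionid:$accountid:product/aleEs48****",
           "acs:SourceIp": source_ip,
           "acs:SecureTransport": "true" if https else "false",
           "acs:CurrentTime": time}
    if mfa is not None:
        req["acs:MFAPresent"] = "true" if mfa else "false"
    return req


if __name__ == "__main__":
    print(evaluate([ALLOW_POLICY], request("iot:CreateProduct", "10.101.168.50")))
    print(evaluate([FULL_ACCESS_POLICY, DENY_READ_POLICY], request("iot:QueryProduct", "10.101.169.111")))
```

The scenarios worth tracing by hand: a request from 10.101.168.50 over HTTPS before the cutoff is allowed by ALLOW_POLICY, while the same request over plain HTTP, after the cutoff, or from an address outside the block falls through to an implicit deny; with FULL_ACCESS_POLICY and DENY_READ_POLICY attached together, iot:QueryProduct from 10.101.169.111 is explicitly denied even though the full-access policy allows it, but iot:CreateProduct from that address is still allowed because the Deny covers only the read operations.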

After the authorization policy is created, attach it to a RAM user. The authorized RAM user can then perform the operations defined in the policy. For help with creating RAM users and granting permissions, see RAM user access.