Before a Resource Access Management (RAM) user calls the API operations of RAM to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create and attach the required policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).

The following list describes the variables that you can specify in a policy. Replace the variables with actual values.

  • <account-id>: the account ID of an Alibaba Cloud account
  • <user-name>: the username of a RAM user
  • <role-name>: the name of a RAM role
    Note: The name of a RAM role must be in lowercase letters in a policy.
  • <group-name>: the name of a RAM user group
  • <policy-name>: the name of a policy
  • <serial-number>: the serial number of a virtual multi-factor authentication (MFA) device

The following table lists the RAM API operations that you can specify in the Action element and the ARN format that is used in the Resource element.

| Action | Resource |
| --- | --- |
| `ram:CreateUser` | `acs:ram:*:<account-id>:user/*` |
| `ram:GetUser` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:UpdateUser` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:DeleteUser` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:ListUsers` | `acs:ram:*:<account-id>:user/*` |
| `ram:CreateLoginProfile` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:GetLoginProfile` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:DeleteLoginProfile` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:UpdateLoginProfile` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:CreateAccessKey` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:UpdateAccessKey` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:DeleteAccessKey` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:ListAccessKeys` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:CreateVirtualMFADevice` | `acs:ram:*:<account-id>:mfa/*` |
| `ram:ListVirtualMFADevices` | `acs:ram:*:<account-id>:mfa/*` |
| `ram:DeleteVirtualMFADevice` | `acs:ram:*:<account-id>:mfa/<serial-number>` |
| `ram:BindMFADevice` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:UnbindMFADevice` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:GetUserMFAInfo` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:ChangePassword` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:CreateGroup` | `acs:ram:*:<account-id>:group/*` |
| `ram:GetGroup` | `acs:ram:*:<account-id>:group/<group-name>` |
| `ram:UpdateGroup` | `acs:ram:*:<account-id>:group/<group-name>` |
| `ram:ListGroups` | `acs:ram:*:<account-id>:group/*` |
| `ram:DeleteGroup` | `acs:ram:*:<account-id>:group/<group-name>` |
| `ram:AddUserToGroup` | `acs:ram:*:<account-id>:user/<user-name>`<br>`acs:ram:*:<account-id>:group/<group-name>` |
| `ram:RemoveUserFromGroup` | `acs:ram:*:<account-id>:user/<user-name>`<br>`acs:ram:*:<account-id>:group/<group-name>` |
| `ram:ListGroupsForUser` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:ListUsersForGroup` | `acs:ram:*:<account-id>:group/<group-name>` |
| `ram:CreateRole` | `acs:ram:*:<account-id>:role/<role-name>` |
| `ram:GetRole` | `acs:ram:*:<account-id>:role/<role-name>` |
| `ram:UpdateRole` | `acs:ram:*:<account-id>:role/<role-name>` |
| `ram:ListRoles` | `acs:ram:*:<account-id>:role/*` |
| `ram:DeleteRole` | `acs:ram:*:<account-id>:role/<role-name>` |
| `ram:CreatePolicy` | `acs:ram:*:<account-id>:policy/*` |
| `ram:GetPolicy` | System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:DeletePolicy` | `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:ListPolicies` | `acs:ram:*:<account-id>:policy/*` |
| `ram:CreatePolicyVersion` | `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:GetPolicyVersion` | System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:DeletePolicyVersion` | `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:ListPolicyVersions` | System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:SetDefaultPolicyVersion` | `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:AttachPolicyToUser` | `acs:ram:*:<account-id>:user/<user-name>`<br>System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:DetachPolicyFromUser` | `acs:ram:*:<account-id>:user/<user-name>`<br>System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:AttachPolicyToGroup` | `acs:ram:*:<account-id>:group/<group-name>`<br>System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:DetachPolicyFromGroup` | `acs:ram:*:<account-id>:group/<group-name>`<br>System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:AttachPolicyToRole` | `acs:ram:*:<account-id>:role/<role-name>`<br>System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:DetachPolicyFromRole` | `acs:ram:*:<account-id>:role/<role-name>`<br>System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:ListPoliciesForUser` | `acs:ram:*:<account-id>:user/<user-name>` |
| `ram:ListPoliciesForGroup` | `acs:ram:*:<account-id>:group/<group-name>` |
| `ram:ListPoliciesForRole` | `acs:ram:*:<account-id>:role/<role-name>` |
| `ram:ListEntitiesForPolicy` | System policy: `acs:ram:*:system:policy/<policy-name>`<br>Custom policy: `acs:ram:*:<account-id>:policy/<policy-name>` |
| `ram:SetAccountAlias` | `acs:ram:*:<account-id>:*` |
| `ram:GetAccountAlias` | `acs:ram:*:<account-id>:*` |
| `ram:ClearAccountAlias` | `acs:ram:*:<account-id>:*` |
| `ram:SetPasswordPolicy` | `acs:ram:*:<account-id>:*` |
| `ram:GetPasswordPolicy` | `acs:ram:*:<account-id>:*` |
| `ram:SetSecurityPreference` | `acs:ram:*:<account-id>:*` |
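
The following Python sketch is an added example, not part of the original documentation or any Alibaba Cloud tool. It lints a policy document against a subset of the table above: it flags a bare `*` resource, a role name that is not lowercase, `system` used outside a policy ARN, and an action whose listed resource types are not all present. The names `EXPECTED`, `lint_policy` and `SAMPLE`, the account ID and all user, role and group names are assumptions; the policy is assumed to use the usual `Statement`/`Effect`/`Action`/`Resource` layout.

```python
import re

# Resource types the table above lists per action (a subset of its rows).
EXPECTED = {
    "ram:GetUser": {"user"}, "ram:GetRole": {"role"}, "ram:DeleteVirtualMFADevice": {"mfa"},
    "ram:AddUserToGroup": {"user", "group"},
    "ram:AttachPolicyToRole": {"role", "policy"},
}
ARN = re.compile(r"^acs:ram:\*:([^:]+):(user|group|role|policy|mfa)/(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, subject, message) findings for Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = [a for a in as_list(stmt.get("Action", [])) if a in EXPECTED]
        if stmt.get("Effect") != "Allow" or not actions:
            continue
        types, wildcard = set(), False
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                wildcard = True
                findings.append((i, res, "bare wildcard is broader than any ARN in the table"))
            elif not (m := ARN.match(res)):
                findings.append((i, res, "not in acs:ram:*:<account-id>:<type>/<name> form"))
            else:
                account, rtype, name = m.groups()
                types.add(rtype)
                if account == "system" and rtype != "policy":
                    findings.append((i, res, "'system' appears only in system policy ARNs"))
                if rtype == "role" and name != name.lower():
                    findings.append((i, res, "role name must be lowercase in a policy"))
        for action in ([] if wildcard else actions):
            for missing in sorted(EXPECTED[action] - types):
                findings.append((i, action, f"table also lists a {missing}/ ARN for this action"))
    return findings

# Constructed sample policy; the account ID and all names are placeholders.
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:GetUser", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ram:GetRole"],
     "Resource": "acs:ram:*:1234567890123456:role/OpsAdmin"},
    {"Effect": "Allow", "Action": "ram:AddUserToGroup",
     "Resource": ["acs:ram:*:1234567890123456:user/alice"]},
]}
if __name__ == "__main__":
    print(*lint_policy(SAMPLE), sep="\n")
```

To cover more operations, extend `EXPECTED` with further rows from the table; account-level actions whose resource is `acs:ram:*:<account-id>:*` would need an additional ARN pattern.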