Before you call an Alibaba Cloud API as a Resource Access Management (RAM) user, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you call an API as a RAM user, you must grant the RAM user the permissions to call the API by creating an authorization policy and attaching the policy to the RAM user.

When you create the authorization policy, you can use an Alibaba Cloud Resource Name (ARN) to specify the resource that you are allowed to access. An ARN is a globally unique name that identifies a resource on Alibaba Cloud. ARNs use the following format:
acs:service-name:region:account-id:resource-relative-id
An ARN contains the following fields:
  • acs: the abbreviation for Alibaba Cloud Service.
  • service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), or Resource Orchestration Service (ROS).
  • region: the region where the service resides. If the service does not support this field, use an asterisk (*) instead.
  • account-id: the ID of the Alibaba Cloud account, such as 123456789012****.
  • resource-relative-id: the service-specific description of a resource. The description varies by service. For more information, see the documentation of each service.

    For example, acs:oss:123456789012****:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in OSS, and 123456789012**** indicates the ID of the account that owns the resource.

Types of ROS resources that can be authorized

Resource type  ARN format in the authorization policy
Stack          acs:ros:$regionid:$accountid:stack/$stackid
               acs:ros:$regionid:$accountid:stack/*
Template       acs:ros:$regionid:$accountid:template/$templateid
               acs:ros:$regionid:$accountid:template/*
StackGroup     acs:ros:$regionid:$accountid:stack_group/*

ROS API operations that can be authorized

  • Stack operations
    API operation            Action                       ARN format
    PreviewStack             ros:PreviewStack             acs:ros:cn-hangzhou:$accountid:stack/*
    CreateStack              ros:CreateStack              acs:ros:cn-hangzhou:$accountid:stack/*
    ContinueCreateStack      ros:ContinueCreateStack      acs:ros:cn-hangzhou:$accountid:stack/$stackid
    SetDeletionProtection    ros:SetDeletionProtection    acs:ros:cn-hangzhou:$accountid:stack/$stackid
    UpdateStack              ros:UpdateStack              acs:ros:cn-hangzhou:$accountid:stack/$stackid
    CancelUpdateStack        ros:CancelUpdateStack        acs:ros:cn-hangzhou:$accountid:stack/$stackid
    GetStack                 ros:GetStack                 acs:ros:cn-hangzhou:$accountid:stack/$stackid
    ListStacks               ros:ListStacks               acs:ros:cn-hangzhou:$accountid:stack/*
    ListStackEvents          ros:ListStackEvents          acs:ros:cn-hangzhou:$accountid:stack/$stackid
    ListStackOperationRisks  ros:ListStackOperationRisks  acs:ros:cn-hangzhou:$accountid:stack/$stackid
    DeleteStack              ros:DeleteStack              acs:ros:cn-hangzhou:$accountid:stack/$stackid
    CreateChangeSet          ros:CreateChangeSet          Depends on ChangeSetType:
      • When ChangeSetType is set to CREATE: acs:ros:cn-hangzhou:$accountid:stack/*
      • When ChangeSetType is set to UPDATE: acs:ros:cn-hangzhou:$accountid:stack/$stackid
      • When ChangeSetType is set to IMPORT: acs:ros:cn-hangzhou:$accountid:stack/*
    ExecuteChangeSet         ros:ExecuteChangeSet         acs:ros:cn-hangzhou:$accountid:stack/$stackid
    GetChangeSet             ros:GetChangeSet             acs:ros:cn-hangzhou:$accountid:stack/$stackid
    ListChangeSets           ros:ListChangeSets           acs:ros:cn-hangzhou:$accountid:stack/$stackid
    DeleteChangeSet          ros:DeleteChangeSet          acs:ros:cn-hangzhou:$accountid:stack/$stackid
  • Resource operations
    API operation            Action                       ARN format
    GetResourceTypeTemplate  ros:GetResourceTypeTemplate  No authentication required
    ListStackResources       ros:ListStackResources       acs:ros:cn-hangzhou:$accountid:stack/$stackid
    GetStackResource         ros:GetStackResource         acs:ros:cn-hangzhou:$accountid:stack/$stackid
    GetResourceType          ros:GetResourceType          No authentication required
    ListResourceTypes        ros:ListResourceTypes        No authentication required
    MoveResourceGroup        ros:MoveResourceGroup        Depends on ResourceType:
      • When ResourceType is set to stack: acs:ros:cn-hangzhou:$accountid:stack/*
      • When ResourceType is set to stackgroup: acs:ros:cn-hangzhou:$accountid:stack_group/*
      • When ResourceType is set to template: acs:ros:cn-hangzhou:$accountid:template/*
  • Stack group operations
    API operation                   Action                              ARN format
    CreateStackGroup                ros:CreateStackGroup                acs:ros:cn-hangzhou:$accountid:stack_group/*
    UpdateStackGroup                ros:UpdateStackGroup                acs:ros:cn-hangzhou:$accountid:stack_group/$stackid
    GetStackGroup                   ros:GetStackGroup                   acs:ros:cn-hangzhou:$accountid:stack_group/$stackid
    ListStackGroups                 ros:ListStackGroups                 acs:ros:cn-hangzhou:$accountid:stack_group/*
    DeleteStackGroup                ros:DeleteStackGroup                acs:ros:cn-hangzhou:$accountid:stack_group/$stackid
    CreateStackInstances            ros:CreateStackInstances            acs:ros:cn-hangzhou:$accountid:stack_instance/*
    UpdateStackInstances            ros:UpdateStackInstances            acs:ros:cn-hangzhou:$accountid:stack_instance/*
    GetStackInstance                ros:GetStackInstance                acs:ros:cn-hangzhou:$accountid:stack/$stackid
    ListStackInstances              ros:ListStackInstances              acs:ros:cn-hangzhou:$accountid:stack_instance/*
    DeleteStackInstances            ros:DeleteStackInstances            acs:ros:cn-hangzhou:$accountid:stack_instance/*
    GetStackGroupOperation          ros:GetStackGroupOperation          acs:ros:cn-hangzhou:$accountid:stack_group_operation/*
    ListStackGroupOperations        ros:ListStackGroupOperations        acs:ros:cn-hangzhou:$accountid:stack_group_operation/*
    ListStackGroupOperationResults  ros:ListStackGroupOperationResults  acs:ros:cn-hangzhou:$accountid:stack_group_operation/*
    StopStackGroupOperation         ros:StopStackGroupOperation         acs:ros:cn-hangzhou:$accountid:stack_group_operation/*
  • Template operations
    API operation            Action                       ARN format
    GenerateTemplatePolicy   ros:GenerateTemplatePolicy   acs:ros:cn-hangzhou:$accountid:template/$templateid
      Note: If the TemplateId parameter is specified, authentication is required.
    CreateTemplate           ros:CreateTemplate           acs:ros:cn-hangzhou:$accountid:template/*
    ValidateTemplate         ros:ValidateTemplate         No authentication required
    UpdateTemplate           ros:UpdateTemplate           acs:ros:cn-hangzhou:$accountid:template/$templateid
    GetTemplate              ros:GetTemplate              One of the following:
      • acs:ros:cn-hangzhou:$accountid:stack/$stackid
      • acs:ros:$regionid:$accountid:stack_group/*
      • acs:ros:cn-hangzhou:$accountid:template/$templateid
    GetTemplateEstimateCost  ros:GetTemplateEstimateCost  acs:ros:cn-hangzhou:$accountid:*
    GetTemplateSummary       ros:GetTemplateSummary       acs:ros:cn-hangzhou:$accountid:template/$templateid
      Note: If the TemplateId parameter is specified, authentication is required.
    ListTemplates            ros:ListTemplates            acs:ros:cn-hangzhou:$accountid:template/*
    ListTemplateVersions     ros:ListTemplateVersions     acs:ros:cn-hangzhou:$accountid:template/$templateid
    SetTemplatePermission    ros:SetTemplatePermission    acs:ros:cn-hangzhou:$accountid:*
    DeleteTemplate           ros:DeleteTemplate           acs:ros:cn-hangzhou:$accountid:template/$templateid
  • Tag operations
    API operation     Action                ARN format
    ListTagResources  ros:ListTagResources  acs:ros:cn-hangzhou:$accountid:tag/*
    ListTagKeys       ros:ListTagKeys       acs:ros:cn-hangzhou:$accountid:tag/*
    ListTagValues     ros:ListTagValues     acs:ros:cn-hangzhou:$accountid:tag/*
    UntagResources    ros:UntagResources    acs:ros:cn-hangzhou:$accountid:tag/*
  • Other operations
    API operation    Action               ARN format
    DescribeRegions  ros:DescribeRegions  No authentication required
    SignalResource   ros:SignalResource   acs:ros:cn-hangzhou:$accountid:stack/$stackid
    GetStackPolicy   ros:GetStackPolicy   acs:ros:cn-hangzhou:$accountid:stack/$stackid
    SetStackPolicy   ros:SetStackPolicy   acs:ros:cn-hangzhou:$accountid:stack/$stackid
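As an added example (not code from the ROS documentation or the ROS service), the following Python checks a RAM-style policy document offline against the action and ARN pairs in the tables above, using the five-field ARN format from the Resource authorization section, so you can confirm a RAM user's policy is scoped to one stack before attaching it. The policy document shape (Version, Statement, Effect, Action, Resource) is the standard RAM policy structure; the evaluation rule (explicit Deny overrides Allow, deny by default), the per-field wildcard matching and the stack ID are assumptions and constructed values, not the RAM service's own evaluator.

```python
import fnmatch

ACCOUNT_ID = "123456789012****"    # masked account ID as shown on this page
STACK_ID = "stack-id-placeholder"  # constructed placeholder, not a real stack ID
# Constructed policy: read/preview any stack in cn-hangzhou, update only one stack, never delete.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ros:GetStack", "ros:ListStacks", "ros:ListStackEvents", "ros:PreviewStack"],
         "Resource": [f"acs:ros:cn-hangzhou:{ACCOUNT_ID}:stack/*"]},
        {"Effect": "Allow",
         "Action": ["ros:UpdateStack"],
         "Resource": [f"acs:ros:cn-hangzhou:{ACCOUNT_ID}:stack/{STACK_ID}"]},
        {"Effect": "Deny",
         "Action": ["ros:DeleteStack"],
         "Resource": ["acs:ros:*:*:stack/*"]},
    ],
}
FIELDS = ("prefix", "service", "region", "account", "resource")

def parse_arn(arn):
    """Split an ARN into the five fields of acs:service-name:region:account-id:resource-relative-id."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"malformed ARN: {arn!r}")
    return dict(zip(FIELDS, parts))

def arn_matches(pattern, arn):
    """Field-by-field match; '*' in a pattern field is a wildcard (assumed matching semantics)."""
    p, a = parse_arn(pattern), parse_arn(arn)
    return all(fnmatch.fnmatchcase(a[k], p[k]) for k in FIELDS)

def is_allowed(policy, action, arn):
    """Simplified evaluation: an explicit Deny wins, else any matching Allow, else deny by default."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not any(arn_matches(pat, arn) for pat in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def granted_actions(policy, arn, candidates):
    """Subset of candidate actions (for example one table above) the policy grants on arn."""
    return [act for act in candidates if is_allowed(policy, act, arn)]
```

Running granted_actions with the stack operations from the table shows that a policy scoped to stack/$stackid never grants CreateStack, which the table binds to stack/*, so a user who only needs to update an existing stack does not need the wildcard.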