Before you use a RAM user to call Alibaba Cloud API operations, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud API operations. Before you use a RAM user to call Alibaba Cloud API operations, you must grant the RAM user the permissions on the API operations that you want to call. To grant permissions to a RAM user, you must create and attach an authorization policy to the RAM user.

When you create the authorization policy, you can use an Alibaba Cloud Resource Name (ARN) to specify the resource on which you want to grant permissions. An ARN is a globally unique name that is used to identify a resource on Alibaba Cloud. An ARN is in the following format:

    acs:service-name:region:account-id:resource-relative-id

An ARN contains the following fields:
  • acs: the abbreviated form of Alibaba Cloud Service. This indicates that the service is a public cloud offering of Alibaba Cloud.
  • service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), and Resource Orchestration Service (ROS).
  • region: the region where the service resides. If the service does not support regions, use an asterisk (*) in this field instead.
  • account-id: the ID of your Alibaba Cloud account, such as 123456789012****.
  • resource-relative-id: the description of the resource. The description varies by service. For more information, see the documentation of the Alibaba Cloud service that you want to use.

    For example, acs:oss:*:123456789012****:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in OSS, and 123456789012**** indicates the ID of the user to which the resource belongs.

Types of ROS resources that can be authorized

| Resource type | ARN format in the authorization policy |
| --- | --- |
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| | acs:ros:$regionid:$accountid:stack/* |
| Template | acs:ros:$regionid:$accountid:template/$templateid |
| | acs:ros:$regionid:$accountid:template/* |
| StackGroup | acs:ros:$regionid:$accountid:stack_group/* |

ROS API operations that can be authorized

  • Stack operations

| API | Action | ARN format |
| --- | --- | --- |
| PreviewStack | ros:PreviewStack | acs:ros:cn-hangzhou:$accountid:stack/* |
| CreateStack | ros:CreateStack | acs:ros:cn-hangzhou:$accountid:stack/* |
| ContinueCreateStack | ros:ContinueCreateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| SetDeletionProtection | ros:SetDeletionProtection | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| UpdateStack | ros:UpdateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| CancelUpdateStack | ros:CancelUpdateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetStack | ros:GetStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| ListStacks | ros:ListStacks | acs:ros:cn-hangzhou:$accountid:stack/* |
| ListStackEvents | ros:ListStackEvents | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| ListStackOperationRisks | ros:ListStackOperationRisks | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| DeleteStack | ros:DeleteStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| CreateChangeSet | ros:CreateChangeSet | When ChangeSetType is set to CREATE: acs:ros:cn-hangzhou:$accountid:stack/* |
| | | When ChangeSetType is set to UPDATE: acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| | | When ChangeSetType is set to IMPORT: acs:ros:cn-hangzhou:$accountid:stack/* |
| ExecuteChangeSet | ros:ExecuteChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetChangeSet | ros:GetChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| ListChangeSets | ros:ListChangeSets | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| DeleteChangeSet | ros:DeleteChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |

  • Resource operations

| API | Action | ARN format |
| --- | --- | --- |
| GetResourceTypeTemplate | ros:GetResourceTypeTemplate | No authentication required |
| ListStackResources | ros:ListStackResources | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetStackResource | ros:GetStackResource | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetResourceType | ros:GetResourceType | No authentication required |
| ListResourceTypes | ros:ListResourceTypes | No authentication required |
| MoveResourceGroup | ros:MoveResourceGroup | When ResourceType is set to stack: acs:ros:cn-hangzhou:$accountid:stack/* |
| | | When ResourceType is set to stackgroup: acs:ros:cn-hangzhou:$accountid:stack_group/* |
| | | When ResourceType is set to template: acs:ros:cn-hangzhou:$accountid:template/* |

  • Stack group operations

| API | Action | ARN format |
| --- | --- | --- |
| CreateStackGroup | ros:CreateStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| UpdateStackGroup | ros:UpdateStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| GetStackGroup | ros:GetStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| ListStackGroups | ros:ListStackGroups | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| DeleteStackGroup | ros:DeleteStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| CreateStackInstances | ros:CreateStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| UpdateStackInstances | ros:UpdateStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| GetStackInstance | ros:GetStackInstance | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| ListStackInstances | ros:ListStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| DeleteStackInstances | ros:DeleteStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| GetStackGroupOperation | ros:GetStackGroupOperation | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
| ListStackGroupOperations | ros:ListStackGroupOperations | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
| ListStackGroupOperationResults | ros:ListStackGroupOperationResults | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
| StopStackGroupOperation | ros:StopStackGroupOperation | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |

  • Template operations

| API | Action | ARN format |
| --- | --- | --- |
| GenerateTemplatePolicy | ros:GenerateTemplatePolicy | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| | | Note: If the TemplateId parameter is specified, authentication is required. |
| CreateTemplate | ros:CreateTemplate | acs:ros:cn-hangzhou:$accountid:template/* |
| ValidateTemplate | ros:ValidateTemplate | No authentication required |
| UpdateTemplate | ros:UpdateTemplate | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| GetTemplate | ros:GetTemplate | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| | | acs:ros:$regionid:$accountid:stack_group/* |
| | | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| GetTemplateEstimateCost | ros:GetTemplateEstimateCost | acs:ros:cn-hangzhou:$accountid:* |
| GetTemplateSummary | ros:GetTemplateSummary | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| | | Note: If the TemplateId parameter is specified, authentication is required. |
| ListTemplates | ros:ListTemplates | acs:ros:cn-hangzhou:$accountid:template/* |
| ListTemplateVersions | ros:ListTemplateVersions | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| SetTemplatePermission | ros:SetTemplatePermission | acs:ros:cn-hangzhou:$accountid:* |
| DeleteTemplate | ros:DeleteTemplate | acs:ros:cn-hangzhou:$accountid:template/$templateid |

  • Tag operations

| API | Action | ARN format |
| --- | --- | --- |
| ListTagResources | ros:ListTagResources | acs:ros:cn-hangzhou:$accountid:tag/* |
| ListTagKeys | ros:ListTagKeys | acs:ros:cn-hangzhou:$accountid:tag/* |
| ListTagValues | ros:ListTagValues | acs:ros:cn-hangzhou:$accountid:tag/* |
| UntagResources | ros:UntagResources | acs:ros:cn-hangzhou:$accountid:tag/* |

  • Other operations

| API | Action | ARN format |
| --- | --- | --- |
| DescribeRegions | ros:DescribeRegions | No authentication required |
| SignalResource | ros:SignalResource | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetStackPolicy | ros:GetStackPolicy | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| SetStackPolicy | ros:SetStackPolicy | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
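To make the ARN fields described above and the per-operation ARN formats in these tables concrete, here is an added Python example (not code from this page or from Alibaba Cloud). It splits an ARN into its five fields, builds a least-privilege RAM policy that grants only the read operations from the stack table on a single stack, and checks a request against that policy. The account ID and stack ID are constructed placeholders, and the evaluation model (field-by-field wildcard matching, explicit Deny overriding Allow, no match meaning deny) is a simplified assumption, not the service's implementation.

```python
import fnmatch

# Constructed placeholder IDs (assumption; not a real account or stack).
ACCOUNT_ID = "123456789012"
STACK_ID = "example-stack-id"

def parse_arn(arn):
    """Split an ARN into acs:service-name:region:account-id:resource-relative-id."""
    parts = arn.split(":", 4)  # resource-relative-id may itself contain colons
    if len(parts) != 5 or parts[0] != "acs" or not parts[1]:
        raise ValueError(f"malformed ARN: {arn!r}")
    return dict(zip(("prefix", "service", "region", "account", "resource"), parts))

def arn_matches(pattern, arn):
    """Wildcard-match field by field, so a stack/* pattern never covers a template ARN."""
    pat, req = parse_arn(pattern), parse_arn(arn)
    return all(fnmatch.fnmatchcase(req[k], pat[k]) for k in pat)

def read_only_stack_policy(account_id, stack_id):
    """RAM policy allowing only read actions from the stack table on one stack."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ros:GetStack", "ros:ListStackEvents", "ros:ListStackResources",
                       "ros:GetStackResource", "ros:GetStackPolicy"],
            "Resource": [f"acs:ros:*:{account_id}:stack/{stack_id}"],
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource_arn):
    """Simplified model (assumption): Deny wins, a matching Allow grants, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    print(is_allowed(read_only_stack_policy(ACCOUNT_ID, STACK_ID), "ros:DeleteStack",
                     f"acs:ros:cn-hangzhou:{ACCOUNT_ID}:stack/{STACK_ID}"))  # False
```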