Before a RAM user can call an Alibaba Cloud API, the Alibaba Cloud account that owns the resources must create an authorization policy and attach it to that RAM user. A RAM user has no permissions until a policy grants them.

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud APIs that create, read, or modify cloud resources. Before you use a RAM user to call an API, grant the RAM user the permission for that API by creating an authorization policy and attaching the policy to the RAM user.

When you create the authorization policy, you identify the resource to authorize by its Alibaba Cloud Resource Name (ARN). ARNs use the following format:
acs:service-name:region:account-id:resource-relative-id
An ARN consists of the following fields:
  • acs: the abbreviation of Alibaba Cloud Service.
  • service-name: the name of the Alibaba Cloud service, such as ecs, oss, or ros.
  • region: the region in which the resource resides. If the service does not support regions, use an asterisk (*) in this field.
  • account-id: the ID of the Alibaba Cloud account that owns the resource, such as 123456789012****.
  • resource-relative-id: the service-specific description of the resource. The format varies by service; see the documentation of each service.
    For example, in acs:oss:*:123456789012****:sample_bucket/file1.txt, sample_bucket/file1.txt is an object in Object Storage Service (OSS) and 123456789012**** is the ID of the account that owns it.

Types of ROS resources that can be authorized

Resource type   ARN format in the authorization policy
Stack           acs:ros:$regionid:$accountid:stack/$stackid
                acs:ros:$regionid:$accountid:stack/*
Template        acs:ros:$regionid:$accountid:template/$templateid
                acs:ros:$regionid:$accountid:template/*
StackGroup      acs:ros:$regionid:$accountid:stack_group/*

ROS API operations that can be authorized

The following table lists the ROS API operations that can be authorized and the ARN that each operation is checked against. Operations listed with stack/* (such as CreateStack, ListStacks, and PreviewStack) are evaluated against the wildcard ARN and therefore cannot be restricted to a single stack ID; GetTemplateEstimateCost is evaluated against acs:ros:$regionid:$accountid:*.

API                              ARN format
CreateStack                      acs:ros:$regionid:$accountid:stack/*
UpdateStack                      acs:ros:$regionid:$accountid:stack/$stackid
DeleteStack                      acs:ros:$regionid:$accountid:stack/$stackid
GetStack                         acs:ros:$regionid:$accountid:stack/$stackid
ListStacks                       acs:ros:$regionid:$accountid:stack/*
PreviewStack                     acs:ros:$regionid:$accountid:stack/*
GetTemplateEstimateCost          acs:ros:$regionid:$accountid:*
CancelUpdateStack                acs:ros:$regionid:$accountid:stack/$stackid
ContinueCreateStack              acs:ros:$regionid:$accountid:stack/$stackid
SetStackPolicy                   acs:ros:$regionid:$accountid:stack/$stackid
GetStackPolicy                   acs:ros:$regionid:$accountid:stack/$stackid
GetTemplate                      acs:ros:$regionid:$accountid:stack/$stackid
                                 acs:ros:$regionid:$accountid:template/$templateid
CreateChangeSet                  ChangeSetType=CREATE: acs:ros:$regionid:$accountid:stack/*
                                 ChangeSetType=UPDATE: acs:ros:$regionid:$accountid:stack/$stackid
GetChangeSet                     acs:ros:$regionid:$accountid:stack/$stackid
ListChangeSets                   acs:ros:$regionid:$accountid:stack/$stackid
ExecuteChangeSet                 acs:ros:$regionid:$accountid:stack/$stackid
DeleteChangeSet                  acs:ros:$regionid:$accountid:stack/$stackid
ListStackEvents                  acs:ros:$regionid:$accountid:stack/$stackid
ListStackResources               acs:ros:$regionid:$accountid:stack/$stackid
GetStackResource                 acs:ros:$regionid:$accountid:stack/$stackid
SignalResource                   acs:ros:$regionid:$accountid:stack/$stackid
DetectStackDrift                 acs:ros:$regionid:$accountid:stack/$stackid
DetectStackResourceDrift         acs:ros:$regionid:$accountid:stack/$stackid
GetStackDriftDetectionStatus     acs:ros:$regionid:$accountid:stack/$stackid
ListStackResourceDrifts          acs:ros:$regionid:$accountid:stack/$stackid
DetectStackGroupDrift            acs:ros:$regionid:$accountid:stack_group/*
UpdateStackTemplateByResources   acs:ros:$regionid:$accountid:stack/$stackid
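The following is an added example, not code from Alibaba Cloud or this page, that puts the ARN format and the operation table above to work: it builds a least-privilege RAM policy for a RAM user that may read and update one stack and list stacks, but never delete, and then checks which requests the policy would allow. The policy evaluation is a simplified model (explicit Deny wins, otherwise any matching Allow; conditions are not modelled), the action names assume the RAM form ros:<API>, and the region, account ID and stack ID are constructed sample values.

```python
"""Least-privilege RAM policy for ROS stack operations: build it, then check
what it allows. Added example; not Alibaba Cloud's own code."""
import json
import re
from typing import Dict, List, Union

# Operation -> resource-relative-id pattern, transcribed from the page's table
# for the operations this example uses. {stack_id} is filled in for operations
# scoped to one stack; the others are only authorizable on stack/*.
STACK_ACTION_RESOURCE = {
    "ros:CreateStack": "stack/*",
    "ros:ListStacks": "stack/*",
    "ros:GetStack": "stack/{stack_id}",
    "ros:ListStackResources": "stack/{stack_id}",
    "ros:UpdateStack": "stack/{stack_id}",
    "ros:DeleteStack": "stack/{stack_id}",
}


def ros_arn(region: str, account_id: str, relative_id: str) -> str:
    """Assemble acs:ros:<region>:<account-id>:<resource-relative-id>."""
    return f"acs:ros:{region}:{account_id}:{relative_id}"


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its five fields; the resource-relative-id is the tail."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or not parts[1]:
        raise ValueError(f"malformed ARN: {arn!r}")
    return dict(zip(("prefix", "service", "region", "account_id", "resource"), parts))


def required_arn(action: str, region: str, account_id: str, stack_id: str = "") -> str:
    """The ARN a request for `action` is checked against, per the page's table."""
    relative = STACK_ACTION_RESOURCE[action]
    if "{stack_id}" in relative and not stack_id:
        raise ValueError(f"{action} is authorized per stack; stack_id is required")
    return ros_arn(region, account_id, relative.format(stack_id=stack_id))


def _wild_match(pattern: str, value: str) -> bool:
    # In RAM patterns only '*' is a wildcard; everything else is literal.
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(x: Union[str, List[str]]) -> List[str]:
    return [x] if isinstance(x, str) else list(x)


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified RAM evaluation (assumption): a matching Deny wins, otherwise
    the request is allowed if any statement's Action and Resource both match."""
    parse_arn(resource_arn)  # reject malformed ARNs before matching
    allowed = False
    for st in policy["Statement"]:
        if any(_wild_match(a, action) for a in _as_list(st["Action"])) and \
           any(_wild_match(r, resource_arn) for r in _as_list(st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def build_stack_operator_policy(region: str, account_id: str, stack_id: str) -> dict:
    """Read/update one stack, list all stacks, never delete anything.
    ListStacks is checked against stack/* (see the table), so it gets its own
    statement instead of widening the per-stack one. The Deny uses region '*'
    so it holds in every region."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ros:GetStack", "ros:ListStackResources", "ros:UpdateStack"],
             "Resource": ros_arn(region, account_id, f"stack/{stack_id}")},
            {"Effect": "Allow",
             "Action": "ros:ListStacks",
             "Resource": ros_arn(region, account_id, "stack/*")},
            {"Effect": "Deny",
             "Action": "ros:DeleteStack",
             "Resource": ros_arn("*", account_id, "stack/*")},
        ],
    }


# Constructed sample identifiers. The docs mask account IDs as 123456789012****;
# in a real policy '*' is a wildcard, so never paste the masked form into Resource.
REGION, ACCOUNT = "cn-hangzhou", "1234567890123456"
STACK = "4a6c9851-3b0f-4b1a-9c1e-0f2d8e7a5b12"


def demo() -> Dict[str, bool]:
    """Evaluate representative requests against the policy; keys are labels."""
    policy = build_stack_operator_policy(REGION, ACCOUNT, STACK)
    checks = {
        "get own stack": ("ros:GetStack", required_arn("ros:GetStack", REGION, ACCOUNT, STACK)),
        "get other stack": ("ros:GetStack", required_arn("ros:GetStack", REGION, ACCOUNT, "other")),
        "list stacks": ("ros:ListStacks", required_arn("ros:ListStacks", REGION, ACCOUNT)),
        "create stack": ("ros:CreateStack", required_arn("ros:CreateStack", REGION, ACCOUNT)),
        "delete own stack": ("ros:DeleteStack", required_arn("ros:DeleteStack", REGION, ACCOUNT, STACK)),
    }
    return {name: is_allowed(policy, act, arn) for name, (act, arn) in checks.items()}


if __name__ == "__main__":
    print(json.dumps(build_stack_operator_policy(REGION, ACCOUNT, STACK), indent=2))
    for name, ok in demo().items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY'}")
```

Two things the run makes visible that the table alone does not: CreateStack stays denied even though the RAM user has write access to the named stack, because the table checks CreateStack against stack/* and a per-stack Resource never matches that; and the per-stack statement does not leak to other stacks. Before attaching a real policy, compare each Resource you write against the ARN column for the operation, not against the resource you happen to be thinking of.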