Before calling an Alibaba Cloud API by using a RAM user account, you must use an Alibaba Cloud account to create an authorization policy to assign permissions to the RAM user account.
Resource authorization
By default, a RAM user account is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before using a RAM user account to call an API, you must grant the RAM user account the corresponding permission to call the API by creating an authorization policy and attaching the policy to the RAM user account.
When creating the authorization policy, you can specify the resource to authorize by its Alibaba Resource Name (ARN). An ARN is used to identify the resource to authorize.
The ARN format is as follows:
acs:service-name:region:account-id:resource-relative-idwhere:
- acs: the abbreviation for Alibaba Cloud Service.
- service-name: the name of an Alibaba Cloud service, such as ecs, oss, and ros.
-
region: the region where the service resides. If this option is not supported, use the asterisk (*) wildcard instead.
-
account-id: the ID of the user account, such as 1234567890123456.
-
resource-relative-id: the specific description of a resource. The description varies by service. For more information, see the documentation of each service.
For example,
acs:oss:1234567890123456:sample_bucket/file1.txtindicates a resource named sample_bucket/file1.txt in Alibaba Could OSS and1234567890123456is the ID of the user account to which the resource belongs.
Types of ROS resources that can be authorized
| Resource type | ARN format in the authorization policy |
|---|---|
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| acs:ros:$regionid:$accountid:stack/* |
ROS API operations that can be authorized
The following table lists ROS API operations that can be authorized and their corresponding ARN formats.
| Operation | ARN format |
|---|---|
| CreateStack | acs:ros:$regionid:$accountid:stack/* |
| UpdateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| DeleteStack | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStack | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStacks | acs:ros:$regionid:$accountid:stack/* |
| PreviewStack | acs:ros:$regionid:$accountid:stack/* |
| GetTemplateEstimateCost | acs:ros:$regionid:$accountid:* |
| CancelUpdateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| ContinueCreateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| SetStackPolicy | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackPolicy | acs:ros:$regionid:$accountid:stack/$stackid |
| GetTemplate | acs:ros:$regionid:$accountid:stack/$stackid |
| CreateChangeSet | When ChangeSetType is set to CREATE: acs:ros:$regionid:$accountid:stack/* |
| When ChangeSetType is set to UPDATE: acs:ros:$regionid:$accountid:stack/$stackid | |
| GetChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| ListChangeSets | acs:ros:$regionid:$accountid:stack/$stackid |
| ExecuteChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| DeleteChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackEvents | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackResources | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackResource | acs:ros:$regionid:$accountid:stack/$stackid |
| SignalResource | acs:ros:$regionid:$accountid:stack/$stackid |