Before you use a RAM user account to call an Alibaba Cloud API, you must use an Alibaba Cloud account to create an authorization policy to assign permissions to the RAM user account.
Resource authorization
By default, a RAM user account is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you use a RAM user to call an API, you must grant the RAM user account the permission to call the API by creating an authorization policy and attaching the policy to the RAM user account.
acs:service-name:region:account-id:resource-relative-id- acs: the abbreviation for Alibaba Cloud Service.
- service-name: the name of an Alibaba Cloud service, such as ecs, oss, and ros.
-
region: the region where the service resides. If this option is not supported, use the asterisk (
*) instead. -
account-id: the ID of the user account, such as 123456789012****.
-
resource-relative-id: the specific description of a resource. The description varies by service. For more information, see the documentation of each service.
For example,
123456789012****:sample_bucket/file1.txtindicates a resource named sample_bucket/file1.txt in Object Storage Service (OSS) and123456789012****indicates the ID of the user to which the resource belongs.
Types of ROS resources that can be authorized
| Resource type | ARN format in the authorization policy |
|---|---|
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| acs:ros:$regionid:$accountid:stack/* | |
| Template | acs:ros:$regionid:$accountid:template/$templateid |
| acs:ros:$regionid:$accountid:template/* | |
| StackGroup | acs:ros:$regionid:$accountid:stack_group/* |
ROS API operations that can be authorized
The following table lists ROS API operations that can be authorized and their corresponding ARN formats.
| API | ARN format |
|---|---|
| CreateStack | acs:ros:$regionid:$accountid:stack/* |
| UpdateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| DeleteStack | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStack | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStacks | acs:ros:$regionid:$accountid:stack/* |
| PreviewStack | acs:ros:$regionid:$accountid:stack/* |
| GetTemplateEstimateCost | acs:ros:$regionid:$accountid:* |
| CancelUpdateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| ContinueCreateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| SetStackPolicy | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackPolicy | acs:ros:$regionid:$accountid:stack/$stackid |
| GetTemplate | acs:ros:$regionid:$accountid:stack/$stackid |
| acs:ros:$regionid:$accountid:template/$templateid | |
| CreateChangeSet | When ChangeSetType is set to CREATE: acs:ros:$regionid:$accountid:stack/* |
| When ChangeSetType is set to UPDATE: acs:ros:$regionid:$accountid:stack/$stackid | |
| GetChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| ListChangeSets | acs:ros:$regionid:$accountid:stack/$stackid |
| ExecuteChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| DeleteChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackEvents | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackResources | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackResource | acs:ros:$regionid:$accountid:stack/$stackid |
| SignalResource | acs:ros:$regionid:$accountid:stack/$stackid |
| DetectStackDrift | acs:ros:$regionid:$accountid:stack/$stackid |
| DetectStackResourceDrift | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackDriftDetectionStatus | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackResourceDrifts | acs:ros:$regionid:$accountid:stack/$stackid |
| DetectStackGroupDrift | acs:ros:$regionid:$accountid:stack_group/* |
| UpdateStackTemplateByResources | acs:ros:$regionid:$accountid:stack/$stackid |