Before you call an Alibaba Cloud API as a Resource Access Management (RAM) user, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.
Resource authorization
By default, a RAM user is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you call an API as a RAM user, you must grant the RAM user the permissions to call the API by creating an authorization policy and attaching the policy to the RAM user.
When you create the authorization policy, you can use an Alibaba Cloud Resource Name
(ARN) to specify the resource that you are allowed to access. An ARN is a globally
unique name used to identify a resource on Alibaba Cloud. The following format is
used for ARNs:
acs:service-name:region:account-id:resource-relative-idAn ARN contains the following fields:
- acs: the abbreviation for Alibaba Cloud Service.
- service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), and Resource Orchestration Service (ROS).
-
region: the region where the service resides. If this option is not supported, use the asterisk (
*) instead. - account-id: the ID of the Alibaba Cloud account, such as 123456789012****.
- resource-relative-id: the specific description of a resource. The description varies by service. For more
information, see the documentation of each service.
For example,
acs:oss:123456789012****:sample_bucket/file1.txtindicates a resource named sample_bucket/file1.txt in OSS, and123456789012****indicates the ID of the user to which the resource belongs.
Types of ROS resources that can be authorized
| Resource type | ARN format in the authorization policy |
|---|---|
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| acs:ros:$regionid:$accountid:stack/* | |
| Template | acs:ros:$regionid:$accountid:template/$templateid |
| acs:ros:$regionid:$accountid:template/* | |
| StackGroup | acs:ros:$regionid:$accountid:stack_group/* |
ROS API operations that can be authorized
- Stack operations
API operation Action ARN format PreviewStack ros:PreviewStack acs:ros:cn-hangzhou:$accountid:stack/* CreateStack ros:CreateStack cs:ros:cn-hangzhou:$accountid:stack/* ContinueCreateStack ros:ContinueCreateStack acs:ros:cn-hangzhou:$accountid:stack/$stackid SetDeletionProtection ros:SetDeletionProtection acs:ros:cn-hangzhou:$accountid:stack/$stackid UpdateStack ros:UpdateStack acs:ros:cn-hangzhou:$accountid:stack/$stackid CancelUpdateStack ros:CancelUpdateStack acs:ros:cn-hangzhou:$accountid:stack/$stackid GetStack ros:GetStack acs:ros:cn-hangzhou:$accountid:stack/$stackid ListStacks ros:ListStacks acs:ros:cn-hangzhou:$accountid:stack/* ListStackEvents ros:ListStackEvents acs:ros:cn-hangzhou:$accountid:stack/$stackid ListStackOperationRisks ros:ListStackOperationRisks acs:ros:cn-hangzhou:$accountid:stack/$stackid DeleteStack ros:DeleteStack acs:ros:cn-hangzhou:$accountid:stack/$stackid CreateChangeSet ros:CreateChangeSet - When ChangeSetType is set to CREATE: acs:ros:cn-hangzhou:$accountid:stack/*
- When ChangeSetType is set to UPDATE: acs:ros:cn-hangzhou:$accountid:stack/$stackid
- When ChangeSetType is set to IMPORT: acs:ros:cn-hangzhou:$accountid:stack/*
ExecuteChangeSet ros:ExecuteChangeSet acs:ros:cn-hangzhou:$accountid:stack/$stackid GetChangeSet ros:GetChangeSet acs:ros:cn-hangzhou:$accountid:stack/$stackid ListChangeSets ros:ListChangeSets acs:ros:cn-hangzhou:$accountid:stack/$stackid DeleteChangeSet ros:DeleteChangeSet acs:ros:cn-hangzhou:$accountid:stack/$stackid - Resource operations
API operation Action ARN format GetResourceTypeTemplate ros:GetResourceTypeTemplate No authentication required ListStackResources ros:ListStackResources acs:ros:cn-hangzhou:$accountid:stack/$stackid GetStackResource ros:GetStackResource acs:ros:cn-hangzhou:$accountid:stack/$stackid GetResourceType ros:GetResourceType No authentication required ListResourceTypes ros:ListResourceTypes No authentication required MoveResourceGroup ros:MoveResourceGroup - When ResourceType is set to stack: acs:ros:cn-hangzhou:$accountid:stack/*
- When ResourceType is set to stackgroup: acs:ros:cn-hangzhou:$accountid:stack_group/*
- When ResourceType is set to template: acs:ros:cn-hangzhou:$accountid:template/*
- Stack group operations
API operation Action ARN format CreateStackGroup ros:CreateStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/* UpdateStackGroup ros:UpdateStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/$stackid GetStackGroup ros:GetStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/$stackid ListStackGroups ros:ListStackGroups acs:ros:cn-hangzhou:$accountid:stack_group/* DeleteStackGroup ros:DeleteStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/$stackid CreateStackInstances ros:CreateStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* UpdateStackInstances ros:UpdateStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* GetStackInstance ros:GetStackInstance acs:ros:cn-hangzhou:$accountid:stack/$stackid ListStackInstances ros:ListStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* DeleteStackInstances ros:DeleteStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* GetStackGroupOperation ros:GetStackGroupOperation acs:ros:cn-hangzhou:$accountid:stack_group_operation/* ListStackGroupOperations ros:ListStackGroupOperations acs:ros:cn-hangzhou:$accountid:stack_group_operation/* ListStackGroupOperationResults ros:ListStackGroupOperationResults acs:ros:cn-hangzhou:$accountid:stack_group_operation/* StopStackGroupOperation ros:StopStackGroupOperation acs:ros:cn-hangzhou:$accountid:stack_group_operation/* - Template operations
API operation Action ARN format GenerateTemplatePolicy ros:GenerateTemplatePolicy acs:ros:cn-hangzhou:$accountid:template/$templateid Note If the TemplateId parameter is specified, authentication is required.CreateTemplate ros:CreateTemplate acs:ros:cn-hangzhou:$accountid:template/* ValidateTemplate ros:ValidateTemplate No authentication required UpdateTemplate ros:UpdateTemplate acs:ros:cn-hangzhou:$accountid:template/$templateid GetTemplate ros:GetTemplate - acs:ros:cn-hangzhou:$accountid:stack/$stackid
- acs:ros:$regionid:$accountid:stack_group/*
- acs:ros:cn-hangzhou:$accountid:template/$templateid
GetTemplateEstimateCost ros:GetTemplateEstimateCost acs:ros:cn-hangzhou:$accountid:* GetTemplateSummary ros:GetTemplateSummary acs:ros:cn-hangzhou:$accountid:template/$templateid Note If the TemplateId parameter is specified, authentication is required.ListTemplates ros:ListTemplates acs:ros:cn-hangzhou:$accountid:template/* ListTemplateVersions ros:ListTemplateVersions acs:ros:cn-hangzhou:$accountid:template/$templateid SetTemplatePermission ros:SetTemplatePermission acs:ros:cn-hangzhou:$accountid:* DeleteTemplate ros:DeleteTemplate acs:ros:cn-hangzhou:$accountid:template/$templateid - Tag operations
API operation Action ARN format ListTagResources ros:ListTagResources acs:ros:cn-hangzhou:$accountid:tag/* ListTagKeys ros:ListTagKeys acs:ros:cn-hangzhou:$accountid:tag/* ListTagValues ros:ListTagValues acs:ros:cn-hangzhou:$accountid:tag/* UntagResources ros:UntagResources acs:ros:cn-hangzhou:$accountid:tag/* - Other operations
API operation Action ARN format DescribeRegions ros:DescribeRegions No authentication required SignalResource ros:SignalResource acs:ros:cn-hangzhou:$accountid:stack/$stackid GetStackPolicy ros:GetStackPolicy acs:ros:cn-hangzhou:$accountid:stack/$stackid SetStackPolicy ros:SetStackPolicy acs:ros:cn-hangzhou:$accountid:stack/$stackid