Before calling an Alibaba Cloud API by using a RAM user account, you must use an Alibaba Cloud account to create an authorization policy to assign permissions to the RAM user account.

Resource authorization

By default, a RAM user account is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before using a RAM user account to call an API, you must grant the RAM user account the corresponding permission to call the API by creating an authorization policy and attaching the policy to the RAM user account.

When creating the authorization policy, you can specify the resource to authorize by its Alibaba Resource Name (ARN), which identifies that resource.

The ARN format is as follows:

acs:service-name:region:account-id:resource-relative-id

where:

  • acs: the abbreviation for Alibaba Cloud Service.
  • service-name: the name of an Alibaba Cloud service, such as ecs, oss, and ros.
  • region: the region where the service resides. If this option is not supported, use the asterisk (*) wildcard instead.
  • account-id: the ID of the user account, such as 1234567890123456.
  • resource-relative-id: the specific description of a resource. The description varies by service. For more information, see the documentation of each service.

    For example, acs:oss:1234567890123456:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in Alibaba Cloud OSS, and 1234567890123456 is the ID of the user account to which the resource belongs.

Types of ROS resources that can be authorized

| Resource type | ARN format in the authorization policy |
|---|---|
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| | acs:ros:$regionid:$accountid:stack/* |

ROS API operations that can be authorized

The following table lists ROS API operations that can be authorized and their corresponding ARN formats.

| Operation | ARN format |
|---|---|
| CreateStack | acs:ros:$regionid:$accountid:stack/* |
| UpdateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| DeleteStack | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStack | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStacks | acs:ros:$regionid:$accountid:stack/* |
| PreviewStack | acs:ros:$regionid:$accountid:stack/* |
| GetTemplateEstimateCost | acs:ros:$regionid:$accountid:* |
| CancelUpdateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| ContinueCreateStack | acs:ros:$regionid:$accountid:stack/$stackid |
| SetStackPolicy | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackPolicy | acs:ros:$regionid:$accountid:stack/$stackid |
| GetTemplate | acs:ros:$regionid:$accountid:stack/$stackid |
| CreateChangeSet | When ChangeSetType is set to CREATE: acs:ros:$regionid:$accountid:stack/* |
| | When ChangeSetType is set to UPDATE: acs:ros:$regionid:$accountid:stack/$stackid |
| GetChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| ListChangeSets | acs:ros:$regionid:$accountid:stack/$stackid |
| ExecuteChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| DeleteChangeSet | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackEvents | acs:ros:$regionid:$accountid:stack/$stackid |
| ListStackResources | acs:ros:$regionid:$accountid:stack/$stackid |
| GetStackResource | acs:ros:$regionid:$accountid:stack/$stackid |
| SignalResource | acs:ros:$regionid:$accountid:stack/$stackid |
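
The following Python code is an added example, not part of the Alibaba Cloud documentation. It builds a RAM policy that grants only the requested ROS operations, each on the narrowest ARN form the operations table above gives for it, so that operations such as ListStacks are not silently denied by a policy scoped to a single stack. The `ros:` action prefix, the policy `Version` value, the region `cn-hangzhou` and the stack ID are assumptions or constructed sample values.

```python
import json
from collections import defaultdict

ANY_STACK = "stack/*"            # operation is not tied to one existing stack
ONE_STACK = "stack/{stack_id}"   # operation targets a specific stack

# Scope per operation, copied from the operations table. CreateChangeSet is
# left out because its scope depends on ChangeSetType.
SCOPE = {op: ANY_STACK for op in ("CreateStack", "ListStacks", "PreviewStack")}
SCOPE["GetTemplateEstimateCost"] = "*"
SCOPE.update({op: ONE_STACK for op in (
    "UpdateStack", "DeleteStack", "GetStack", "CancelUpdateStack",
    "ContinueCreateStack", "SetStackPolicy", "GetStackPolicy", "GetTemplate",
    "GetChangeSet", "ListChangeSets", "ExecuteChangeSet", "DeleteChangeSet",
    "ListStackEvents", "ListStackResources", "GetStackResource",
    "SignalResource")})


def build_policy(operations, region, account_id, stack_id=None):
    """Return a RAM policy dict allowing only `operations`, grouped by ARN."""
    by_resource = defaultdict(list)
    for op in operations:
        suffix = SCOPE[op]  # KeyError for an operation the table does not list
        if suffix == ONE_STACK:
            if not stack_id:
                raise ValueError(f"{op} must be scoped to a stack ID")
            suffix = suffix.format(stack_id=stack_id)
        arn = f"acs:ros:{region}:{account_id}:{suffix}"
        by_resource[arn].append(f"ros:{op}")  # assumption: ros: action prefix
    return {
        "Version": "1",  # assumption: RAM policy syntax version
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
            for arn, actions in sorted(by_resource.items())
        ],
    }


if __name__ == "__main__":
    # Constructed sample values: the region and stack ID are placeholders.
    policy = build_policy(
        ["GetStack", "ListStacks", "ListStackEvents", "UpdateStack"],
        region="cn-hangzhou", account_id="1234567890123456",
        stack_id="example-stack-id")
    print(json.dumps(policy, indent=2))
```

The output contains two statements: ListStacks on `stack/*`, and the three stack-specific operations on the single stack ARN.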