This topic uses an example policy to demonstrate how to authorize a RAM user to manage a specified ECS instance.

The following policy indicates that the authorized RAM user can view all ECS instances under an Alibaba Cloud account, but the user can manage only the i-001 ECS instance.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Note: The Describe* element is required in the policy. Otherwise, the authorized RAM user cannot view instances in the console. However, the RAM user can manage the specified ECS instance through API operations, the CLI, or the ECS SDK.
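The following is an added example, not Alibaba Cloud code: a simplified Python model of how the two statements in the policy above combine, useful for checking what a scoped policy actually grants before attaching it. It assumes `*` is the only wildcard, that an explicit Deny overrides any Allow, and that anything unmatched is denied; the region, account ID and the i-002 instance are constructed sample values.

```python
import json
import re

# The policy from this page, embedded so the example runs offline.
POLICY = json.loads("""
{"Statement": [
   {"Action": "ecs:*", "Effect": "Allow",
    "Resource": "acs:ecs:*:*:instance/i-001"},
   {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"}],
 "Version": "1"}
""")

# Constructed sample resource names (region and account ID are placeholders).
I001 = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-001"
I002 = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-002"


def _matches(patterns, value):
    """True if value matches any pattern; '*' is treated as the only wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(
        re.fullmatch(re.escape(p).replace(r"\*", ".*"), value) for p in patterns
    )


def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def without_describe(policy):
    """Copy of the policy with the ecs:Describe* statement removed."""
    kept = [s for s in policy["Statement"] if s["Action"] != "ecs:Describe*"]
    return {"Statement": kept, "Version": policy["Version"]}


if __name__ == "__main__":
    for pol, label in ((POLICY, "full policy"), (without_describe(POLICY), "no Describe*")):
        for action, res in (("ecs:DescribeInstances", I002), ("ecs:StopInstance", I001),
                            ("ecs:StopInstance", I002), ("ecs:DeleteInstance", I001)):
            print(f"{label:13} {action:22} {res[-5:]} -> {is_allowed(pol, action, res)}")
```

Because the first statement grants `ecs:*` on i-001, destructive operations such as `ecs:DeleteInstance` are allowed on that instance too; list specific actions instead if the user should only operate the instance.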