RAM authorization - API Reference| Alibaba Cloud Documentation Center

Before a Resource Access Management (RAM) user can call an API operation to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to attach the required permission policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).

Resource Group

The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.


Action	Resource
ram:CreateResourceGroup	acs:ram::$AccountId:resourcegroup/
ram:DeleteResourceGroup	acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName
ram:UpdateResourceGroup	acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName
ram:CreatePolicy	acs:ram::$AccountId:policy/
ram:DeletePolicy	acs:ram:*:$AccountId:policy/$PolicyName
ram:ListPolicies	acs:ram::$AccountId:policy/
ram:GetPolicy	acs:ram:*:$AccountId:policy/$PolicyName
ram:CreatePolicyVersion	acs:ram:*:$AccountId:policy/$PolicyName
ram:DeletePolicyVersion	acs:ram:*:$AccountId:policy/$PolicyName
ram:ListPolicyVersions	acs:ram:*:$AccountId:policy/$PolicyName
ram:GetPolicyVersion	acs:ram:*:$AccountId:policy/$PolicyName
ram:SetDefaultPolicyVersion	acs:ram:*:$AccountId:policy/$PolicyName
ram:AttachPolicy	Policy: acs:ram::system:policy/$PolicyName or acs:ram::$AccountId:policy/$PolicyName RAM user: acs:ims::$AccountId:user/ RAM user group: acs:ims::$AccountId:group/ RAM role: acs:ram::$AccountId:role/
ram:DetachPolicy	Policy: acs:ram::system:policy/$PolicyName or acs:ram::$AccountId:policy/$PolicyName RAM user: acs:ims::$AccountId:user/ RAM user group: acs:ims::$AccountId:group/ RAM role: acs:ram::$AccountId:role/
ram:ListPolicyAttachments	acs:ram::$AccountId:
ram:CreateRole	acs:ram::$AccountId:role/
ram:GetRole	acs:ram:*:$AccountId:role/$RoleName
ram:ListRoles	acs:ram::$AccountId:role/
ram:UpdateRole	acs:ram:*:$AccountId:role/$RoleName
ram:DeleteRole	acs:ram:*:$AccountId:role/$RoleName
ram:CreateServiceLinkedRole	acs:ram::$AccountId:role/
ram:DeleteServiceLinkedRole	acs:ram:*:$AccountId:role/$RoleName
ram:GetServiceLinkedRoleDeletionStatus	acs:ram:*:$AccountId:role/$RoleName

Resource Directory

The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.


Action	Resource
resourcemanager:InitResourceDirectory	acs:resourcemanager::$AccountId:
resourcemanager:DestroyResourceDirectory	acs:resourcemanager::$AccountId:
resourcemanager:GetResourceDirectory	acs:resourcemanager::$AccountId:
resourcemanager:CreateResourceAccount	acs:resourcemanager::$AccountId:
resourcemanager:CreateCloudAccount	acs:resourcemanager::$AccountId:
resourcemanager:PromoteResourceAccount	acs:resourcemanager::$AccountId:
resourcemanager:ResendCreateCloudAccountEmail	acs:resourcemanager::$AccountId:
resourcemanager:ResendPromoteResourceAccountEmail	acs:resourcemanager::$AccountId:
resourcemanager:CancelCreateCloudAccount	acs:resourcemanager::$AccountId:
resourcemanager:CancelPromoteResourceAccount	acs:resourcemanager::$AccountId:
resourcemanager:RemoveCloudAccount	acs:resourcemanager::$AccountId:
resourcemanager:GetAccount	acs:resourcemanager::$AccountId:
resourcemanager:MoveAccount	acs:resourcemanager::$AccountId:
resourcemanager:ListAccountsForParent	acs:resourcemanager::$AccountId:
resourcemanager:ListAccounts	acs:resourcemanager::$AccountId:
resourcemanager:GetPayerForAccount	acs:resourcemanager::$AccountId:
resourcemanager:UpdateAccount	acs:resourcemanager::$AccountId:
resourcemanager:CreateFolder	acs:resourcemanager::$AccountId:
resourcemanager:DeleteFolder	acs:resourcemanager::$AccountId:
resourcemanager:GetFolder	acs:resourcemanager::$AccountId:
resourcemanager:ListFoldersForParent	acs:resourcemanager::$AccountId:
resourcemanager:ListAncestors	acs:resourcemanager::$AccountId:
resourcemanager:UpdateFolder	acs:resourcemanager::$AccountId:
resourcemanager:InviteAccountToResourceDirectory	acs:resourcemanager::$AccountId:
resourcemanager:GetHandshake	acs:resourcemanager::$AccountId:
resourcemanager:AcceptHandshake	acs:resourcemanager::$AccountId:
resourcemanager:CancelHandshake	acs:resourcemanager::$AccountId:
resourcemanager:DeclineHandshake	acs:resourcemanager::$AccountId:
resourcemanager:ListHandshakesForAccount	acs:resourcemanager::$AccountId:
resourcemanager:ListHandshakesForResourceDirectory	acs:resourcemanager::$AccountId:
resourcemanager:ListTrustedServiceStatus	acs:resourcemanager::$AccountId:

Resource Sharing

The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Note An asterisk (*) in the Resource element indicates all resources.


Action	Resource
resourcesharing:CreateResourceShare	*
resourcesharing:UpdateResourceShare	*
resourcesharing:DeleteResourceShare	*
resourcesharing:ListResourceShares	*
resourcesharing:AssociateResourceShare	*
resourcesharing:DisassociateResourceShare	*
resourcesharing:ListResourceShareAssociations	*
resourcesharing:ListSharedResources	*
resourcesharing:ListSharedTargets	*

Tag

The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.


Action	Resource
tag:ListTagResources	acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:TagResources	acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:UntagResources	acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:ListTagKeys	acs:tag:$RegionId:$AccountId:/
tag:ListTagValues	acs:tag:$RegionId:$AccountId:/