Before you use a RAM user to call the API operations of Resource Management to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create the required policy and attach it to the RAM user. In the policy, you specify the authorized API operations in the Action element and the authorized resources in the Resource element. Each resource is identified by its Alibaba Cloud Resource Name (ARN).

The following list describes the variables that you can specify in a policy. Replace the variables with actual values.

  • <AccountId>: the ID of an Alibaba Cloud account
  • <ResourceGroupName>: the name of a resource group
  • <PolicyName>: the name of a policy
  • <RoleName>: the name of a RAM role
  • <ResourceType>: the resource type
  • <ResourceId>: the ID of a resource
  • <RegionId>: the region ID
  • <Product>: the code of a service
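
The following sketch is an added example, not code from this page or from Alibaba Cloud. It fills in the variables of a few ARN formats taken from the tables on this page and builds a policy that grants each action only on its own resource. The Version/Statement/Effect wrapper is the standard RAM policy JSON layout, which this page does not show; the sample values and the allowed character set are assumptions.

```python
import json
import re

# Action -> ARN format, copied from the tables on this page (a subset).
ARN_FORMATS = {
    "ram:UpdateResourceGroup": "acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName>",
    "ram:GetRole": "acs:ram:*:<AccountId>:role/<RoleName>",
    "resourcemanager:GetFolder": "acs:resourcemanager:*:<AccountId>:*",
    "tag:ListTagResources": "acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>",
}

VARIABLE = re.compile(r"<(\w+)>")
# Assumption: substituted values use only these characters. Rejecting "*", ":"
# and "/" keeps a value from widening the ARN beyond the documented format.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]+")


def render_arn(action, values):
    """Fill in the page's ARN format for `action`; fail on gaps or unsafe values."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"{action}: no value supplied for <{name}>")
        if not SAFE_VALUE.fullmatch(values[name]):
            raise ValueError(f"{action}: unsafe value for <{name}>: {values[name]!r}")
        return values[name]
    return VARIABLE.sub(substitute, ARN_FORMATS[action])


def build_policy(actions, values):
    """Return a policy with one Allow statement per action, scoped to its ARN."""
    statements = [
        {"Effect": "Allow", "Action": a, "Resource": render_arn(a, values)}
        for a in actions
    ]
    return {"Version": "1", "Statement": statements}


# Constructed sample values, not real identifiers.
SAMPLE_VALUES = {
    "AccountId": "1234567890123456",
    "ResourceGroupName": "dev-team",
    "RoleName": "audit-reader",
}

if __name__ == "__main__":
    wanted = ["ram:UpdateResourceGroup", "ram:GetRole", "resourcemanager:GetFolder"]
    print(json.dumps(build_policy(wanted, SAMPLE_VALUES), indent=2))
```

Keeping one statement per action avoids pairing an action with another action's resource, which happens when several actions and several ARNs are merged into a single statement.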

Resource Group

The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Action Resource
ram:CreateResourceGroup acs:ram:*:<AccountId>:resourcegroup/*
ram:DeleteResourceGroup acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName>
ram:UpdateResourceGroup acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName>
ram:CreatePolicy acs:ram:*:<AccountId>:policy/*
ram:DeletePolicy acs:ram:*:<AccountId>:policy/<PolicyName>
ram:ListPolicies acs:ram:*:<AccountId>:policy/*
ram:GetPolicy acs:ram:*:<AccountId>:policy/<PolicyName>
ram:CreatePolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:DeletePolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:ListPolicyVersions acs:ram:*:<AccountId>:policy/<PolicyName>
ram:GetPolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:SetDefaultPolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:AttachPolicy
  • Policy: acs:ram:*:system:policy/<PolicyName> or acs:ram:*:<AccountId>:policy/<PolicyName>
  • RAM user: acs:ims:*:<AccountId>:user/*
  • RAM user group: acs:ims:*:<AccountId>:group/*
  • RAM role: acs:ram:*:<AccountId>:role/*
ram:DetachPolicy
  • Policy: acs:ram:*:system:policy/<PolicyName> or acs:ram:*:<AccountId>:policy/<PolicyName>
  • RAM user: acs:ims:*:<AccountId>:user/*
  • RAM user group: acs:ims:*:<AccountId>:group/*
  • RAM role: acs:ram:*:<AccountId>:role/*
ram:ListPolicyAttachments acs:ram:*:<AccountId>:*
ram:CreateRole acs:ram:*:<AccountId>:role/*
ram:GetRole acs:ram:*:<AccountId>:role/<RoleName>
ram:ListRoles acs:ram:*:<AccountId>:role/*
ram:UpdateRole acs:ram:*:<AccountId>:role/<RoleName>
ram:DeleteRole acs:ram:*:<AccountId>:role/<RoleName>
ram:CreateServiceLinkedRole acs:ram:*:<AccountId>:role/*
ram:DeleteServiceLinkedRole acs:ram:*:<AccountId>:role/<RoleName>
ram:GetServiceLinkedRoleDeletionStatus acs:ram:*:<AccountId>:role/<RoleName>

Resource Directory

The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Action Resource
resourcemanager:InitResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:DestroyResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:CreateResourceAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:CreateCloudAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:PromoteResourceAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:ResendCreateCloudAccountEmail acs:resourcemanager:*:<AccountId>:*
resourcemanager:ResendPromoteResourceAccountEmail acs:resourcemanager:*:<AccountId>:*
resourcemanager:CancelCreateCloudAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:CancelPromoteResourceAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:RemoveCloudAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:MoveAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListAccountsForParent acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListAccounts acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetPayerForAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:UpdateAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:CreateFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:DeleteFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListFoldersForParent acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListAncestors acs:resourcemanager:*:<AccountId>:*
resourcemanager:UpdateFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:InviteAccountToResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:AcceptHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:CancelHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:DeclineHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListHandshakesForAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListHandshakesForResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListTrustedServiceStatus acs:resourcemanager:*:<AccountId>:*

Resource Sharing

The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Note: An asterisk (*) in the Resource element indicates all resources.

Action Resource
resourcesharing:CreateResourceShare *
resourcesharing:UpdateResourceShare *
resourcesharing:DeleteResourceShare *
resourcesharing:ListResourceShares *
resourcesharing:AssociateResourceShare *
resourcesharing:DisassociateResourceShare *
resourcesharing:ListResourceShareAssociations *
resourcesharing:ListSharedResources *
resourcesharing:ListSharedTargets *

Tag

The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Action Resource
tag:ListTagResources acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
tag:TagResources
  • acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
  • acs:<Product>:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
tag:UntagResources
  • acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
  • acs:<Product>:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
tag:ListTagKeys acs:tag:<RegionId>:<AccountId>:*/*
tag:ListTagValues acs:tag:<RegionId>:<AccountId>:*/*
tag:CreateTags acs:tag:<RegionId>:<AccountId>:*/*
tag:DeleteTag acs:tag:<RegionId>:<AccountId>:*/*