Before you call a Resource Management API operation as a RAM user, you must use an Alibaba Cloud account to create an authorization policy and attach the policy to the RAM user to assign permissions to the RAM user. In the authorization policy, you can use Alibaba Cloud Resource Names (ARNs) to specify the resources that can be accessed by the RAM user.
Resource Group API operations that can be authorized
The following table lists the Resource Group API operations that can be authorized and their ARN formats.
| Operation | ARN format |
|---|---|
| ram:CreateResourceGroup | acs:ram:*:$AccountId:resourcegroup/* |
| ram:DeleteResourceGroup | acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName |
| ram:UpdateResourceGroup | acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName |
| ram:CreatePolicy | acs:ram:*:$AccountId:policy/* |
| ram:DeletePolicy | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:ListPolicies | acs:ram:*:$AccountId:policy/* |
| ram:GetPolicy | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:CreatePolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:DeletePolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:ListPolicyVersions | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:GetPolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:SetDefaultPolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
| ram:AttachPolicy |
|
| ram:DetachPolicy |
|
| ram:ListPolicyAttachments | acs:ram:*:$AccountId:* |
| ram:CreateRole | acs:ram:*:$AccountId:role/* |
| ram:GetRole | acs:ram:*:$AccountId:role/$RoleName |
| ram:ListRoles | acs:ram:*:$AccountId:role/* |
| ram:UpdateRole | acs:ram:*:$AccountId:role/$RoleName |
| ram:DeleteRole | acs:ram:*:$AccountId:role/$RoleName |
| ram:CreateServiceLinkedRole | acs:ram:*:$AccountId:role/* |
| ram:DeleteServiceLinkedRole | acs:ram:*:$AccountId:role/$RoleName |
| ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:$AccountId:role/$RoleName |
Resource Directory API operations that can be authorized
The following table lists the Resource Directory API operations that can be authorized and their ARN formats.
| Operation | ARN format |
|---|---|
| resourcemanager:InitResourceDirectory | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:GetResourceDirectory | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:CreateResourceAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:CreateCloudAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ResendCreateCloudAccountEmail | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ResendPromoteResourceAccountEmail | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:CancelCreateCloudAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:CancelPromoteResourceAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:GetAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:MoveAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListAccountsForParent | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListAccounts | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:GetPayerForAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:UpdateAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:CreateFolder | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:DeleteFolder | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:GetFolder | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListFoldersForParent | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListAncestors | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:UpdateFolder | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:InviteAccountToResourceDirectory | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:GetHandshake | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:AcceptHandshake | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:CancelHandshake | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:DeclineHandshake | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:$AccountId:* |
| resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:$AccountId:* |
Tag API operations that can be authorized
The following table lists the Tag API operations that can be authorized and their ARN formats.
| Operation | ARN format |
|---|---|
| tag:ListTagResources | acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId |
| tag:TagResources |
|
| tag:UntagResources |
|
| tag:ListTagKeys | acs:tag:$RegionId:$AccountId:*/* |
| tag:ListTagValues | acs:tag:$RegionId:$AccountId:*/* |