Before you use a RAM user to call the API operations of Resource Management to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create and attach the required policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).
The following list describes the variables that you can specify in a policy. Replace the variables with actual values.
- <AccountId>: the ID of an Alibaba Cloud account
- <ResourceGroupName>: the name of a resource group
- <PolicyName>: the name of a policy
- <RoleName>: the name of a RAM role
- <ResourceType>: the resource type
- <ResourceId>: the ID of a resource
- <RegionId>: the region ID
- <Product>: the code of a service
Resource Group
The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
| Action | Resource |
|---|---|
| ram:CreateResourceGroup | acs:ram:*:<AccountId>:resourcegroup/* |
| ram:DeleteResourceGroup | acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName> |
| ram:UpdateResourceGroup | acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName> |
| ram:CreatePolicy | acs:ram:*:<AccountId>:policy/* |
| ram:DeletePolicy | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:ListPolicies | acs:ram:*:<AccountId>:policy/* |
| ram:GetPolicy | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:CreatePolicyVersion | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:DeletePolicyVersion | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:ListPolicyVersions | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:GetPolicyVersion | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:SetDefaultPolicyVersion | acs:ram:*:<AccountId>:policy/<PolicyName> |
| ram:AttachPolicy |
|
| ram:DetachPolicy |
|
| ram:ListPolicyAttachments | acs:ram:*:<AccountId>:* |
| ram:CreateRole | acs:ram:*:<AccountId>:role/* |
| ram:GetRole | acs:ram:*:<AccountId>:role/<RoleName> |
| ram:ListRoles | acs:ram:*:<AccountId>:role/* |
| ram:UpdateRole | acs:ram:*:<AccountId>:role/<RoleName> |
| ram:DeleteRole | acs:ram:*:<AccountId>:role/<RoleName> |
| ram:CreateServiceLinkedRole | acs:ram:*:<AccountId>:role/* |
| ram:DeleteServiceLinkedRole | acs:ram:*:<AccountId>:role/<RoleName> |
| ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:<AccountId>:role/<RoleName> |
Resource Directory
The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
| Action | Resource |
|---|---|
| resourcemanager:InitResourceDirectory | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:GetResourceDirectory | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:CreateResourceAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:CreateCloudAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ResendCreateCloudAccountEmail | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ResendPromoteResourceAccountEmail | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:CancelCreateCloudAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:CancelPromoteResourceAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:GetAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:MoveAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListAccountsForParent | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListAccounts | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:GetPayerForAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:UpdateAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:CreateFolder | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:DeleteFolder | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:GetFolder | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListFoldersForParent | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListAncestors | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:UpdateFolder | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:InviteAccountToResourceDirectory | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:GetHandshake | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:AcceptHandshake | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:CancelHandshake | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:DeclineHandshake | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:<AccountId>:* |
| resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:<AccountId>:* |
Resource Sharing
The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
| Action | Resource |
|---|---|
| resourcesharing:CreateResourceShare | * |
| resourcesharing:UpdateResourceShare | * |
| resourcesharing:DeleteResourceShare | * |
| resourcesharing:ListResourceShares | * |
| resourcesharing:AssociateResourceShare | * |
| resourcesharing:DisassociateResourceShare | * |
| resourcesharing:ListResourceShareAssociations | * |
| resourcesharing:ListSharedResources | * |
| resourcesharing:ListSharedTargets | * |
Tag
The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
| Action | Resource |
|---|---|
| tag:ListTagResources | acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId> |
| tag:TagResources |
|
| tag:UntagResources |
|
| tag:ListTagKeys | acs:tag:<RegionId>:<AccountId>:*/* |
| tag:ListTagValues | acs:tag:<RegionId>:<AccountId>:*/* |
| tag:CreateTags | acs:tag:<RegionId>:<AccountId>:*/* |
| tag:DeleteTag | acs:tag:<RegionId>:<AccountId>:*/* |