Before a Resource Access Management (RAM) user can call an API operation to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to attach the required permission policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).

Resource Group

The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Action Resource
ram:CreateResourceGroup acs:ram:*:$AccountId:resourcegroup/*
ram:DeleteResourceGroup acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName
ram:UpdateResourceGroup acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName
ram:CreatePolicy acs:ram:*:$AccountId:policy/*
ram:DeletePolicy acs:ram:*:$AccountId:policy/$PolicyName
ram:ListPolicies acs:ram:*:$AccountId:policy/*
ram:GetPolicy acs:ram:*:$AccountId:policy/$PolicyName
ram:CreatePolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:DeletePolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:ListPolicyVersions acs:ram:*:$AccountId:policy/$PolicyName
ram:GetPolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:SetDefaultPolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:AttachPolicy
  • Policy: acs:ram:*:system:policy/$PolicyName or acs:ram:*:$AccountId:policy/$PolicyName
  • RAM user: acs:ims:*:$AccountId:user/*
  • RAM user group: acs:ims:*:$AccountId:group/*
  • RAM role: acs:ram:*:$AccountId:role/*
ram:DetachPolicy
  • Policy: acs:ram:*:system:policy/$PolicyName or acs:ram:*:$AccountId:policy/$PolicyName
  • RAM user: acs:ims:*:$AccountId:user/*
  • RAM user group: acs:ims:*:$AccountId:group/*
  • RAM role: acs:ram:*:$AccountId:role/*
ram:ListPolicyAttachments acs:ram:*:$AccountId:*
ram:CreateRole acs:ram:*:$AccountId:role/*
ram:GetRole acs:ram:*:$AccountId:role/$RoleName
ram:ListRoles acs:ram:*:$AccountId:role/*
ram:UpdateRole acs:ram:*:$AccountId:role/$RoleName
ram:DeleteRole acs:ram:*:$AccountId:role/$RoleName
ram:CreateServiceLinkedRole acs:ram:*:$AccountId:role/*
ram:DeleteServiceLinkedRole acs:ram:*:$AccountId:role/$RoleName
ram:GetServiceLinkedRoleDeletionStatus acs:ram:*:$AccountId:role/$RoleName
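
As an added example (not part of the original page and not Alibaba Cloud code), the following Python lint compares the Resource values of Allow statements in a policy document with a subset of the ARN formats listed above. It checks formats only and does not reproduce RAM's evaluation logic; the account ID, role names and finding labels are constructed for illustration.

```python
import re

# Subset of the rows above: action -> documented Resource ARN formats.
DOCUMENTED = {
    "ram:GetRole": ["acs:ram:*:$AccountId:role/$RoleName"],
    "ram:DeleteRole": ["acs:ram:*:$AccountId:role/$RoleName"],
    "ram:AttachPolicy": [
        "acs:ram:*:system:policy/$PolicyName",
        "acs:ram:*:$AccountId:policy/$PolicyName",
        "acs:ims:*:$AccountId:user/*",
        "acs:ims:*:$AccountId:group/*",
        "acs:ram:*:$AccountId:role/*",
    ],
}

def to_regex(template):
    """Compile a documented format; each $Placeholder or * stands for one value."""
    tokens = re.split(r"(\$[A-Za-z]+|\*)", template)
    return re.compile("".join(
        r"[^:/]+" if t[:1] in ("$", "*") else re.escape(t) for t in tokens))

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy):
    """Return (action, resource, finding) for each questionable Allow grant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            for res in as_list(stmt.get("Resource", [])):
                if action not in DOCUMENTED:
                    findings.append((action, res, "action-not-in-table"))
                elif res == "*":
                    findings.append((action, res, "all-resources"))
                elif not any(to_regex(t).fullmatch(res) for t in DOCUMENTED[action]):
                    findings.append((action, res, "format-mismatch"))
    return findings

# Constructed sample policy; the account ID and role names are made up.
ACCT = "1234567890123456"
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:GetRole", "Resource": f"acs:ram:*:{ACCT}:role/app-reader"},
    {"Effect": "Allow", "Action": ["ram:DeleteRole"], "Resource": [f"acs:ram:*:{ACCT}:policy/app-reader"]},
    {"Effect": "Allow", "Action": "ram:AttachPolicy", "Resource": "*"},
]}

if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```

A `format-mismatch` finding usually means the statement does not grant what its author intended, while `all-resources` marks a grant that is broader than the per-resource formats in the table require.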

Resource Directory

The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Action Resource
resourcemanager:InitResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:DestroyResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:GetResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:CreateResourceAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:CreateCloudAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:PromoteResourceAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:ResendCreateCloudAccountEmail acs:resourcemanager:*:$AccountId:*
resourcemanager:ResendPromoteResourceAccountEmail acs:resourcemanager:*:$AccountId:*
resourcemanager:CancelCreateCloudAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:CancelPromoteResourceAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:RemoveCloudAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:GetAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:MoveAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:ListAccountsForParent acs:resourcemanager:*:$AccountId:*
resourcemanager:ListAccounts acs:resourcemanager:*:$AccountId:*
resourcemanager:GetPayerForAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:UpdateAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:CreateFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:DeleteFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:GetFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:ListFoldersForParent acs:resourcemanager:*:$AccountId:*
resourcemanager:ListAncestors acs:resourcemanager:*:$AccountId:*
resourcemanager:UpdateFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:InviteAccountToResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:GetHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:AcceptHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:CancelHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:DeclineHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:ListHandshakesForAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:ListHandshakesForResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:ListTrustedServiceStatus acs:resourcemanager:*:$AccountId:*

Resource Sharing

The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Note: An asterisk (*) in the Resource element indicates all resources.

Action Resource
resourcesharing:CreateResourceShare *
resourcesharing:UpdateResourceShare *
resourcesharing:DeleteResourceShare *
resourcesharing:ListResourceShares *
resourcesharing:AssociateResourceShare *
resourcesharing:DisassociateResourceShare *
resourcesharing:ListResourceShareAssociations *
resourcesharing:ListSharedResources *
resourcesharing:ListSharedTargets *

Tag

The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

Action Resource
tag:ListTagResources acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:TagResources
  • acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
  • acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:UntagResources
  • acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
  • acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:ListTagKeys acs:tag:$RegionId:$AccountId:*/*
tag:ListTagValues acs:tag:$RegionId:$AccountId:*/*