Resource Management: RAM authorization

Last Updated: Mar 14, 2024

Before you use a RAM user to call the API operations of Resource Management to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create and attach the required policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).

The following list describes the variables that are involved in the Resource element of a policy. Replace the variables with actual values.

  • <account_id>: the ID of an Alibaba Cloud account.

  • <resourcegroup_id>: the ID of a resource group.

  • <policy_name>: the name of a policy.

  • <role_name>: the name of a RAM role.

  • <resource_type>: the type of a resource.

  • <resource_id>: the ID of a resource.

  • <region_id>: the region ID.

  • <product>: the code of a service.

  • <handshake_id>: the ID of an invitation.

  • <policy_id>: the ID of an access control policy.

  • <resource_directory_path>: the RDPath of a folder or member, which indicates the location of a folder or member in a resource directory.

  • <contact_id>: the ID of a contact.

The required resource types are displayed in bold.
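A least-privilege check built on the ARN formats that the tables on this page list, as an added example (not Alibaba Cloud code): it flags every Allow statement that grants a documented action on a Resource broader than the documented format. The `Version`/`Statement`/`Effect` layout is the standard RAM policy document shape; the function names, the account ID and the RDPath are constructed for illustration.

```python
import fnmatch
import re

# ARN formats copied from the tables on this page (a subset, for illustration).
DOCUMENTED = {
    "ram:DeleteResourceGroup": "acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>",
    "resourcemanager:GetFolder": "acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>",
    "resourcemanager:ListAccounts": "acs:resourcemanager:*:<account_id>:account/*",
    "resourcemanager:DeleteAccount": "acs:resourcemanager:*:<account_id>:account/<resource_directory_path>",
}

def format_regex(template):
    """Each <variable> must be a concrete value (no ':' or '*');
    a '*' that the page itself lists stays a literal '*'."""
    parts = re.split(r"(<[a-z_]+>)", template)
    return re.compile("".join("[^:*]+" if p.startswith("<") else re.escape(p) for p in parts))

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit(policy):
    """Return (action, resource) pairs where an Allow statement grants a documented
    action on a Resource that is not a concrete instance of its documented format.
    Deny statements and conditions are not evaluated."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in as_list(stmt["Action"]):
            for action, template in DOCUMENTED.items():
                if not fnmatch.fnmatchcase(action, pattern):
                    continue  # this statement does not grant the documented action
                for resource in as_list(stmt["Resource"]):
                    if not format_regex(template).fullmatch(resource):
                        findings.append((action, resource))
    return findings

# Constructed sample policies; the account ID and RDPath are placeholder values.
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "resourcemanager:*", "Resource": "*"}]}
SCOPED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "resourcemanager:GetFolder",
     "Resource": "acs:resourcemanager:*:1234567890123456:folder/rd-EXAMPLE/r-EXAMPLE/fd-EXAMPLE"},
    {"Effect": "Allow", "Action": "resourcemanager:ListAccounts",
     "Resource": "acs:resourcemanager:*:1234567890123456:account/*"}]}
```

`audit(BROAD)` reports the three Resource Directory actions granted on `*`, while `audit(SCOPED)` returns an empty list because each Resource is a concrete instance of the documented format.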

Resource Group

The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

| Action | Resource |
| --- | --- |
| ram:CreateResourceGroup | acs:ram:*:<account_id>:resourcegroup/* |
| ram:DeleteResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
| ram:UpdateResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
| ram:CreatePolicy | acs:ram:*:<account_id>:policy/* |
| ram:DeletePolicy | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:ListPolicies | acs:ram:*:<account_id>:policy/* |
| ram:GetPolicy | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:CreatePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:DeletePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:ListPolicyVersions | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:GetPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:SetDefaultPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:AttachPolicy | Policy: acs:ram:*:system:policy/<policy_name> or acs:ram:*:<account_id>:policy/<policy_name>; RAM user: acs:ims:*:<account_id>:user/*; RAM user group: acs:ims:*:<account_id>:group/*; RAM role: acs:ram:*:<account_id>:role/* |
| ram:DetachPolicy | Policy: acs:ram:*:system:policy/<policy_name> or acs:ram:*:<account_id>:policy/<policy_name>; RAM user: acs:ims:*:<account_id>:user/*; RAM user group: acs:ims:*:<account_id>:group/*; RAM role: acs:ram:*:<account_id>:role/* |
| ram:ListPolicyAttachments | acs:ram:*:<account_id>:* |
| ram:CreateRole | acs:ram:*:<account_id>:role/* |
| ram:GetRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:ListRoles | acs:ram:*:<account_id>:role/* |
| ram:UpdateRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:DeleteRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:CreateServiceLinkedRole | acs:ram:*:<account_id>:role/* |
| ram:DeleteServiceLinkedRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:<account_id>:role/<role_name> |

Resource Directory

The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

| Action | Resource |
| --- | --- |
| resourcemanager:AcceptHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:AttachControlPolicy | Access control policy: acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>; Member: acs:resourcemanager:*:<account_id>:account/<resource_directory_path>; Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:BindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:CancelHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:CheckAccountDelete | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:CreateCloudAccount | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:CreateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:CreateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:CreateResourceAccount | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:DeclineHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:DeleteAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:DeleteControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:DeleteFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:DeregisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:DetachControlPolicy | Access control policy: acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>; Member: acs:resourcemanager:*:<account_id>:account/<resource_directory_path>; Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:DisableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:EnableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:EnableResourceDirectory | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:GetAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetAccountDeletionCheckResult | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetAccountDeletionStatus | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:GetControlPolicyEnablementStatus | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:GetFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:GetHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:GetPayerForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetResourceDirectory | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:InviteAccountToResourceDirectory | Invitation: acs:resourcemanager:*:<account_id>:handshake/*; Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:ListAccounts | acs:resourcemanager:*:<account_id>:account/* |
| resourcemanager:ListAccountsForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:ListAncestors | acs:resourcemanager:*:<account_id>:folder/* |
| resourcemanager:ListControlPolicies | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:ListControlPolicyAttachmentsForTarget | Access control policy: acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>; Member: acs:resourcemanager:*:<account_id>:account/<resource_directory_path>; Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:ListDelegatedAdministrators | acs:resourcemanager:*:<account_id>:account/* |
| resourcemanager:ListDelegatedServicesForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:ListFoldersForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:<account_id>:handshake/* |
| resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:<account_id>:handshake/* |
| resourcemanager:ListTagKeys | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:ListTagResources | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:ListTagValues | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:ListTargetAttachmentsForControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:MoveAccount | Member: acs:resourcemanager:*:<account_id>:account/<resource_directory_path>; Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:RegisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:SendVerificationCodeForBindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:SendVerificationCodeForEnableRD | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:TagResources | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:UntagResources | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:UpdateAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:UpdateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:UpdateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:AddMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/* |
| resourcemanager:CancelMessageContactUpdate | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:DeleteMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:GetMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:GetMessageContactDeletionStatus | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:ListMessageContacts | acs:resourcemanager:*:<account_id>:messagecontact/* |
| resourcemanager:ListMessageContactVerifications | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:SendEmailVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:SendPhoneVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:UpdateMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:AssociateMembers | Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>; Member: acs:resourcemanager:*:<account_id>:account/<resource_directory_path>; Contact: acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:DisassociateMembers | Folder: acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>; Member: acs:resourcemanager:*:<account_id>:account/<resource_directory_path>; Contact: acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
| resourcemanager:CancelChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:ChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:RetryChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:PrecheckForConsolidatedBillingAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |

Resource Sharing

The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

| Action | Resource |
| --- | --- |
| resourcesharing:EnableSharingWithResourceDirectory | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:CreateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:UpdateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DeleteResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceShares | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:AssociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DisassociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceShareAssociations | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListSharedResources | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListSharedTargets | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DescribeRegions | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceShareInvitations | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:AcceptResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:RejectResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:AssociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DisassociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceSharePermissions | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:GetPermission | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListPermissionVersions | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListPermissions | acs:resourcesharing:<region_id>:<account_id>:* |

Tag

The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.

| Action | Resource |
| --- | --- |
| tag:ListTagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id> |
| tag:TagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>; acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id> |
| tag:UntagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>; acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id> |
| tag:ListTagKeys | acs:tag:<region_id>:<account_id>:*/* |
| tag:ListTagValues | acs:tag:<region_id>:<account_id>:*/* |
| tag:CreateTags | acs:tag:<region_id>:<account_id>:*/* |
| tag:DeleteTag | acs:tag:<region_id>:<account_id>:*/* |