Before a RAM user can call a Resource Management API operation, you must use an Alibaba Cloud account to create an authorization policy and attach it to the RAM user to grant the required permissions. In the authorization policy, you can use Alibaba Cloud Resource Names (ARNs) to specify the resources that the RAM user can access.

Resource Group API operations that can be authorized

The following table lists the Resource Group API operations that can be authorized and their ARN formats.

| Operation | ARN format |
| --- | --- |
| `ram:CreateResourceGroup` | `acs:ram:*:$AccountId:resourcegroup/*` |
| `ram:DeleteResourceGroup` | `acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName` |
| `ram:UpdateResourceGroup` | `acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName` |
| `ram:CreatePolicy` | `acs:ram:*:$AccountId:policy/*` |
| `ram:DeletePolicy` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:ListPolicies` | `acs:ram:*:$AccountId:policy/*` |
| `ram:GetPolicy` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:CreatePolicyVersion` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:DeletePolicyVersion` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:ListPolicyVersions` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:GetPolicyVersion` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:SetDefaultPolicyVersion` | `acs:ram:*:$AccountId:policy/$PolicyName` |
| `ram:AttachPolicy` | Policy: `acs:ram:*:system:policy/$PolicyName` or `acs:ram:*:$AccountId:policy/$PolicyName`; RAM user: `acs:ims:*:$AccountId:user/*`; RAM user group: `acs:ims:*:$AccountId:group/*`; RAM role: `acs:ram:*:$AccountId:role/*` |
| `ram:DetachPolicy` | Policy: `acs:ram:*:system:policy/$PolicyName` or `acs:ram:*:$AccountId:policy/$PolicyName`; RAM user: `acs:ims:*:$AccountId:user/*`; RAM user group: `acs:ims:*:$AccountId:group/*`; RAM role: `acs:ram:*:$AccountId:role/*` |
| `ram:ListPolicyAttachments` | `acs:ram:*:$AccountId:*` |
| `ram:CreateRole` | `acs:ram:*:$AccountId:role/*` |
| `ram:GetRole` | `acs:ram:*:$AccountId:role/$RoleName` |
| `ram:ListRoles` | `acs:ram:*:$AccountId:role/*` |
| `ram:UpdateRole` | `acs:ram:*:$AccountId:role/$RoleName` |
| `ram:DeleteRole` | `acs:ram:*:$AccountId:role/$RoleName` |
| `ram:CreateServiceLinkedRole` | `acs:ram:*:$AccountId:role/*` |
| `ram:DeleteServiceLinkedRole` | `acs:ram:*:$AccountId:role/$RoleName` |
| `ram:GetServiceLinkedRoleDeletionStatus` | `acs:ram:*:$AccountId:role/$RoleName` |

Resource Directory API operations that can be authorized

The following table lists the Resource Directory API operations that can be authorized and their ARN formats.

| Operation | ARN format |
| --- | --- |
| `resourcemanager:InitResourceDirectory` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:DestroyResourceDirectory` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:GetResourceDirectory` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:CreateResourceAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:CreateCloudAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:PromoteResourceAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ResendCreateCloudAccountEmail` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ResendPromoteResourceAccountEmail` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:CancelCreateCloudAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:CancelPromoteResourceAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:RemoveCloudAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:GetAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:MoveAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListAccountsForParent` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListAccounts` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:GetPayerForAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:UpdateAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:CreateFolder` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:DeleteFolder` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:GetFolder` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListFoldersForParent` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListAncestors` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:UpdateFolder` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:InviteAccountToResourceDirectory` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:GetHandshake` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:AcceptHandshake` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:CancelHandshake` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:DeclineHandshake` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListHandshakesForAccount` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListHandshakesForResourceDirectory` | `acs:resourcemanager:*:$AccountId:*` |
| `resourcemanager:ListTrustedServiceStatus` | `acs:resourcemanager:*:$AccountId:*` |

Tag API operations that can be authorized

The following table lists the Tag API operations that can be authorized and their ARN formats.

| Operation | ARN format |
| --- | --- |
| `tag:ListTagResources` | `acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId` |
| `tag:TagResources` | `acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId`; `acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId` |
| `tag:UntagResources` | `acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId`; `acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId` |
| `tag:ListTagKeys` | `acs:tag:$RegionId:$AccountId:*/*` |
| `tag:ListTagValues` | `acs:tag:$RegionId:$AccountId:*/*` |
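
A least-privilege check built on the ARN formats in the tables above, as an added example (not Alibaba Cloud code): it flags Allow statements whose Resource is `*`, whose Resource leaves a named placeholder such as `$ResourceGroupName` as a wildcard, or whose Resource does not follow the format listed for the action. The function names, the account ID and the resource names are constructed, only a subset of the table rows is embedded, and wildcard actions such as `ram:*` are not expanded.

```python
import re

# Subset of the operation -> ARN format rows from the tables on this page.
ARN_FORMATS = {
    "ram:UpdateResourceGroup": "acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName",
    "ram:DeleteResourceGroup": "acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName",
    "ram:DeletePolicy": "acs:ram:*:$AccountId:policy/$PolicyName",
    "resourcemanager:GetFolder": "acs:resourcemanager:*:$AccountId:*",
}

def as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def check_resource(action, resource):
    fmt = ARN_FORMATS.get(action)
    if fmt is None:
        return [f"{action}: no ARN format embedded for this action"]
    if resource == "*":
        return [f"{action}: Resource '*' covers every resource, expected {fmt}"]
    # Literals (including '*') must match exactly; each $Placeholder captures a segment.
    tokens = re.split(r"(\$[A-Za-z]+)", fmt)
    pattern = "".join("([^:/]+)" if t.startswith("$") else re.escape(t) for t in tokens)
    match = re.fullmatch(pattern, resource)
    if match is None:
        return [f"{action}: {resource} does not follow {fmt}"]
    names = [t for t in tokens if t.startswith("$")]
    return [f"{action}: {name} is wildcarded in {resource}"
            for name, value in zip(names, match.groups()) if "*" in value]

def lint_policy(policy):
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # only grants are checked for over-broad resources
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                findings.extend(check_resource(action, resource))
    return findings

# Constructed sample policy; the account ID and resource names are made up.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:UpdateResourceGroup",
     "Resource": "acs:ram:*:1234567890123456:resourcegroup/prod"},
    {"Effect": "Allow", "Action": ["ram:DeleteResourceGroup", "ram:DeletePolicy"],
     "Resource": ["acs:ram:*:1234567890123456:resourcegroup/*"]},
    {"Effect": "Allow", "Action": "resourcemanager:GetFolder", "Resource": "*"},
]}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))
```
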