Before a Resource Access Management (RAM) user can call an API operation to access the resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to attach the required permission policy to the RAM user. In the policy, you can specify the authorized API operations in the Action element and authorized resources in the Resource element. Each resource is indicated by its Alibaba Cloud Resource Name (ARN).
Resource Group
The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
---|---|
ram:CreateResourceGroup | acs:ram:*:$AccountId:resourcegroup/* |
ram:DeleteResourceGroup | acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName |
ram:UpdateResourceGroup | acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName |
ram:CreatePolicy | acs:ram:*:$AccountId:policy/* |
ram:DeletePolicy | acs:ram:*:$AccountId:policy/$PolicyName |
ram:ListPolicies | acs:ram:*:$AccountId:policy/* |
ram:GetPolicy | acs:ram:*:$AccountId:policy/$PolicyName |
ram:CreatePolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
ram:DeletePolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
ram:ListPolicyVersions | acs:ram:*:$AccountId:policy/$PolicyName |
ram:GetPolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
ram:SetDefaultPolicyVersion | acs:ram:*:$AccountId:policy/$PolicyName |
ram:AttachPolicy | |
ram:DetachPolicy | |
ram:ListPolicyAttachments | acs:ram:*:$AccountId:* |
ram:CreateRole | acs:ram:*:$AccountId:role/* |
ram:GetRole | acs:ram:*:$AccountId:role/$RoleName |
ram:ListRoles | acs:ram:*:$AccountId:role/* |
ram:UpdateRole | acs:ram:*:$AccountId:role/$RoleName |
ram:DeleteRole | acs:ram:*:$AccountId:role/$RoleName |
ram:CreateServiceLinkedRole | acs:ram:*:$AccountId:role/* |
ram:DeleteServiceLinkedRole | acs:ram:*:$AccountId:role/$RoleName |
ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:$AccountId:role/$RoleName |
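
The following Python example is added here and is not part of the original reference. It checks each Allow statement of a policy against a few ARN formats copied from the table above and reports any Resource that does not match the format listed for the action, such as `*` where a role or policy name can be given. The function names, the account ID and the role name are constructed for illustration, and the `Version`/`Statement`/`Effect` layout is assumed to be the standard RAM policy document structure.

```python
import re

# ARN formats copied from rows of the Resource Group table above.
ARN_FORMATS = {
    "ram:CreateRole": "acs:ram:*:$AccountId:role/*",
    "ram:GetRole": "acs:ram:*:$AccountId:role/$RoleName",
    "ram:DeleteRole": "acs:ram:*:$AccountId:role/$RoleName",
    "ram:DeletePolicy": "acs:ram:*:$AccountId:policy/$PolicyName",
}

def format_to_regex(fmt):
    """$Variable must be filled with a concrete name; '*' in the format stays a literal '*'."""
    parts = re.split(r"(\$\w+)", fmt)
    return re.compile("".join("[^:/*]+" if p.startswith("$") else re.escape(p) for p in parts))

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, action, reason) for each Allow whose Resource does not
    match the table format. Assumes a statement groups actions of one resource type."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            fmt = ARN_FORMATS.get(action)
            if fmt is None:
                findings.append((i, action, "wildcard or unlisted action"))
                continue
            for res in as_list(stmt["Resource"]):
                if not format_to_regex(fmt).fullmatch(res):
                    findings.append((i, action, f"{res} does not match {fmt}"))
    return findings

# Constructed sample policy; the account ID and role name are made up.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ram:GetRole", "ram:DeleteRole"],
         "Resource": "acs:ram:*:1234567890123456:role/app-deployer"},
        {"Effect": "Allow", "Action": "ram:DeletePolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:*", "Resource": "acs:ram:*:1234567890123456:*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```
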
Resource Directory
The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
---|---|
resourcemanager:InitResourceDirectory | acs:resourcemanager:*:$AccountId:* |
resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:$AccountId:* |
resourcemanager:GetResourceDirectory | acs:resourcemanager:*:$AccountId:* |
resourcemanager:CreateResourceAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:CreateCloudAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ResendCreateCloudAccountEmail | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ResendPromoteResourceAccountEmail | acs:resourcemanager:*:$AccountId:* |
resourcemanager:CancelCreateCloudAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:CancelPromoteResourceAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:GetAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:MoveAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListAccountsForParent | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListAccounts | acs:resourcemanager:*:$AccountId:* |
resourcemanager:GetPayerForAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:UpdateAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:CreateFolder | acs:resourcemanager:*:$AccountId:* |
resourcemanager:DeleteFolder | acs:resourcemanager:*:$AccountId:* |
resourcemanager:GetFolder | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListFoldersForParent | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListAncestors | acs:resourcemanager:*:$AccountId:* |
resourcemanager:UpdateFolder | acs:resourcemanager:*:$AccountId:* |
resourcemanager:InviteAccountToResourceDirectory | acs:resourcemanager:*:$AccountId:* |
resourcemanager:GetHandshake | acs:resourcemanager:*:$AccountId:* |
resourcemanager:AcceptHandshake | acs:resourcemanager:*:$AccountId:* |
resourcemanager:CancelHandshake | acs:resourcemanager:*:$AccountId:* |
resourcemanager:DeclineHandshake | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:$AccountId:* |
resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:$AccountId:* |
Resource Sharing
The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
---|---|
resourcesharing:CreateResourceShare | * |
resourcesharing:UpdateResourceShare | * |
resourcesharing:DeleteResourceShare | * |
resourcesharing:ListResourceShares | * |
resourcesharing:AssociateResourceShare | * |
resourcesharing:DisassociateResourceShare | * |
resourcesharing:ListResourceShareAssociations | * |
resourcesharing:ListSharedResources | * |
resourcesharing:ListSharedTargets | * |
Tag
The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
---|---|
tag:ListTagResources | acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId |
tag:TagResources | |
tag:UntagResources | |
tag:ListTagKeys | acs:tag:$RegionId:$AccountId:*/* |
tag:ListTagValues | acs:tag:$RegionId:$AccountId:*/* |