Before you call an Alibaba Cloud API by using a RAM user, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you use a RAM user to call an API, you must grant the RAM user account the permission to call the API by creating an authorization policy and attaching the policy to the RAM user account.

When you create the authorization policy, you can specify the resource by its Alibaba Resource Name (ARN). An ARN is used to identify the resource for authorization.

The ARN format is described as follows:



  • acs: the abbreviation for Alibaba Cloud Service.
  • service-name: the name of an Alibaba Cloud service, such as ecs, oss, and slb.
  • region: the region where the service resides. If this option is not supported, use the asterisk (*) wildcard instead.

  • account-id: the ID of the user account, such as 1234567890123456.

  • resource-relative-id: the specific description of a resource. The description varies by service. For more information, see the documentation of each service.

    For example, acs:oss:1234567890123456:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in Alibaba Could Object Storage Service (OSS) and 1234567890123456 indicates the ID of the user that the resource belongs to.

Resource types

Resource type ARN format
Single cluster
"Resource": [
     "acs:cs:*:*:cluster/The ID of the cluster."
"Resource": [
     "acs:cs:*:*:cluster/The ID of the cluster.",
     "acs:cs:*:*:cluster/The ID of the cluster."
Multiple clusters
All clusters
"Resource": [

API operations

The following table lists the operations that users can be authorized to call.

Table 1. RAM actions
Action Description
CreateCluster Create clusters.
ScaleOutCluster Expand clusters.
AttachInstances Add existing ECS instances to clusters.
DescribeClusterAttachScripts Query scripts for manually adding nodes to clusters.
DescribeClusterUserKubeconfig Query cluster kubeconfig.
ModifyClusterTags Modify cluster tags.
DescribeClusterDetail Query cluster details.
DescribeClusters Query all clusters.
DeleteClusterNodes Delete cluster nodes.
DeleteCluster Delete clusters.
DescribeClusterAddonUpgradeStatus Query upgrade status of cluster addons.
UnInstallClusterAddons Uninstall cluster addons.
DescribeClusterAddonsVersion Query cluster addon details.
ListTagResources List tag resources.
CancelClusterUpgrade Cancel cluster upgrade.
CreateTemplate Create deployment templates.
DeleteTemplate Delete deployment templates.
CreateTriggerHook Create triggers for applications.
DeleteTriggerHook Delete triggers for applications.
DescribeClusterLogs Query cluster logs.
DescribeExternalAgent Query external agents.
DescribeTemplates Query deployment templates.
DescribeUserQuota Query user quota.
GetUpgradeStatus Query upgrade status of clusters.
InstallClusterAddons Install cluster addons.
ModifyCluster Modify clusters.
PauseClusterUpgrade Pause cluster upgrade
RemoveClusterNodes Remove cluster nodes.
ResumeUpgradeCluster Resume upgrade clusters.
UpdateTemplate Update deployment templates.
UpgradeCluster Upgrade clusters.
DescribeClusterNodes Query cluster nodes.
UpgradeClusterAddons Upgrade cluster addons.