Before you call the API operations provided by Cloud Config as a RAM user, you must use your Alibaba Cloud account to create a custom policy and attach the policy to the RAM user to grant permissions. Alibaba Cloud Resource Names (ARNs) are used to specify resources in policies.

ARN format

ARN format: acs:config:*:{AccountId}:*

The following table describes the parameters included in the ARN format.
Parameter Description
acs The acronym of Alibaba Cloud Service.
config The alias of Cloud Config.
* The region to which the current policy applies. In Cloud Config, you must specify this part as an asterisk (*).
{AccountId} The account ID of the RAM user to be authorized. Example: 171322098523****.
* The description of the resource permissions on which are to be granted to the RAM user. In Cloud Config, you must specify this part as an asterisk (*).

Note

The following list shows the formats required when you set the Action and Resource fields in a custom policy for Cloud Config.
  • Action: config: API operation name
  • Resource: acs:config:*:{AccountId}:*

For example, to authorize a RAM user to call the CreateConfigRule operation, you must set the Action field to config:CreateConfigRule and the Resource field to acs:config:*:{AccountId}:* in the policy.