Before you create or update a custom access control policy, you must understand the basic elements and usage rules of the languages for access control policies.
| Element | Description |
|---|---|
| Effect | Specifies whether an access control policy results in an explicit allow or an explicit deny. Valid values: Allow and Deny. Note: You can set Effect only to Deny for custom access control policies. |
| Action | Describes one or more operations that are allowed or not allowed for a resource. |
| Resource | Specifies one or more objects that an access control policy covers. |
| Condition | Specifies the conditions that are required for an access control policy to take effect. |
Rules for using policy elements
Effect

- Valid values are Allow and Deny. Note: You can set Effect only to Deny for custom access control policies.

Action

- You can specify multiple values for this element. Valid values are the names of API operations from Alibaba Cloud services. Note: In most cases, each Alibaba Cloud service has its own set of API operations. For more information, see the documentation of each Alibaba Cloud service.
- Each value consists of a ram-code part and an action-name part, separated by a colon:
  - ram-code: the Resource Access Management (RAM) code of an Alibaba Cloud service. For more information about the RAM code of each Alibaba Cloud service, see the RAM code column in Alibaba Cloud services that support control policies.
  - action-name: the name of an API operation.
- Example: "Action": ["actiontrail:DeleteTrail", "ecs:DeleteInstance*"].

Resource

- Specifies one or more objects that an access control policy covers.
- Format: acs:<ram-code>:<region>:<account-id>:<relative-id>. The syntax is the same as the format of an Alibaba Cloud Resource Name (ARN), where:
  - acs: the abbreviation of Alibaba Cloud Service, which indicates the public cloud offerings of Alibaba Cloud.
  - ram-code: the RAM code of an Alibaba Cloud service. For more information about the RAM code of each Alibaba Cloud service, see the RAM code column in Alibaba Cloud services that support control policies.
  - region: the region where the service resides. You can specify an asterisk (*) for this field.
  - account-id: the ID of an Alibaba Cloud account. Example: 123456789012****. You can specify an asterisk (*) for this field.
  - relative-id: the ID of the service-related resource. What this field identifies varies by service. Its format is similar to a file path.
- Example: "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002"].

Condition

- A condition block contains one or more conditions. Each condition consists of operators, keys, and values.
- You can specify one or more values for a condition key. If the value in a request matches any one of the values, the condition is met.
- You can specify one or more condition keys for a single condition operator in a condition. The condition is met only if the requirements for all of the keys are met.
- A condition block is met only if all of its conditions are met.
- Condition operators fall into five categories: string, numeric, date and time, Boolean (the Bool operator), and IP address.
- Common condition keys carry the acs: prefix, as in acs:SourceIp. The common keys, by category:

| Category | Description |
|---|---|
| Date and time | The time when the web server receives a request. Specify the time in the ISO 8601 format. |
| Boolean | Specifies whether a secure channel is used to send a request, for example, whether the request is sent over HTTPS. |
| IP address | The IP address of the client that sends a request. Note: If you specify only one value for the acs:SourceIp key, the value must be a specific IP address, such as 10.0.0.1. CIDR blocks such as 10.0.0.1/32 cannot be used. |
| Boolean | Specifies whether a user completed multi-factor authentication (MFA) during logon. |
| String | Specifies the identity of an object that performs an operation. Example: acs:ram:*:*:role/*resourcedirectory*. Note: You can specify an ARN only for a specified RAM role. The name can contain only lowercase letters. You can view the ARN of a RAM role on the role details page in the RAM console. |
- Condition keys that are specific to an Alibaba Cloud service carry the RAM code of that service as the prefix. Service-specific keys, by service:

| Alibaba Cloud service | Category | Description |
|---|---|---|
| ECS | String | The tag key of Elastic Compute Service (ECS) resources. This key can be customized. |
| RDS | String | The tag key of ApsaraDB RDS resources. This key can be customized. |
The syntax and structure of access control policies are similar to those of permission policies in RAM. For more information, see Policy structure and syntax.