This topic lists the values of Action and Resource parameters that are used to implement RAM authentication. You can use the ECS console or call ECS API operations to authenticate team or department members, RAM users, and RAM roles, and implement authorization across cloud services. These parameters are suitable for scenarios where custom policies must be created to implement fine-grained access control.

Background information

Note If the target resources can be accessed without authorization, skip this topic.
You can use your Alibaba Cloud account or RAM user account to perform operations on your ECS resources through the ECS console or API. Operation permissions are required in the following scenarios:
  • A RAM user account created by you has no permissions to perform operations on the ECS resources that belong to your Alibaba Cloud account.
  • You want to access ECS resources from other Alibaba Cloud services, or access other Alibaba Cloud services from ECS.
  • You want to perform operations on ECS resources that require resource and API operation permissions granted by the resource owners.

When an account requests access to ECS resources that belong to your Alibaba Cloud account by calling ECS API operations, Alibaba Cloud ECS instructs RAM to perform a permission check to guarantee that the required permissions have been granted to the account that sends the request. ECS determines which resources require a permission check based on the requested resources and API operation syntax. For more information about authorization policies and access control, see What is RAM? and API overview in the RAM documentation.

Custom policies

You can use the RAM console or call the CreatePolicy API operation of RAM to create a custom policy. If Script is selected as the policy configuration mode, you must specify the value of PolicyDocument based on the JSON template file. You must specify the values of Action and Resource parameters based on the authentication list in the following section. For more information, see Implement access control by using RAM and Policy elements.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Effect": "Allow"
        }
    ]
}

Authentication list

Note For more information about the value format of the Resource parameter, see the following topic in RAM documentation: Terms.
Action Resource
AddTags acs:ecs:$regionid:$accountid:$resourceType/$resourceId
AllocatePublicIpAddress acs:ecs:$regionid:$accountid:instance/$instanceId
ApplyAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
AttachClassicLinkVpc acs:ecs:$regionid:$accountid:instance/$instanceId
AttachDisk
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:instance/$diskId
AttachKeyPair
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:keypair/$keypairName
AuthorizeSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo
AuthorizeSecurityGroupEgress acs:ecs:$regionid:$accountid:securitygroup/$groupNo
CancelAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
CancelCopyImage acs:ecs:$regionid:$accountid:image/$imageNo
CopyImage
  • acs:ecs:$fromRegionid:$accountid:image/$imageNo
  • acs:ecs:$toRegionid:$accountid:image/*
ConvertNatPublicIpToEip acs:ecs:$regionid:$accountid:instance/$instanceId
CreateAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
CreateDisk
  • acs:ecs:$regionid:$accountid:disk/*
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
CreateImage
  • acs:ecs:$regionid:$accountid:image/*
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • acs:ecs:$regionid:$accountid:instance/$instanceId
CreateInstance
  • acs:ecs:$regionid:$accountid:instance/*
  • acs:ecs:$regionid:$accountid:image/$imageNo
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • (Optional) acs:ecs:$regionid:$accountid:keypair/$keyPairName
  • acs:vpc:$regionid:$accountid:vswitch/$vswitchId
  • acs:vpc:$regionid:$accountid:vpc/$vpcId
CreateKeyPair acs:ecs:$regionid:$accountid:keypair/*
CreateSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/*
CreateSnapshot
  • acs:ecs:$regionid:$accountid:snapshot/*
  • acs:ecs:$regionid:$accountid:disk/$diskId
  • acs:ecs:$regionid:$accountid:volume/$volumeId
DeleteAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
DeleteDisk acs:ecs:$regionid:$accountid:disk/$diskId
DeleteImage acs:ecs:$regionid:$accountid:image/$imageNo
DeleteInstance acs:ecs:$regionid:$accountid:instance/$instanceId
DeleteKeyPairs acs:ecs:$regionid:$accountid:keypair/$keyPairName
DeleteSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo
DeleteSnapshot acs:ecs:$regionid:$accountid:snapshot/$snapshotId
DescribeClassicLinkInstances acs:ecs:$regionid:$accountid:instance/*
DescribeDiskMonitorData acs:ecs:$regionid:$accountid:disk/$diskId
DescribeDisks
  • acs:ecs:$regionid:$accountid:disk/$diskId
  • acs:ecs:$regionid:$accountid:disk/*
DescribeImages
  • acs:ecs:$regionid:$accountid:image/$imageNo
  • acs:ecs:$regionid:$accountid:image/*
DescribeInstanceMonitorData acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeInstances
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:instance/*
DescribeInstanceStatus acs:ecs:$regionid:$accountid:instance/*
DescribeInstanceVncPasswd acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeInstanceVncUrl acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeKeyPairs
  • acs:ecs:$regionid:$accountid:keypair/$keyPairName
  • acs:ecs:$regionid:$accountid:keypair/*
DescribePrice acs:ecs:*:$accountid:*
DescribeRenewalPrice acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeSecurityGroupAttribute acs:ecs:$regionid:$accountid:securitygroup/$groupNo
DescribeSecurityGroups
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
  • acs:ecs:$regionid:$accountid:securitygroup/*
DescribeSnapshotAttribute acs:ecs:$regionid:$accountid:snapshot/$snapshotId
DescribeSnapshotLinks
  • acs:ecs:$regionid:$accountid:disk/$diskId
  • acs:ecs:$regionid:$accountid:disk/*
DescribeSnapshotMonitorData acs:ecs:*:$accountid:snapshot/*
DescribeSnapshots
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • acs:ecs:$regionid:$accountid:snapshot/*
DescribeTags acs:ecs:$regionid:$accountid:$resourceType/$resourceId
DetachClassicLinkVpc acs:ecs:$regionid:$accountid:instance/$instanceId
DetachDisk
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:disk/$diskId
DetachKeyPair
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:keypair/$keypairName
ExportImage acs:ecs:$regionid:$accountid:image/$imageNo
ImportImage acs:ecs:$regionid:$accountid:image/*
ImportKeyPair acs:ecs:$regionid:$accountid:keypair/*
JoinSecurityGroup
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
LeaveSecurityGroup
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifyAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
ModifyDiskAttribute acs:ecs:$regionid:$accountid:disk/$diskId
ModifyImageAttribute acs:ecs:$regionid:$accountid:image/$imageNo
ModifyInstanceAttribute acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceAutoReleaseTime acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceChargeType acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceNetworkSpec acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceVncPasswd acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceVpcAttribute
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:vswitch/$vSwitchId
ModifySecurityGroupAttribute acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifySecurityGroupEgressRule acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifySecurityGroupRule acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifyPrepayInstanceSpec acs:ecs:$regionid:$accountid:
ModifySnapshotAttribute acs:ecs:$regionid:$accountid:snapshot/$snapshotId
RebootInstance acs:ecs:$regionid:$accountid:instance/$instanceId
ReInitDisk acs:ecs:$regionid:$accountid:disk/$diskId
ReleasePublicIpAddress acs:ecs:$regionid:$accountid:instance/$instanceId
RemoveTags acs:ecs:$regionid:$accountid:$resourceType/$resourceId
RenewInstance acs:ecs:$regionid:$accountid:instance/$instanceId
ReplaceSystemDisk
  • acs:ecs:$regionid:$accountid:instance/$instanceId
  • acs:ecs:$regionid:$accountid:image/$imageNo
ResetDisk acs:ecs:$regionid:$accountid:disk/$diskId
ResizeDisk acs:ecs:$regionid:$accountid:disk/$diskId
RevokeSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo
RevokeSecurityGroupEgress acs:ecs:$regionid:$accountid:securitygroup/$groupNo
RunInstances
  • acs:ecs:$regionid:$accountid:instance/*
  • acs:ecs:$regionid:$accountid:image/$imageNo
  • acs:ecs:$regionid:$accountid:securitygroup/$groupNo
  • acs:ecs:$regionid:$accountid:snapshot/$snapshotId
  • acs:ecs:$regionid:$accountid:keypair/$keyPairName
StartInstance acs:ecs:$regionid:$accountid:instance/$instanceId
StopInstance acs:ecs:$regionid:$accountid:instance/$instanceId