This topic describes the Action, Resource, and Condition elements in Resource Access Management (RAM) policies and the scenarios in which these policies apply.
Action definition
The Action element specifies one or more API operations. You can use this element to allow or deny user access to those operations.
When you create an authorization policy for Tablestore, prefix each action with ots:, separate multiple actions with commas, and use the asterisk (*) wildcard character for prefix or suffix matching.
A typical Action definition is as follows:
Single API operation
"Action": "ots:GetRow" Multiple APIs
"Action": [
"ots:PutRow",
"ots:GetRow"
] All read-only API operations
{
"Version": "1",
"Statement": [
{
"Action": [
"ots:BatchGet*",
"ots:Describe*",
"ots:Get*",
"ots:List*",
"ots:Consume*",
"ots:Search",
"ots:ComputeSplitPointsBySize"
],
"Resource": "*",
"Effect": "Allow"
}
]
} All read and write API operations
"Action": "ots:*" All SQL-related API operations
"Action": "ots:SQL*"Resource definition
The Resource element for Tablestore includes the service, region, user_id, instance_name, and table_name fields. Use this element to specify the Tablestore resources that other users can access. Each field supports the asterisk (*) wildcard character for prefix or suffix matching. Specify the Resource element in the following format:
acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name] Set the service field to ots. The [region] field specifies the ID of the region where the resource resides, such as cn-hangzhou. The [user_id] field specifies the Alibaba Cloud account ID. The [instance_name] field specifies the name of the Tablestore instance. The [table_name] field specifies the name of the Tablestore table. Configure these fields according to your actual settings.
Tablestore instance names are not case-sensitive. We recommend that you specify the instance_name field value in lowercase.
The Resource element for Tunnel Service is defined at the instance level rather than the table level and includes the service, region, user_id, and instance_name fields. Specify the Resource element in the following format:
acs:ots:[region]:[user_id]:instance/[instance_name] Example Resource definitions
All resources for all users in all regions
"Resource": "acs:ots:*:*:*"All instances and tables for user 123456 in the China (Hangzhou) region
"Resource": "acs:ots:cn-hangzhou:123456:instance*"The instance named abc and all its tables for user 123456 in the China (Hangzhou) region
"Resource": [ "acs:ots:cn-hangzhou:123456:instance/abc", "acs:ots:cn-hangzhou:123456:instance/abc/table*" ]All instances that start with abc and all their tables
"Resource": "acs:ots:*:*:instance/abc*"All tables that start with xyz in instances that start with abc. This excludes instance resources and does not match
acs:ots:*:*:instance/abc*."Resource": "acs:ots:*:*:instance/abc*/table/xyz*"All instances that end with abc and all their tables that end with xyz
"Resource": [ "acs:ots:*:*:instance/*abc", "acs:ots:*:*:instance/*abc/table/*xyz" ]
Usage notes
The Action and Resource elements in a RAM policy are verified by string matching. When you specify these elements, you can use the asterisk (*) wildcard character for prefix or suffix matching. If the Resource element is defined as
acs:ots:*:*:instance/*/,acs:ots:*:*:instance/abcdoes not match. If the Resource element is defined asacs:ots:*:*:instance/abc,acs:ots:*:*:instance/abc/table/xyzdoes not match.If a user wants to manage instances in the Tablestore console, the Tablestore console must query the list of instances. In this case, you must grant the user read permissions on the
acs:ots:[region]:[user_id]:instance/*resources.When you call API operations such as BatchGetRow or BatchWriteRow to perform operations on multiple tables simultaneously, the backend service authenticates each table separately. You can perform the operation only if all tables pass authentication. Otherwise, a permission error is returned.
Tablestore API operations
Tablestore provides instance management operations, table operations, data read/write operations, and Tunnel Service operations. The following tables describe how to configure resources for each type of operation.
Accessible Resources for Management APIs
Management APIs handle instance-level operations and are called from the console or using OpenAPI. The acs:ots:[region]:[user_id]: prefix is omitted from the resources described below. Only the instance is specified.
API Name | Action | Accessed resources |
CreateInstance | ots:InsertInstance | instance/[instance_name] |
UpdateInstance | ots:UpdateInstance | instance/[instance_name] |
GetInstance | ots:GetInstance | instance/[instance_name] |
DeleteInstance | ots:DeleteInstance | instance/[instance_name] |
ListInstances | ots:ListInstance | instance/* |
ChangeResourceGroup | ots:UpdateInstance | instance/[instance_name] |
ListTagResources | ots:ListTagResourcesCustomTags | instance/* |
TagResources | ots:TagResourcesCustomTags | instance/[instance_name] |
UntagResources | ots:UntagResourcesCustomTags | instance/[instance_name] |
UpdateInstancePolicy | ots:UpdateInstancePolicy | instance/[instance_name] |
DeleteInstancePolicy | ots:DeleteInstancePolicy | instance/[instance_name] |
CheckInstancePolicy | ots:CheckInstancePolicy | instance/[instance_name] |
UpdateInstanceElasticVCUUpperLimit | ots:UpdateInstanceElasticVCUUpperLimit | instance/[instance_name] |
Resources accessed by data APIs
Table operations and data read/write operations act on tables and rows and can be called from the Tablestore console or using Tablestore SDKs. If you specify the Action and Resource elements for these operations, some features may become unavailable in the Tablestore console. The acs:ots:[region]:[user_id]: prefix is omitted from the resource names below. Only the instance and table are specified.
API Name | Action | Accessed Resources |
ListTable | ots:ListTable | instance/[instance_name]/table* |
CreateTable | ots:CreateTable | instance/[instance_name]/table/[table_name] |
UpdateTable | ots:UpdateTable | instance/[instance_name]/table/[table_name] |
DescribeTable | ots:DescribeTable | instance/[instance_name]/table/[table_name] |
DeleteTable | ots:DeleteTable | instance/[instance_name]/table/[table_name] |
CreateGlobalTable |
| instance/[instance_name]/table/[table_name] |
DescribeGlobalTable | ots:DescribeGlobalTable | instance/[instance_name]/table/[table_name] |
UpdateGlobalTable |
| instance/[instance_name]/table/[table_name] |
BindGlobalTable |
| instance/[instance_name]/table/[table_name] |
UnbindGlobalTable |
| instance/[instance_name]/table/[table_name] |
AddDefinedColumn | ots:AddDefinedColumn | instance/[instance_name]/table/[table_name] |
DeleteDefinedColumn | ots:DeleteDefinedColumn | instance/[instance_name]/table/[table_name] |
GetRow | ots:GetRow | instance/[instance_name]/table/[table_name] |
PutRow | ots:PutRow | instance/[instance_name]/table/[table_name] |
UpdateRow | ots:UpdateRow | instance/[instance_name]/table/[table_name] |
DeleteRow | ots:DeleteRow | instance/[instance_name]/table/[table_name] |
GetRange | ots:GetRange | instance/[instance_name]/table/[table_name] |
BatchGetRow | ots:BatchGetRow | instance/[instance_name]/table/[table_name] |
BatchWriteRow | ots:BatchWriteRow | instance/[instance_name]/table/[table_name] |
ComputeSplitPointsBySize | ots:ComputeSplitPointsBySize | instance/[instance_name]/table/[table_name] |
StartLocalTransaction | ots:StartLocalTransaction | instance/[instance_name]/table/[table_name] |
CommitTransaction | ots:CommitTransaction | instance/[instance_name]/table/[table_name] |
AbortTransaction | ots:AbortTransaction | instance/[instance_name]/table/[table_name] |
CreateIndex | ots:CreateIndex | instance/[instance_name]/table/[table_name] |
DropIndex | ots:DropIndex | instance/[instance_name]/table/[table_name] |
CreateSearchIndex | ots:CreateSearchIndex | instance/[instance_name]/table/[table_name] |
UpdateSearchIndex | ots:UpdateSearchIndex | instance/[instance_name]/table/[table_name] |
DeleteSearchIndex | ots:DeleteSearchIndex | instance/[instance_name]/table/[table_name] |
ListSearchIndex | ots:ListSearchIndex | instance/[instance_name]/table/[table_name] |
DescribeSearchIndex | ots:DescribeSearchIndex | instance/[instance_name]/table/[table_name] |
Search | ots:Search | instance/[instance_name]/table/[table_name] |
ComputeSplits | ots:ComputeSplits | instance/[instance_name]/table/[table_name] |
ParallelScan | ots:ParallelScan | instance/[instance_name]/table/[table_name] |
CreateTunnel | ots:CreateTunnel | instance/[instance_name]/table/[table_name] |
DeleteTunnel | ots:DeleteTunnel | instance/[instance_name]/table/[table_name] |
ListTunnel | ots:ListTunnel | instance/[instance_name]/table/[table_name] |
ConsumeTunnel | ots:ConsumeTunnel | instance/[instance_name]/table/[table_name] |
DescribeTunnel | ots:DescribeTunnel | instance/[instance_name]/table/[table_name] |
BulkImport | ots:BulkImport | instance/[instance_name]/table/[table_name] |
BulkExport | ots:BulkExport | instance/[instance_name]/table/[table_name] |
SQL_Select | ots:SQL_Select | instance/[instance_name]/table/[table_name] |
SQL_Create | ots:SQL_Create | instance/[instance_name]/table/[table_name] |
SQL_DropMapping | ots:SQL_DropMapping | instance/[instance_name]/table/[table_name] |
Resources for Tunnel API access
Tunnel Service operations handle tunnel-related tasks and can be called from the Tablestore console or using Tablestore SDKs. If you specify the Action and Resource elements for these operations, some features may become unavailable in the Tablestore console. The acs:ots:[region]:[user_id]: prefix is omitted from the resource names below. Only the instance and table are specified.
API operation/Action | Resource |
ListTable | instance/[instance_name] |
CreateTable | instance/[instance_name] |
UpdateTable | instance/[instance_name] |
DescribeTable | instance/[instance_name] |
DeleteTable | instance/[instance_name] |
AddDefinedColumn | instance/[instance_name] |
DeleteDefinedColumn | instance/[instance_name] |
GetRow | instance/[instance_name] |
PutRow | instance/[instance_name] |
UpdateRow | instance/[instance_name] |
DeleteRow | instance/[instance_name] |
GetRange | instance/[instance_name] |
BatchGetRow | instance/[instance_name] |
BatchWriteRow | instance/[instance_name] |
ComputeSplitPointsBySize | instance/[instance_name] |
StartLocalTransaction | instance/[instance_name] |
CommitTransaction | instance/[instance_name] |
AbortTransaction | instance/[instance_name] |
CreateIndex | instance/[instance_name] |
DropIndex | instance/[instance_name] |
CreateSearchIndex | instance/[instance_name] |
DeleteSearchIndex | instance/[instance_name] |
ListSearchIndex | instance/[instance_name] |
DescribeSearchIndex | instance/[instance_name] |
Search | instance/[instance_name] |
CreateTunnel | instance/[instance_name] |
DeleteTunnel | instance/[instance_name] |
ListTunnel | instance/[instance_name] |
DescribeTunnel | instance/[instance_name] |
ConsumeTunnel | instance/[instance_name] |
Condition Definition
You can use the Condition element to configure policies that specify conditions for allowing or denying user access. The policies for Tablestore support various authentication conditions, such as IP address-based access control, HTTPS-based access control, multi-factor authentication (MFA)-based access control, access control based on specific TLS versions (TLS v1.2 and TLS v1.3), and time-based access control.
IP address-based access control
You can create an IP address whitelist to specify the IP addresses or CIDR blocks allowed to access Tablestore resources. This method is suitable for the following scenarios:
Restrict access from multiple IP addresses.
The following example shows how to allow requests only from the IP addresses 10.10.XX.XX and 10.11.XX.XX to access Tablestore resources:
{ "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX", "10.11.XX.XX" ] } } } ], "Version": "1" }You can restrict individual IP addresses and CIDR blocks.
The following example shows how to allow requests only from the IP address 10.10.XX.XX or the CIDR block 10.10.XX.XX/24 to access Tablestore resources:
{ "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": "acs:ots:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX", "10.10.XX.XX/24" ] } } } ], "Version": "1" }
HTTPS-based access control
You can use a custom policy to require that access to Tablestore occurs over HTTPS.
The following example requires that requests to access Tablestore use HTTPS.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ots:*",
"Resource": "acs:ots:*:*:*",
"Condition": {
"Bool": {
"acs:SecureTransport": "true"
}
}
}
],
"Version": "1"
} TLS version-based access control
You can use a custom policy to restrict access to Tablestore to requests that use TLS v1.2 or TLS v1.3 only.
The following example restricts access to Tablestore to TLS v1.2 and TLS v1.3 only.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ots:*",
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"ots:TLSVersion": [
"TLSv1.2",
"TLSv1.3"
]
}
}
}
]
}MFA-based access control
You can create a custom policy to allow access to Tablestore resources only for requests that pass multi-factor authentication (MFA).
The following example restricts access to Tablestore to requests that pass MFA.
{
"Statement": [
{
"Effect": "Allow",
"Action": "ots:*",
"Resource": "acs:ots:*:*:*",
"Condition": {
"Bool": {
"acs:MFAPresent ": "true"
}
}
}
],
"Version": "1"
} Time-based access control
You can create a custom policy to specify when access requests are allowed or denied. Requests sent before the specified time are either allowed or denied.
The following example allows users to access Tablestore only before 00:00 on January 1, 2016 (UTC+8).
{
"Statement": [
{
"Effect": "Allow",
"Action": "ots:*",
"Resource": "acs:ots:*:*:*",
"Condition": {
"DateLessThan": {
"acs:CurrentTime": "2016-01-01T00:00:00+08:00"
}
}
}
],
"Version": "1"
} Scenarios
This section describes typical authorization scenarios using the Action, Resource, and Condition elements. Examples include configuring an IP address whitelist, allowing or denying access to specific resources in specific regions, and specifying access times and methods.
Scenario 1: Multiple access control conditions
In this scenario, RAM users whose IP addresses belong to the 10.10.XX.XX/24 CIDR block can perform read or write operations on the instances named online-01 and online-02, including all tables in those instances. Access is allowed only over HTTPS before 00:00:00 on January 1, 2016.
Log on to the RAM console using your Alibaba Cloud account (the Resource Access Management (RAM) service is enabled by default).
Create a custom policy.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Access Policy page, click the Script Editor tab. Enter the following script in the policy document and click OK.
{ "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": [ "acs:ots:*:*:instance/online-01", "acs:ots:*:*:instance/online-01/table*", "acs:ots:*:*:instance/online-02", "acs:ots:*:*:instance/online-02/table*" ], "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX/24" ] }, "DateLessThan": { "acs:CurrentTime": "2016-01-01T00:00:00+08:00" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" }In the Create Access Policy dialog box, enter a policy name and description, and then click OK.
Attach the policy to a RAM user.
In the navigation pane on the left, choose .
On the Users page, find the RAM user to whom you want to grant permissions, and click Add Permissions in the Actions column.
In the Grant Permission panel, select Custom Policy, search for the name of the policy you created, and select the check box next to the policy to add it to the Selected Policy column.
Click Grant Permissions.
Click Shutdown.
Scenario 2: Reject requests
In this scenario, RAM users who use the IP address 10.10.XX.XX cannot write data to tables in instances whose names contain the online or product prefix in the China (Beijing) region. This policy does not apply to instance-level operations.
Log on to the RAM console using your Alibaba Cloud account (the RAM service is enabled by default).
You can create an access policy.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Script Editor tab, enter the following content in the policy editor, and click OK.
{ "Statement": [ { "Effect": "Deny", "Action": [ "ots:Create*", "ots:Insert*", "ots:Put*", "ots:Update*", "ots:Delete*", "ots:BatchWrite*" ], "Resource": [ "acs:ots:cn-beijing:*:instance/online*/table*", "acs:ots:cn-beijing:*:instance/product*/table*" ], "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.XX.XX" ] } } } ], "Version": "1" }In the Create Policy dialog box, configure the Name and Description parameters and click OK.
Attach the policy to a RAM user.
In the navigation pane on the left, choose .
On the Users page, find the RAM user to whom you want to attach the policy. In the Actions column, click Add Permissions.
In the Grant Permission panel, select Custom Policy, search for the name of the policy you created, and select the check box next to the policy to add it to the Selected Policy column.
Click Grant Permissions.
Click Close.
Scenario 3: Restrict the instances that a RAM user can manage
In this scenario, a RAM user can manage only specific instances and cannot view or manage other instances.
Log on to the RAM console using your Alibaba Cloud account (the RAM service is enabled by default).
Create an access policy.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Access Policy page, click the Script Editor tab.
Enter the following policy document, and then click OK.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ots:ListInstance", "ots:ListTagResources" ], "Resource": "acs:ots:*:*:instance/*" }, { "Effect": "Allow", "Action": "ots:*", "Resource": [ "acs:ots:*:*:instance/yourInstance", "acs:ots:*:*:instance/yourInstance/table*" ] }, { "Effect": "Allow", "Action": "cms:Query*", "Resource": "*" } ] }For more information about access policies, see the following table.
access policy
Description
{ "Effect": "Allow", "Action": [ "ots:ListInstance", "ots:ListTagResources" ], "Resource": "acs:ots:*:*:instance/*" }ImportantYou must configure this option so that RAM users can manage only specific instances in the console.
You must grant the RAM user the permissions to retrieve the instance list and the tag list because the Overview page of the Tablestore console needs to request them.
{ "Effect": "Allow", "Action": "ots:*", "Resource": [ "acs:ots:*:*:instance/yourInstance", "acs:ots:*:*:instance/yourInstance/table*" ] }Grant the RAM user all permissions on the
yourInstanceinstance and all tables in the instance.{ "Effect": "Allow", "Action": "cms:Query*", "Resource": "*" }Grant the RAM user the permissions to use CloudMonitor to view the monitoring data of instances and tables.
In the Create Policy dialog box, configure the Policy Name and Description parameters and click OK.
Attach the policy to a RAM user.
In the navigation pane on the left, choose .
On the Users page, find the RAM user to whom you want to grant permissions. In the Actions column, click Add Permissions.
In the Grant Permission panel, select Custom Policy, search for the name of the policy you created, and select the check box next to the policy to add it to the Selected Policy column.
Click Grant Permissions.
Click Close.