This topic describes the elements of policies that are used in Alibaba Cloud Resource Access Management (RAM) to define a permission, and helps you better manage permission policies.


We recommend that you learn about the policy elements before using permission policies.
Element Description
Effect Specifies whether a statement results in an allow or an explicit deny. Valid values: Allow and Deny
Action Describes the specific API operation or operations that will be allowed or denied.
Resource Specifies the object or objects that the statement covers.
Condition Specifies the conditions for when a policy is in effect.

Rules of using policy elements

  • Effect

    Valid values include Allow and Deny, for example, "Effect": "Allow".

  • Action

    This element can have more than one value. Valid values include the names of API operations from Alibaba Cloud services.

    Note In most cases, each Alibaba Cloud service has its own set of API operations. For more information, see Alibaba Cloud services that work with RAM.


    • service-name: the name of an Alibaba Cloud service. Example values include ecs, rds, slb, oss, and ots.
    • action-name: the name of the relevant API operation.


    "Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"]
  • Resource

    This element specifies the object or objects that the statement covers.


    • acs: the abbreviation of the Alibaba Cloud service, which indicates the public cloud platform from Alibaba Cloud.
    • service-name: the name of an Alibaba Cloud service. Example values include ecs, rds, slb, oss, and ots.
    • region: the region information. If this element is not supported, use the asterisk (*) wildcard character instead.
    • account-id: the Alibaba Cloud account ID, such as 1234567890123456. If no ID is required or available, use an asterisk (*) instead.
    • relative-id: the description of the service-related resource. The meaning of this element is specified by a specific Alibaba Cloud service. The relative-id element is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an OSS object.


    "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002", "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"]
  • Condition
    A condition block can contain one or more conditions, and each condition consists of a condition operator, key, and value.
    Figure 1. Condition block
    Condition block


    • A condition key can have one or more values. If the condition value matches any of the corresponding values, the condition is met.
    • A condition is met only if the requirements for all the values of the condition key are met.
    • A condition block is met only if all of its conditions are met.

    Operator categories

    The supported operator categories include string, numeric, date and time, Boolean, and IP address.

    Category Supported operators
    • StringEquals
    • StringNotEquals
    • StringEqualsIgnoreCase
    • StringNotEqualsIgnoreCase
    • StringLike
    • StringNotLike
    • NumericEquals
    • NumericNotEquals
    • NumericLessThan
    • NumericLessThanEquals
    • NumericGreaterThan
    • NumericGreaterThanEquals
    Date and time
    • DateEquals
    • DateNotEquals
    • DateLessThan
    • DateLessThanEquals
    • DateGreaterThan
    • DateGreaterThanEquals
    Boolean Bool
    IP address
    • IpAddress
    • NotIpAddress

    Condition keys

    The format of common condition keys is as follows:
    The format of condition keys for Alibaba Cloud services is as follows:
    Table 1. Condition keys
    Condition key Category Description
    acs:CurrentTime Date and time The time when the web server receives a request. Specify the time in the ISO 8601 standard, for example, 2012-11-11T23:59:59Z.
    acs:SecureTransport Boolean Indicates whether a secure channel is used to send a request. For example, a request can be sent over HTTPS.
    acs:SourceIp IP address The IP address of the client that sends a request.
    acs:MFAPresent Boolean Indicates whether multi-factor authentication (MFA) is used during user logon.
    Table 2. Condition keys for Alibaba Cloud services
    Alibaba Cloud service Condition key Category Description
    ECS ecs:tag/<tag-key> String The tag key for the Elastic Compute Service (ECS) resource. This key can be customized.
    RDS rds:ResourceTag/<tag-key> String The tag key for the RDS resource. This key can be customized.
    OSS oss:Delimiter String The delimiter used by Object Storage Service (OSS) to categorize object names.
    OSS oss:Prefix String The prefix of an OSS object name.