This topic describes the elements of policies that are used in Alibaba Cloud Resource Access Management (RAM) to define a permission, and helps you better manage permission policies.
Elements
Element | Description
---|---
Effect | Specifies whether a statement results in an allow or an explicit deny. Valid values: Allow and Deny.
Action | Describes the specific API operation or operations that will be allowed or denied.
Resource | Specifies the object or objects that the statement covers.
Condition | Specifies the conditions for when a policy is in effect.
Rules of using policy elements
- Effect

  Valid values include Allow and Deny. Example: `"Effect": "Allow"`

- Action

  This element can have more than one value. Valid values include the names of API operations from Alibaba Cloud services.

  Note: In most cases, each Alibaba Cloud service has its own set of API operations. For more information, see Alibaba Cloud services that work with RAM.

  Format: `<service-name>:<action-name>`

  - service-name: the name of an Alibaba Cloud service. Example values include ecs, rds, slb, oss, and ots.
  - action-name: the name of the relevant API operation.

  Example: `"Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"]`
- Resource

  This element specifies the object or objects that the statement covers.

  Format: `acs:<service-name>:<region>:<account-id>:<relative-id>`

  - acs: the abbreviation of Alibaba Cloud Service, which indicates the public cloud platform from Alibaba Cloud.
  - service-name: the name of an Alibaba Cloud service. Example values include ecs, rds, slb, oss, and ots.
  - region: the region information. If this element is not supported, use the asterisk (`*`) wildcard character instead.
  - account-id: the Alibaba Cloud account ID, such as 1234567890123456. If no ID is required or available, use an asterisk (`*`) instead.
  - relative-id: the description of the service-related resource. The meaning of this element is specified by a specific Alibaba Cloud service. The relative-id element is similar to a file path. For example, `relative-id = "mybucket/dir1/object1.jpg"` indicates an OSS object.

  Example: `"Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002", "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"]`
- Condition

  A condition block can contain one or more conditions, and each condition consists of a condition operator, key, and value.

  Figure 1. Condition block

  Description:

  - A condition key can have one or more values. If the condition value matches any of the corresponding values, the condition is met.
  - A condition is met only if the requirements for all the values of the condition key are met.
  - A condition block is met only if all of its conditions are met.
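The Effect, Action, and Resource rules above can be checked mechanically. The following Python script is an added example, not code from the Alibaba Cloud documentation: it validates a statement against the documented formats and tests whether a requested action and resource fall under the statement's wildcard patterns. The statement is constructed from the examples in this topic; the regular expressions and the reading of `*` as "any run of characters" are this example's own assumptions.

```python
import re

# Constructed statement built from the Action and Resource examples in this
# topic; it is not a policy shipped by Alibaba Cloud.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"],
    "Resource": [
        "acs:ecs:*:*:instance/inst-001",
        "acs:ecs:*:*:instance/inst-002",
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*",
    ],
}

# <service-name>:<action-name>; '*' is the only wildcard handled here (assumption)
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")
# acs:<service-name>:<region>:<account-id>:<relative-id>; region and account-id
# may be '*' and account-id may be empty, as the topic describes
RESOURCE_RE = re.compile(r"^acs:([a-z0-9-]+):([a-z0-9-]+|\*):([0-9]+|\*|):(.+)$")


def _as_list(value):
    # A single string is accepted where a list is expected
    return value if isinstance(value, list) else [value]


def parse_resource(resource):
    """Split a resource string into its documented parts, or return None."""
    m = RESOURCE_RE.match(resource)
    if not m:
        return None
    service, region, account_id, relative_id = m.groups()
    return {"service": service, "region": region,
            "account_id": account_id, "relative_id": relative_id}


def validate_statement(stmt):
    """Return the list of format problems; an empty list means well-formed."""
    problems = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append(f"Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
    for action in _as_list(stmt.get("Action", [])):
        if not ACTION_RE.match(action):
            problems.append(f"Action {action!r} is not <service-name>:<action-name>")
    for resource in _as_list(stmt.get("Resource", [])):
        if parse_resource(resource) is None:
            problems.append(f"Resource {resource!r} is not acs:<service-name>:<region>:<account-id>:<relative-id>")
    return problems


def _glob(pattern, value):
    # '*' matches any run of characters (including ':' and '/'); all else is literal
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def statement_covers(stmt, action, resource):
    """True if the statement's Action and Resource lists both match the request.
    Whether the statement then allows or denies is decided by its Effect."""
    return (any(_glob(p, action) for p in _as_list(stmt["Action"]))
            and any(_glob(p, resource) for p in _as_list(stmt["Resource"])))
```

Running `validate_statement` over policies before they are attached catches the common slips (a lowercase `allow`, an action without its service prefix, a resource missing the `acs:` prefix), and `statement_covers` shows why `acs:oss:*:*:mybucket/*` reaches every object in the bucket while `acs:oss:*:*:mybucket` reaches only the bucket itself.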
Operator categories
The supported operator categories include string, numeric, date and time, Boolean, and IP address.
Category | Supported operators
---|---
String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
Numeric | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
Boolean | Bool
IP address | IpAddress, NotIpAddress
Condition keys
The format of common condition keys is as follows: `acs:<condition-key>`

The format of condition keys for Alibaba Cloud services is as follows: `<service-name>:<condition-key>`

Table 1. Condition keys

Condition key | Category | Description
---|---|---
acs:CurrentTime | Date and time | The time when the web server receives a request. Specify the time in the ISO 8601 standard, for example, 2012-11-11T23:59:59Z.
acs:SecureTransport | Boolean | Indicates whether a secure channel is used to send a request. For example, a request can be sent over HTTPS.
acs:SourceIp | IP address | The IP address of the client that sends a request.
acs:MFAPresent | Boolean | Indicates whether multi-factor authentication (MFA) is used during user logon.

Table 2. Condition keys for Alibaba Cloud services

Alibaba Cloud service | Condition key | Category | Description
---|---|---|---
ECS | `ecs:tag/<tag-key>` | String | The tag key for the Elastic Compute Service (ECS) resource. This key can be customized.
RDS | `rds:ResourceTag/<tag-key>` | String | The tag key for the RDS resource. This key can be customized.
OSS | oss:Delimiter | String | The delimiter used by Object Storage Service (OSS) to categorize object names.
OSS | oss:Prefix | String | The prefix of an OSS object name.
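The condition rules (any value of a key, all keys, all conditions), the operator categories, and the condition keys from Tables 1 and 2 can be exercised with a small evaluator. The following Python script is an added example, not Alibaba Cloud's implementation: the condition block and request context are constructed for illustration, negated operators are read as "matches none of the listed values", a key absent from the request is treated as not met, and the deny-overrides combination in `decide` is stated as an assumption because this topic does not spell out statement precedence.

```python
import ipaddress
import operator as op
import re
from datetime import datetime, timezone

# Constructed condition block using keys and operators listed in this topic:
# source in one of two private ranges, secure channel, MFA, before 2025,
# and an ECS resource tagged env=prod or env=staging.
CONDITION = {
    "IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "192.168.1.0/24"]},
    "Bool": {"acs:SecureTransport": "true", "acs:MFAPresent": "true"},
    "DateLessThan": {"acs:CurrentTime": "2025-01-01T00:00:00Z"},
    "StringEquals": {"ecs:tag/env": ["prod", "staging"]},
}

# Constructed request context: keys are the topic's condition keys, values invented.
REQUEST = {
    "acs:SourceIp": "10.20.30.40",
    "acs:SecureTransport": True,
    "acs:MFAPresent": True,
    "acs:CurrentTime": "2024-06-01T12:00:00Z",
    "ecs:tag/env": "prod",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # ISO 8601 in the form the topic shows, e.g. 2012-11-11T23:59:59Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _glob(pattern, value):
    # '*' matches any run of characters; everything else is literal (assumption)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


# Positive operators: does one request value match one policy value?
POSITIVE = {
    "StringEquals": lambda r, v: r == v,
    "StringEqualsIgnoreCase": lambda r, v: r.lower() == v.lower(),
    "StringLike": lambda r, v: _glob(v, r),
    "Bool": lambda r, v: str(r).lower() == str(v).lower(),
    "IpAddress": lambda r, v: ipaddress.ip_address(r) in ipaddress.ip_network(v, strict=False),
}
for _name, _cmp in {"Equals": op.eq, "LessThan": op.lt, "LessThanEquals": op.le,
                    "GreaterThan": op.gt, "GreaterThanEquals": op.ge}.items():
    POSITIVE["Numeric" + _name] = lambda r, v, c=_cmp: c(float(r), float(v))
    POSITIVE["Date" + _name] = lambda r, v, c=_cmp: c(_parse_time(r), _parse_time(v))

# Negated operators and the positive test each one inverts
NEGATED = {
    "StringNotEquals": "StringEquals", "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
    "StringNotLike": "StringLike", "NumericNotEquals": "NumericEquals",
    "DateNotEquals": "DateEquals", "NotIpAddress": "IpAddress",
}


def key_met(operator_name, request_value, policy_values):
    """One key: met if the request value matches ANY listed value (topic rule).
    Negated operators are read as 'matches NONE of the listed values' (assumption)."""
    if operator_name in NEGATED:
        test = POSITIVE[NEGATED[operator_name]]
        return not any(test(request_value, v) for v in policy_values)
    if operator_name not in POSITIVE:
        raise ValueError(f"unsupported condition operator: {operator_name}")
    test = POSITIVE[operator_name]
    return any(test(request_value, v) for v in policy_values)


def condition_block_met(block, request):
    """Whole block: every condition, and every key under it, must be met.
    A key absent from the request context counts as not met (assumption)."""
    for operator_name, keys in block.items():
        for key, values in keys.items():
            if key not in request or not key_met(operator_name, request[key], _as_list(values)):
                return False
    return True


def decide(statements, request):
    """Combine statements whose Action and Resource already match the request:
    a Deny whose condition is met wins over any Allow, and with no Allow met the
    result is an implicit deny (deny-precedence, stated here as an assumption)."""
    allowed = False
    for stmt in statements:
        if condition_block_met(stmt.get("Condition", {}), request):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

The same evaluator makes the interaction of the three rules visible: changing `ecs:tag/env` to `staging` still satisfies the block because a key only needs one of its values to match, while a single key that fails (an off-range `acs:SourceIp`, `acs:MFAPresent` false, or a request after the `DateLessThan` cutoff) fails the whole block.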