Policy elements

Elements

Rules of using policy elements

• Effect

  Valid values include Allow and Deny, for example, "Effect": "Allow".

• Action

  This element can have more than one value. Valid values include the names of API operations from Alibaba Cloud services.

  Note In most cases, each Alibaba Cloud service has its own set of API operations. For more information, see Alibaba Cloud services that work with RAM.

  Format:

  <service-name>:<action-name>
  • service-name: the name of an Alibaba Cloud service. Example values include ecs, rds, slb, oss, and ots.
  • action-name: the name of the relevant API operation.

  Example:

  "Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"]
• Resource

  This element specifies the object or objects that the statement covers.

  Format:

  acs:<service-name>:<region>:<account-id>:<relative-id>
  • acs: the abbreviation of the Alibaba Cloud service, which indicates the public cloud platform from Alibaba Cloud.
  • service-name: the name of an Alibaba Cloud service. Example values include ecs, rds, slb, oss, and ots.
  • region: the region information. If this element is not supported, use the asterisk (*) wildcard character instead.
  • account-id: the Alibaba Cloud account ID, such as 1234567890123456. If no ID is required or available, use an asterisk (*) instead.
  • relative-id: the description of the service-related resource. The meaning of this element is specified by a specific Alibaba Cloud service. The relative-id element is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an OSS object.

  Example:

  "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002", "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"]
• Condition
  A condition block can contain one or more conditions, and each condition consists of a condition operator, key, and value.

  

  Description

  • A condition key can have one or more values. If the condition value matches any of the corresponding values, the condition is met.
  • A condition is met only if the requirements for all the values of the condition key are met.
  • A condition block is met only if all of its conditions are met.

  Operator categories

  The supported operator categories include string, numeric, date and time, Boolean, and IP address.

  Category	Supported operators
  String	StringEquals StringNotEquals StringEqualsIgnoreCase StringNotEqualsIgnoreCase StringLike StringNotLike
  Numeric	NumericEquals NumericNotEquals NumericLessThan NumericLessThanEquals NumericGreaterThan NumericGreaterThanEquals
  Date and time	DateEquals DateNotEquals DateLessThan DateLessThanEquals DateGreaterThan DateGreaterThanEquals
  Boolean	Bool
  IP address	IpAddress NotIpAddress

  Condition keys

  The format of common condition keys is as follows:

  acs:<condition-key>

  The format of condition keys for Alibaba Cloud services is as follows:

  <service-name>:<condition-key>

  Table 1. Condition keys

  Condition key	Category	Description
  acs:CurrentTime	Date and time	The time when the web server receives a request. Specify the time in the ISO 8601 standard, for example, 2012-11-11T23:59:59Z.
  acs:SecureTransport	Boolean	Indicates whether a secure channel is used to send a request. For example, a request can be sent over HTTPS.
  acs:SourceIp	IP address	The IP address of the client that sends a request.
  acs:MFAPresent	Boolean	Indicates whether multi-factor authentication (MFA) is used during user logon.

  Table 2. Condition keys for Alibaba Cloud services

  Alibaba Cloud service	Condition key	Category	Description
  ECS	ecs:tag/<tag-key>	String	The tag key for the Elastic Compute Service (ECS) resource. This key can be customized.
  RDS	rds:ResourceTag/<tag-key>	String	The tag key for the RDS resource. This key can be customized.
  OSS	oss:Delimiter	String	The delimiter used by Object Storage Service (OSS) to categorize object names.
  OSS	oss:Prefix	String	The prefix of an OSS object name.