All Products
Search
Document Center

Resource Access Management (RAM)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Resource Access Management (RAM) .

The code (RamCode) in RAM that is used to indicate RAM is ram, sts. You can grant permissions on RAM at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by RAM. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

ram:AddUserToGroup

AddUserToGroup

Write


Group


acs:ram::{#accountId}:group/{#GroupName}


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:AttachPolicyToGroup

AttachPolicyToGroup

Write


Group


acs:ram::{#accountId}:group/{#GroupName}


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:AttachPolicyToRole

AttachPolicyToRole

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


Role


acs:ram::{#accountId}:role/{#RoleName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:AttachPolicyToUser

AttachPolicyToUser

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


User


acs:ram::{#accountId}:user/{#UserName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:BindMFADevice

BindMFADevice

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ChangePassword

ChangePassword

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ClearAccountAlias

ClearAccountAlias

Write


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:CreateAccessKey

CreateAccessKey

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:CreateGroup

CreateGroup

Write


Group


acs:ram::{#accountId}:group/*


N/A

N/A

ram:CreateLoginProfile

CreateLoginProfile

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:CreatePolicy

CreatePolicy

Write


Policy


acs:ram::{#accountId}:policy/*


N/A

N/A

ram:CreatePolicyVersion

CreatePolicyVersion

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:CreateRole

CreateRole

Write


Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:CreateUser

CreateUser

Write


User


acs:ram::{#accountId}:user/*


N/A

N/A

ram:CreateVirtualMFADevice

CreateVirtualMFADevice

Write


MFADevice


acs:ram::{#accountId}:mfa/*


N/A

N/A

ram:DeleteAccessKey

DeleteAccessKey

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:DeleteGroup

DeleteGroup

Write


Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:DeleteLoginProfile

DeleteLoginProfile

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:DeletePolicy

DeletePolicy

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:DeletePolicyVersion

DeletePolicyVersion

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:DeleteRole

DeleteRole

Write


Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:DeleteUser

DeleteUser

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:DeleteVirtualMFADevice

DeleteVirtualMFADevice

Write


MFADevice


acs:ram::{#accountId}:mfa/{#SerialNumber}


N/A

N/A

ram:DetachPolicyFromGroup

DetachPolicyFromGroup

Write


Group


acs:ram::{#accountId}:group/{#GroupName}


Policy


acs:ram::system:policy/{#PolicyName}


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:DetachPolicyFromRole

DetachPolicyFromRole

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


Role


acs:ram::{#accountId}:role/{#RoleName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:DetachPolicyFromUser

DetachPolicyFromUser

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


User


acs:ram::{#accountId}:user/{#UserName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:GetAccessKeyLastUsed

GetAccessKeyLastUsed

Read


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetAccountAlias

GetAccountAlias

Read


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetAccountSummary

None

Read


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetGroup

GetGroup

Read


Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:GetLoginProfile

GetLoginProfile

Read


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetPasswordPolicy

GetPasswordPolicy

Read


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetPolicy

GetPolicy

Read


Policy


acs:ram::system:policy/{#PolicyName}


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:GetPolicyVersion

GetPolicyVersion

Read


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:GetRole

GetRole

Read


Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:GetSecurityPreference

GetSecurityPreference

Read


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:GetUser

GetUser

Read


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:GetUserMFAInfo

GetUserMFAInfo

Read


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ListAccessKeys

ListAccessKeys

List


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ListEntitiesForPolicy

ListEntitiesForPolicy

List


Policy


acs:ram::system:policy/{#PolicyName}


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:ListGroups

ListGroups

List


Group


acs:ram::{#accountId}:group/*


N/A

N/A

ram:ListGroupsForUser

ListGroupsForUser

List


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ListPolicies

ListPolicies

List


Policy


acs:ram::{#accountId}:policy/*


N/A

N/A

ram:ListPoliciesForGroup

ListPoliciesForGroup

List


Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:ListPoliciesForRole

ListPoliciesForRole

List


Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:ListPoliciesForUser

ListPoliciesForUser

List


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:ListPolicyVersions

ListPolicyVersions

List


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


Policy


acs:ram::system:policy/{#PolicyName}


N/A

N/A

ram:ListRoles

ListRoles

List


Role


acs:ram::{#accountId}:role/*


N/A

N/A

ram:ListUsers

ListUsers

List


User


acs:ram::{#accountId}:user/*


N/A

N/A

ram:ListUsersForGroup

ListUsersForGroup

List


Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:ListVirtualMFADevices

ListVirtualMFADevices

List


MFADevice


acs:ram::{#accountId}:mfa/*


N/A

N/A

ram:PassRole

None

Write


Role


acs:ram::{#accountId}:role/{#RoleName}



acs:Service


None

ram:RemoveUserFromGroup

RemoveUserFromGroup

Write


Group


acs:ram::{#accountId}:group/{#GroupName}


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:SetAccountAlias

SetAccountAlias

Write


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:SetDefaultPolicyVersion

SetDefaultPolicyVersion

Write


Policy


acs:ram::{#accountId}:policy/{#PolicyName}


N/A

N/A

ram:SetPasswordPolicy

SetPasswordPolicy

Write


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:SetSecurityPreference

SetSecurityPreference

Write


All resources


acs:ram::{#accountId}:*


N/A

N/A

ram:UnbindMFADevice

UnbindMFADevice

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:UpdateAccessKey

UpdateAccessKey

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:UpdateGroup

UpdateGroup

Write


Group


acs:ram::{#accountId}:group/{#GroupName}


N/A

N/A

ram:UpdateLoginProfile

UpdateLoginProfile

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

ram:UpdateRole

UpdateRole

Write


Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

ram:UpdateUser

UpdateUser

Write


User


acs:ram::{#accountId}:user/{#UserName}


N/A

N/A

sts:AssumeRole

AssumeRole

Write


Role


acs:ram::{#accountId}:role/{#RoleName}


N/A

N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by RAM.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

User

acs:ram:*:{#accountId}:user/{#UserId}

Role

acs:ram:*:{#accountId}:role/{#RoleName}

Group

acs:ram:*:{#accountId}:group/{#GroupName}

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

MFADevice

acs:ram:*:{#accountId}:mfa/{#SerialNumber}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by RAM. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to RAM. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys

Description

Type

ram:ServiceName

Specifies the service principal of the linked service that trusted by the service-linked role (SLR). Example: "ecs.aliyuncs.com"

String

acs:Service

Specifies the service principal of the service to which a role can be passed. This condition key applies to the "PassRole" action in a policy. Example: "ecs.aliyuncs.com"

String