By default, a RAM user does not have permission to call Alibaba Cloud APIs to create or modify resources. If a RAM user needs to call Alibaba Cloud APIs, the primary account must first create an authorization policy. The policy is then attached to the RAM user, which grants the user the corresponding permissions.
You specify the resources that a RAM user may use by writing an authorization policy. In the policy, an Alibaba Resource Name (ARN) identifies the resource being authorized.
The ARN format is as follows:
acs:<service-name>:<region>:<account-id>:<resource-relative-id>
acs is the abbreviation for Alibaba Cloud Service.
service-name is the service name, such as ecs, oss, or slb.
region is the region of the service. Use an asterisk (*) in its place when the service does not support regions.
account-id is the ID of the resource owner, such as 1234567890123456.
resource-relative-id is the resource description. The description varies by product; see the specific product's API documentation for details.
For example, acs:oss::1234567890123456:sample_bucket/file1.txt refers to the resource named sample_bucket/file1.txt in OSS, where the account-id field gives the resource owner's ID, 1234567890123456.
The following policy grants two permissions:
Allow the RAM user to view all ECS instances in the China North 1 region (ecs:Describe*).
Allow the RAM user to list and read the objects in the OSS bucket mybucket (oss:ListObjects, oss:GetObject), provided the request comes from 184.108.40.206 or from 220.127.116.11/24.
"acs:SourceIp": ["18.104.22.168", "22.214.171.124/24"]
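To see how the ARN fields and the policy's source-IP condition work together, here is an added example (not Alibaba Cloud's own code or a RAM API) that parses ARNs, matches them field by field against policy patterns, and evaluates a request against a policy document offline. The policy is constructed to mirror the two permissions described above, using the addresses from the description; the region ID cn-beijing for China North 1, the sample account ID and resource IDs, and the evaluator itself are assumptions for the sake of the example.

```python
"""Added example (not Alibaba Cloud's code): ARN matching and policy evaluation."""
import ipaddress
from fnmatch import fnmatchcase

ARN_FIELDS = ("prefix", "service", "region", "account", "resource")

# Constructed policy mirroring the two permissions described in the text.
# Assumption: the China North 1 region is identified as cn-beijing.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:Describe*"],
            "Resource": ["acs:ecs:cn-beijing:*:*"],
        },
        {
            "Effect": "Allow",
            "Action": ["oss:ListObjects", "oss:GetObject"],
            # The bucket itself (for listing) and every object under it (for reading).
            "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"],
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["184.108.40.206", "220.127.116.11/24"]}
            },
        },
    ],
}


def parse_arn(arn):
    """Split an ARN into its five fields; the resource field may itself contain ':'."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"not a valid ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts))


def arn_matches(pattern, arn):
    """Glob-match each field; '*' in a pattern field matches anything, including an empty region."""
    p, a = parse_arn(pattern), parse_arn(arn)
    return all(fnmatchcase(a[f], p[f]) for f in ARN_FIELDS)


def _condition_holds(condition, context):
    """Only the IpAddress operator is modelled; an unknown operator or missing key fails closed."""
    for operator, keys in condition.items():
        if operator != "IpAddress":
            return False
        for key, allowed in keys.items():
            value = context.get(key)
            if value is None:
                return False
            ip = ipaddress.ip_address(value)
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in allowed):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    return (
        any(fnmatchcase(action.lower(), a.lower()) for a in actions)
        and any(arn_matches(r, resource) for r in resources)
        and _condition_holds(stmt.get("Condition", {}), context)
    )


def is_allowed(policy, action, resource, source_ip=None):
    """Default deny; a matching explicit Deny wins over any matching Allow."""
    context = {"acs:SourceIp": source_ip} if source_ip else {}
    effects = {
        s["Effect"] for s in policy["Statement"]
        if _statement_matches(s, action, resource, context)
    }
    return "Allow" in effects and "Deny" not in effects


if __name__ == "__main__":
    # Sample account and resource IDs below are constructed for the demo.
    obj = "acs:oss::1234567890123456:mybucket/file1.txt"
    print(is_allowed(POLICY, "ecs:DescribeInstances", "acs:ecs:cn-beijing:1234567890123456:instance/i-demo"))
    print(is_allowed(POLICY, "oss:GetObject", obj, source_ip="220.127.116.42"))
    print(is_allowed(POLICY, "oss:GetObject", obj))  # no source IP: condition fails, denied
```

Two points the evaluator makes concrete: the empty region field in an OSS ARN is matched by a `*` in the policy pattern, and a statement with an IpAddress condition grants nothing when the request carries no source address, so a policy like the one above is restrictive by default rather than permissive.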