
Permissions

Last Updated: Mar 12, 2018

Resource permissions

By default, a RAM user has no permission to call an Alibaba Cloud API to create or modify a resource. If a RAM user needs to call Alibaba Cloud APIs, the primary account must first create an authorization policy and then attach that policy to the RAM user; the user then has exactly the permissions the policy grants and nothing more.

You specify which resources a RAM user may use by creating an authorization policy. In the policy, an Alibaba Resource Name (ARN) identifies each resource being authorized.

The ARN format is as follows:

acs:<service-name>:<region>:<account-id>:<resource-relative-id>

where:

  • acs is the abbreviation for Alibaba Cloud Service.

  • service-name is the service name, such as ecs, oss, or slb.

  • region is the region ID of the service, such as cn-hangzhou. Use an asterisk (*) when the service does not support regions (the OSS example below leaves the field empty, which the policy wildcard also matches).

  • account-id is the Alibaba Cloud account ID of the resource owner, such as 1234567890123456.

  • resource-relative-id is the resource description. The description varies by product. See specific product API documentation for more information.

    For example, acs:oss::1234567890123456:sample_bucket/file1.txt refers to the OSS object file1.txt in the bucket sample_bucket, owned by the account 1234567890123456.

Example

The following policy grants two permissions:

  • Allow the RAM user to view all ECS instances in the China (Hangzhou) region, cn-hangzhou (ecs:Describe*). No source-IP restriction applies to this statement.

  • Allow the RAM user to list and read the objects in the OSS bucket mybucket (oss:ListObjects, oss:GetObject), but only when the request comes from 42.120.88.10 or from 42.120.66.0/24. A Condition applies only to the statement that contains it, so the IP restriction does not affect the ECS statement above. Any action not listed, such as oss:PutObject, is denied by default.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecs:Describe*",
          "Resource": "acs:ecs:cn-hangzhou:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetObject"
          ],
          "Resource": [
            "acs:oss:*:*:mybucket",
            "acs:oss:*:*:mybucket/*"
          ],
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": ["42.120.88.10", "42.120.66.0/24"]
            }
          }
        }
      ]
    }
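To make the ARN format and the policy semantics above concrete, here is a small policy evaluator written as an added example (it is not Alibaba Cloud's code and is not part of the original page). It parses ARNs field by field, glob-matches Action and Resource, evaluates the acs:SourceIp condition with the IpAddress and NotIpAddress operators, and applies the usual precedence: no matching statement is an implicit Deny, an explicit Deny overrides any Allow. The policy it loads is a copy of the JSON above; the request ARNs, the IP addresses in the checks, the extra Deny statement in POLICY_WITH_DENY and the assumption that action names are compared case-insensitively are all constructed for this example and should be confirmed against the RAM documentation of the product you use.

```python
import fnmatch
import ipaddress
import json

# Constructed copy of the page's example policy; the only input this example needs.
POLICY_JSON = r'''
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:Describe*",
      "Resource": "acs:ecs:cn-hangzhou:*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject"],
      "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"],
      "Condition": {"IpAddress": {"acs:SourceIp": ["42.120.88.10", "42.120.66.0/24"]}}
    }
  ]
}
'''
POLICY = json.loads(POLICY_JSON)

# Same policy plus an explicit Deny on one key prefix (constructed, not on the page):
# used to show that Deny beats Allow even when both statements match a request.
POLICY_WITH_DENY = json.loads(POLICY_JSON)
POLICY_WITH_DENY["Statement"].append({
    "Effect": "Deny",
    "Action": "oss:GetObject",
    "Resource": "acs:oss:*:*:mybucket/secret/*",
})

ARN_FIELDS = ("service", "region", "account", "resource")


def parse_arn(arn):
    """Split acs:<service>:<region>:<account-id>:<resource-relative-id> into fields.
    The resource-relative-id may itself contain ':', so split at most four times."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError("malformed ARN: %r" % arn)
    return dict(zip(ARN_FIELDS, parts[1:]))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, resource):
    """Field-by-field glob match. '*' matches anything, including the empty
    region the page uses for OSS (acs:oss::<account>:<bucket>/<key>)."""
    p, r = parse_arn(pattern), parse_arn(resource)
    return all(fnmatch.fnmatchcase(r[f], p[f]) for f in ARN_FIELDS)


def _action_matches(pattern, action):
    # Assumption for this example: action names compare case-insensitively; ARNs do not.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _ip_in(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, context):
    """Only the acs:SourceIp key with IpAddress / NotIpAddress is modelled.
    A request that lacks the key fails the condition rather than passing it."""
    for operator, kv in condition.items():
        for key, allowed in kv.items():
            if key != "acs:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError("unsupported condition %s/%s" % (operator, key))
            if key not in context:
                return False
            hit = _ip_in(context[key], _as_list(allowed))
            if hit != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny'. No matching statement is an implicit Deny,
    and an explicit Deny overrides any Allow."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_arn_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    acct = "1234567890123456"  # constructed account ID from the page's ARN example
    checks = [
        ("ecs:DescribeInstances", "acs:ecs:cn-hangzhou:%s:instance/i-123" % acct, {}),
        ("ecs:DescribeInstances", "acs:ecs:cn-beijing:%s:instance/i-123" % acct, {}),
        ("oss:GetObject", "acs:oss::%s:mybucket/file1.txt" % acct, {"acs:SourceIp": "42.120.66.7"}),
        ("oss:GetObject", "acs:oss::%s:mybucket/file1.txt" % acct, {"acs:SourceIp": "42.120.88.11"}),
        ("oss:GetObject", "acs:oss::%s:mybucket/file1.txt" % acct, {}),
    ]
    for action, resource, ctx in checks:
        print(action, resource, ctx, "->", evaluate(POLICY, action, resource, ctx))
```

Running the block prints the decision for each constructed request. The two things worth noticing are that the ECS Describe call is allowed with no source IP in the request context at all, because the IpAddress condition lives only in the OSS statement, and that a request in a region other than cn-hangzhou, or an unlisted action such as oss:PutObject, falls through to the implicit Deny.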