This topic describes the elements of policies that are used to define permissions in Alibaba Cloud Resource Access Management (RAM).
| Element | Description |
| --- | --- |
| Effect | Specifies whether the statement results in an explicit allow or an explicit deny. Valid values: Allow and Deny. |
| Action | Describes one or more API operations that are allowed or denied. |
| Resource | Specifies one or more objects that the statement covers. |
| Condition | Specifies the conditions that must be met for the statement to take effect. |
Rules for using policy elements
Effect
Valid values are Allow and Deny.
Note: If the policies that apply to a request contain both an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement. A request that matches no statement at all is denied by default, so an Allow is required before any operation succeeds.
Action
This element can contain one or more values. Valid values are the names of API operations of Alibaba Cloud services.
Note: In most cases, each Alibaba Cloud service has its own set of API operations. For more information, see Alibaba Cloud services that support RAM.
The syntax is <service-name>:<action-name>, where:
- service-name: the name of an Alibaba Cloud service, for example, oss, ecs, or rds
- action-name: one or more API operation names of that service. The asterisk (*) wildcard matches any run of characters, so ecs:Describe* covers every ECS operation whose name starts with Describe.
Example:
"Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"]
Resource
This element specifies one or more objects that the statement covers. The syntax is acs:<service-name>:<region>:<account-id>:<relative-id>, which is the format of an Alibaba Cloud Resource Name (ARN):
- acs: the abbreviation of Alibaba Cloud Service, which indicates the public cloud of Alibaba Cloud.
- service-name: the name of an Alibaba Cloud service.
- region: the region information. If the service does not support this element, use the asterisk (*) wildcard character.
- account-id: the Alibaba Cloud account ID, for example, 123456789012****. If no ID is required or available, use the asterisk (*) wildcard character.
- relative-id: the identifier of the service-related resource. The meaning of this element varies by service. The value can be a file path; for example, relative-id = "mybucket/dir1/object1.jpg" indicates an OSS object.
Example:
"Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002", "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"]
Note that acs:oss:*:*:mybucket covers the bucket itself while acs:oss:*:*:mybucket/* covers the objects inside it; a statement that must both list the bucket and read its objects needs both entries. Where a service does support the region and account-id segments, fill them in rather than using * so that the statement cannot match resources in other regions or accounts.
Condition
A condition block can contain one or more conditions. Each condition consists of a condition operator, one or more condition keys, and one or more values for each key. Matching follows three rules:
- You can specify one or more values for a condition key. The key is met if the value in the request matches any of the values.
- You can specify one or more condition keys under a single condition operator. The condition is met only if all of its keys are met.
- A condition block is met only if all of its conditions are met.
The condition operators are grouped into the following categories: string, numeric, date and time, Boolean, and IP address. The Boolean category has a single operator, Bool.
- The syntax of a common condition key is acs:<condition-key>. The common condition keys are:

| Common condition key | Category | Description |
| --- | --- | --- |
| acs:CurrentTime | Date and time | The time at which the web server receives the request. Specify the time in the ISO 8601 standard. |
| acs:SecureTransport | Boolean | Whether the request is sent over a secure channel, for example, HTTPS. |
| acs:SourceIp | IP address | The IP address of the client that sends the request. |
| acs:MFAPresent | Boolean | Whether multi-factor authentication (MFA) was used when the user logged on. |

Note: If you specify only one value for the acs:SourceIp key, the value must be an IP address, for example, 10.0.0.1. CIDR blocks, such as 10.0.0.1/32, cannot be used in that case.
- The syntax of a condition key that is specific to an Alibaba Cloud service is <service-name>:<condition-key>. Examples:

| Condition key specific to an Alibaba Cloud service | Alibaba Cloud service | Category | Description |
| --- | --- | --- | --- |
| ecs:tag/<tag-key> | ECS | String | The tag key of the ECS resource. The tag key is user-defined. |
| rds:ResourceTag/<tag-key> | RDS | String | The tag key of the RDS resource. The tag key is user-defined. |
| oss:Delimiter | OSS | String | The delimiter that is used to group object names. |
| oss:Prefix | OSS | String | The prefix of object names. |
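The following script is an added example and is not code from Alibaba Cloud: it evaluates a constructed Condition block against a constructed request context using the three matching rules above (any value for a key, all keys under an operator, all conditions in the block), and it flags the acs:SourceIp mistake noted above, a single value written as a CIDR block. Only four operators are implemented (StringEquals, Bool, IpAddress and DateGreaterThan, named as in the RAM operator reference); the condition values, timestamps and addresses are made up for illustration, and a key that is absent from the request is treated as not met.

```python
"""Evaluate a RAM Condition block against a request context.

Added example, not Alibaba Cloud's own code. Implements the three rules on
this page: a key is met if the request value matches ANY listed value, an
operator is met only if ALL of its keys are met, and the block is met only
if ALL of its operators are met. Only four operators are implemented.
"""
import ipaddress
from datetime import datetime

# Constructed condition block: values, networks and dates are illustrative.
CONDITION = {
    "IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "192.168.1.10"]},
    "Bool": {"acs:MFAPresent": "true", "acs:SecureTransport": "true"},
    "DateGreaterThan": {"acs:CurrentTime": "2024-01-01T00:00:00Z"},
    "StringEquals": {"oss:Prefix": ["dir1/", "public/"]},
}

# Constructed request context, as the service would present it to RAM.
REQUEST = {
    "acs:SourceIp": "10.20.30.40",
    "acs:MFAPresent": "true",
    "acs:SecureTransport": "true",
    "acs:CurrentTime": "2024-06-01T10:00:00Z",
    "oss:Prefix": "dir1/",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _parse_time(text):
    # ISO 8601; a trailing 'Z' means UTC (fromisoformat rejects it before 3.11)
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _key_met(operator, request_value, policy_values):
    """True if the request value satisfies ANY of the policy values."""
    if request_value is None:
        return False  # key absent from the request: condition not met
    if operator == "StringEquals":
        return any(request_value == v for v in policy_values)
    if operator == "Bool":
        return any(str(request_value).lower() == str(v).lower() for v in policy_values)
    if operator == "IpAddress":
        ip = ipaddress.ip_address(request_value)
        # a plain address such as 192.168.1.10 becomes a /32 network
        return any(ip in ipaddress.ip_network(v, strict=False) for v in policy_values)
    if operator == "DateGreaterThan":
        when = _parse_time(request_value)
        return any(when > _parse_time(v) for v in policy_values)
    raise ValueError(f"unsupported operator {operator}")


def condition_met(condition, request):
    """All operators must be met, and under each operator all keys must be met."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if not _key_met(operator, request.get(key), _as_list(values)):
                return False
    return True


def lint_source_ip(condition):
    """Flag the mistake called out on this page: when exactly one value is given
    for acs:SourceIp it must be a plain IP address, not a CIDR block.
    Returns a list of problems (empty when the block passes)."""
    problems = []
    for operator, keys in condition.items():
        values = keys.get("acs:SourceIp")
        if values is None:
            continue
        single = values if isinstance(values, str) else (values[0] if len(values) == 1 else None)
        if single is not None and "/" in single:
            problems.append(f"{operator}: single acs:SourceIp value {single!r} is a CIDR block; use a plain IP")
    return problems


if __name__ == "__main__":
    print("block met:", condition_met(CONDITION, REQUEST))
    print("without MFA:", condition_met(CONDITION, {**REQUEST, "acs:MFAPresent": "false"}))
    print("lint:", lint_source_ip({"IpAddress": {"acs:SourceIp": "10.0.0.1/32"}}))
```

Turning off MFA in the request fails the whole block even though acs:SecureTransport under the same Bool operator is still met, which is the "all keys" rule; a source address of 192.168.1.10 passes because it matches one of the two listed values, which is the "any value" rule.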