This topic describes how to configure the access method for RAM users and grant them permissions to call Cloud Control API operations. Proper management of RAM users reduces security risks and supports collaboration among multiple RAM users.
A Resource Access Management (RAM) user is a physical identity. You can create RAM users under an Alibaba Cloud account and grant permissions to each of them, so that different RAM users can access different resources. If multiple users in your enterprise need to access resources at the same time, create multiple RAM users and grant each one the minimum permissions it needs. This prevents users from sharing the username and password or AccessKey pair of the Alibaba Cloud account and reduces security risks.
Specify an access method
You can call Cloud Control API in the console or through OpenAPI. When you authorize a RAM user to call Cloud Control API, you must select an access method. The following table maps RAM user access methods to Cloud Control API calling modes:
Type | Access method | Calling mode | Scenarios |
Personnel accounts | Access Cloud Control API in the console | Call Cloud Control API in the console | Operate in the Cloud Control console |
Applications | Access Cloud Control API by an OpenAPI | Call Cloud Control API by OpenAPI operations | Call Cloud Control API operations by using an application |
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. If a RAM user represents an application, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud.
You can select an access method when you create a RAM user, or modify the access method of an existing RAM user. For more information, see Create a RAM user.
Call Cloud Control API operations in the console
The following example shows how to obtain details about VPC resources:
You can log on to the VPC console to view the details of a VPC.

Call Cloud Control API operations by using an application
The following Java code shows how to obtain details about a VPC resource.
package com.aliyun.sample;

import com.aliyun.cloudcontrol20220830.models.GetResourcesResponse;
import com.aliyun.tea.*;
import com.google.gson.Gson;

/*<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>cloudcontrol20220830</artifactId>
    <version>1.1.1</version>
</dependency>*/
public class Sample {
    public static com.aliyun.cloudcontrol20220830.Client createClient() throws Exception {
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                // The AccessKey ID and AccessKey secret are read from environment variables instead of being hard-coded.
                .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        config.endpoint = "cloudcontrol.aliyuncs.com";
        return new com.aliyun.cloudcontrol20220830.Client(config);
    }

    public static void main(String[] args_) throws Exception {
        com.aliyun.cloudcontrol20220830.Client client = Sample.createClient();
        String requestPath = "/api/v1/providers/Aliyun/products/VPC/resources/VPC/vpc-m5e6l4XXXXXXXX";
        com.aliyun.cloudcontrol20220830.models.GetResourcesRequest getResourcesRequest = new com.aliyun.cloudcontrol20220830.models.GetResourcesRequest()
                .setRegionId("cn-qingdao");
        com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
        java.util.Map<String, String> headers = new java.util.HashMap<>();
        try {
            GetResourcesResponse getResourcesResponse = client.getResourcesWithOptions(requestPath, getResourcesRequest, headers, runtime);
            System.out.println(new Gson().toJson(getResourcesResponse.getBody()));
        } catch (TeaException error) {
            // The error message.
            System.out.println(error.getMessage());
            // The URL that is used for troubleshooting, if the exception carries response data.
            if (error.getData() != null) {
                System.out.println(error.getData().get("Recommend"));
            }
            com.aliyun.teautil.Common.assertAsString(error.message);
        } catch (Exception _error) {
            TeaException error = new TeaException(_error.getMessage(), _error);
            // The error message.
            System.out.println(error.getMessage());
            // A wrapped local exception has no response data, so guard against null.
            if (error.getData() != null) {
                System.out.println(error.getData().get("Recommend"));
            }
            com.aliyun.teautil.Common.assertAsString(error.message);
        }
    }
}
Expected output:
{
  "resource": {
    "resourceId": "vpc-m5e6l4XXXXXXXX",
    "resourceAttributes": {
      "IsDefault": false,
      "Status": "Available",
      "Description": "",
      "ResourceGroupId": "rg-acfmyXXXXXXXX",
      "SecondaryCidrBlocks": [],
      "VSwitchIds": [
        "vsw-m5emwh9XXXXXXXX",
        "vsw-m5e7uotXXXXXXXX"
      ],
      "CreateTime": "2025-03-26T07:27:25Z",
      "CidrBlock": "1XX.XXX.X.X/XX",
      "RouterId": "vrt-m5e65XXXXXXXX",
      "UserCidrs": [],
      "VpcId": "vpc-m5e6lXXXXXXXX",
      "VpcName": "caf-qingdao-vpc",
      "RegionId": "cn-qingdao",
      "Ipv6CidrBlock": "",
      "Ipv6CidrBlocks": [
        {
          "Ipv6CidrBlock": ""
        }
      ],
      "Tags": [
        {
          "TagKey": "acs:XXXXXXXX",
          "TagValue": "sub:XXXXXXXX"
        }
      ]
    }
  },
  "requestId": "DDEF766D-C25E-51A8-9DF7-1AAF437B8260"
}
Grant permissions
When you call Cloud Control API as a RAM user, you must grant the RAM user permissions based on your business requirements. Policies are categorized into system policies and custom policies.
If you want to grant permissions to a RAM user, follow the principle of least privilege.
The following table describes the system policies.
Policy | Description | Scenario |
Permission to manage Cloud Control API. |
| |
Read-only access permission on Cloud Control API. |
|
If the system policies cannot meet your requirements, you can create custom policies. For more information, see Custom policies.
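One way to check a custom policy against the least-privilege guidance above before attaching it to a RAM user that represents an application. This is an added example, not Alibaba Cloud code: the sample policies are constructed, the action name cloudcontrol:GetResources is assumed from the GetResources operation shown earlier, and the Get/List/Describe prefix test is a heuristic for read-only actions.

```python
import json

# Constructed sample policies in the RAM policy document layout
# (Version / Statement / Effect / Action / Resource). The action name
# "cloudcontrol:GetResources" is an assumption derived from the
# GetResources operation; confirm real action names before use.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "cloudcontrol:*", "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudcontrol:GetResources"],
        "Resource": "*",
    }],
})

READ_PREFIXES = ("Get", "List", "Describe")  # heuristic, not an official list


def _as_list(value):
    """Action may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_json, read_only=True):
    """Return (statement index, item, reason) for over-broad Allow grants."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allows everything except the listed actions"))
        for action in _as_list(stmt.get("Action")):
            _service, _, operation = action.partition(":")
            if action == "*" or operation == "*":
                findings.append((idx, action, "wildcard action"))
            elif read_only and not operation.startswith(READ_PREFIXES):
                findings.append((idx, action, "write action on read-only identity"))
    return findings
```

An empty result from `audit_policy` means no Allow statement grants a wildcard or, for a read-only caller, a write-style action; it does not evaluate the Resource element.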