Cloud Shell: Authorization information

Last Updated: Dec 24, 2024

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM eliminates the need for you to share the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions. This topic describes the elements such as Action, Resource, and Condition that are defined by Cloud Shell. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate Cloud Shell is cloudshell.

General structure of a policy

Policies are stored as JSON files. The following code shows the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

  • Effect: specifies the authorization result. Valid values: Allow and Deny.

  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.

  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource.

  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.

    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.

    • Condition_key: specifies the condition keys.

    • Condition_value: specifies the condition values.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Cloud Shell. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform an operation. The following list describes the columns in the table:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.

  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.

| Operation | Feature | Resource type |
| --- | --- | --- |
| cloudshell:CreateEnvironment | Creates a Cloud Shell instance environment. | All Resources (*) |
| cloudshell:CreateSession | Creates a Cloud Shell session environment. | All Resources (*) |
| cloudshell:UploadFile | Uploads files from a local computer to Cloud Shell. | All Resources (*) |
| cloudshell:DownloadFile | Downloads files from Cloud Shell to a local computer. | All Resources (*) |
| cloudshell:AttachStorage | Binds a storage space to Cloud Shell. | All Resources (*) |
| cloudshell:DetachStorage | Unbinds a storage space from Cloud Shell. | All Resources (*) |

Condition

Cloud Shell does not define service-specific condition keys. For information about common condition keys that are defined by Alibaba Cloud, see Policy elements.
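
The following Python check is an added example, not part of the Alibaba Cloud documentation. It lints a RAM policy against the facts on this page: the six Action values, the All Resources (*) resource type, and the absence of Cloud Shell condition keys. The function names, the sample policies, the placeholder resource string and the cloudshell:Example key are constructed for illustration, and matching action names exactly as written in the table is an assumption.

```python
import json

# The six Action values from the table on this page.
CLOUDSHELL_ACTIONS = {"cloudshell:" + op for op in (
    "CreateEnvironment", "CreateSession", "UploadFile",
    "DownloadFile", "AttachStorage", "DetachStorage")}

def as_list(value):  # a policy element may be one string or a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_cloudshell_policy(policy_json):
    """Return findings for statements that name cloudshell: actions."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        actions = [a for a in as_list(stmt.get("Action"))
                   if a.lower().startswith("cloudshell:")]
        if not actions:
            continue  # statement does not name Cloud Shell explicitly
        for action in actions:
            if "*" in action:
                if stmt.get("Effect") == "Allow":  # also grants file transfer
                    findings.append(f"statement {i}: wildcard Allow {action}")
            elif action not in CLOUDSHELL_ACTIONS:
                findings.append(f"statement {i}: {action} is not in the table")
        # The table lists All Resources (*) for every operation.
        if as_list(stmt.get("Resource")) != ["*"]:
            findings.append(f"statement {i}: Resource is not \"*\"")
        # Cloud Shell defines no service-specific condition keys.
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if key.lower().startswith("cloudshell:"):
                    findings.append(f"statement {i}: no such condition key {key}")
    return findings

# Constructed sample policies (not from the page).
TIGHT = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudshell:CreateEnvironment", "cloudshell:CreateSession"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudshell:UploadFile", "cloudshell:DownloadFile"]}]})
LOOSE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "cloudshell:*",
     "Resource": "acs:cloudshell:*:*:example",  # constructed placeholder
     "Condition": {"StringEquals": {"cloudshell:Example": ["x"]}}}]})

if __name__ == "__main__":
    print(lint_cloudshell_policy(TIGHT), lint_cloudshell_policy(LOOSE))
```

TIGHT allows a user to open Cloud Shell while denying file upload and download; LOOSE shows the three mistakes the check reports. Statements whose Action is the bare "*" are outside the scope of this check.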

Related operations

You can attach a custom policy to a RAM user, RAM user group, or RAM role. Perform the following operations: