RAM authorization - Alibaba Cloud DNS - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Alibaba Cloud DNS for RAM permission policies. The RAM code (RamCode) for Alibaba Cloud DNS is alidns,pubdns,pvtz , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Alibaba Cloud DNS. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
alidns:DeleteDnsCacheDomain	DeleteDnsCacheDomain	delete	*CacheDomain `acs:alidns::{#accountId}:dnscache/{#DomainName}`	None	None
alidns:UpdateGtmMonitor	UpdateGtmMonitor	update	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeSupportLines	DescribeSupportLines	get	All Resource ``	None	None
alidns:UpdateDnsGtmMonitor	UpdateDnsGtmMonitor	update	MonitorConfig `acs:alidns::{#accountId}:gtminstance/{#InstanceId}`	None	None
alidns:DescribeRecordResolveStatisticsSummary	DescribeRecordResolveStatisticsSummary	list	Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeCloudGtmAddressReference	DescribeCloudGtmAddressReference	get	All Resource ``	None	None
alidns:ChangeDomainOfDnsProduct	ChangeDomainOfDnsProduct	update	All Resource ``	None	None
alidns:DescribeDnsGtmLogs	DescribeDnsGtmLogs	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:SetDomainDnssecStatus	SetDomainDnssecStatus	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDnsCacheDomains	DescribeDnsCacheDomains	get	CacheDomain `acs:alidns::{#accountId}:dnscache/`	None	None
alidns:UpdateCloudGtmInstanceConfigAlert	UpdateCloudGtmInstanceConfigAlert	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DeleteCloudGtmMonitorTemplate	DeleteCloudGtmMonitorTemplate	delete	All Resource ``	None	None
alidns:DeleteDnsGtmAddressPool	DeleteDnsGtmAddressPool	delete	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:UpdateDomainRemark	UpdateDomainRemark	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDnsGtmInstance	DescribeDnsGtmInstance	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeGtmMonitorConfig	DescribeGtmMonitorConfig	get	*gtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:UnbindInstanceDomains	UnbindInstanceDomains	update	Instance `acs:alidns::{#accountId}:instance/{#InstanceId}` Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:UpdateCloudGtmAddressRemark	UpdateCloudGtmAddressRemark	update	All Resource ``	None	None
alidns:ListCloudGtmAvailableAlertGroups	ListCloudGtmAvailableAlertGroups	list	All Resource ``	None	None
alidns:UpdateCloudGtmInstanceName	UpdateCloudGtmInstanceName	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeCustomLine	DescribeCustomLine	get	Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDohUserInfo	DescribeDohUserInfo	get	All Resource ``	None	None
alidns:UpdateDomainGroup	UpdateDomainGroup	update	*group `acs:alidns::{#accountId}:group/{#groupId}`	None	None
alidns:AddDomainRecord	AddDomainRecord	create	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:SwitchDnsGtmInstanceStrategyMode	SwitchDnsGtmInstanceStrategyMode		*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:UpdateCloudGtmAddressPoolRemark	UpdateCloudGtmAddressPoolRemark	update	All Resource ``	None	None
alidns:UpdateDnsGtmAddressPool	UpdateDnsGtmAddressPool	update	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:UpdateGtmInstanceGlobalConfig	UpdateGtmInstanceGlobalConfig	update	*gtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:SetDnsGtmMonitorStatus	SetDnsGtmMonitorStatus	update	MonitorConfig `acs:alidns::{#accountId}:gtminstance/{#InstanceId}`	None	None
alidns:AddDnsGtmAddressPool	AddDnsGtmAddressPool	create	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeIspFlushCacheTasks	DescribeIspFlushCacheTasks	list	All Resource ``	None	None
alidns:AddDnsGtmMonitor	AddDnsGtmMonitor	create	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:UpdateGtmRecoveryPlan	UpdateGtmRecoveryPlan	update	All Resource ``	None	None
alidns:DescribeInstanceDomains	DescribeInstanceDomains	get	*instance `acs:alidns::{#accountId}:instance/{#instanceId}`	None	None
alidns:DescribeCloudGtmAddress	DescribeCloudGtmAddress	get	All Resource ``	None	None
alidns:ListCloudGtmMonitorNodes	ListCloudGtmMonitorNodes	list	All Resource ``	None	None
alidns:ListCloudGtmAddresses	ListCloudGtmAddresses	list	All Resource ``	None	None
alidns:UpdateCloudGtmAddressPoolEnableStatus	UpdateCloudGtmAddressPoolEnableStatus	update	All Resource ``	None	None
alidns:ListTagResources	ListTagResources	get	All Resource ``	None	None
alidns:GetTxtRecordForVerify	GetTxtRecordForVerify	get	All Resource ``	None	None
alidns:ListCloudGtmInstances	ListCloudGtmInstances	list	All Resource ``	None	None
alidns:RetrieveDomain	RetrieveDomain	none	All Resource ``	None	None
alidns:DescribeSubDomainRecords	DescribeSubDomainRecords	get	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:UpdateCloudGtmInstanceConfigBasic	UpdateCloudGtmInstanceConfigBasic	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeDomainGroups	DescribeDomainGroups	get	All Resource ``	None	None
alidns:UpdateCloudGtmGlobalAlert	UpdateCloudGtmGlobalAlert	update	All Resource ``	None	None
alidns:AddDnsCacheDomain	AddDnsCacheDomain	create	CacheDomain `acs:alidns::{#accountId}:dnscache/`	None	None
alidns:DescribeGtmInstanceSystemCname	DescribeGtmInstanceSystemCname	get	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:UpdateCloudGtmMonitorTemplateRemark	UpdateCloudGtmMonitorTemplateRemark	update	All Resource ``	None	None
alidns:DescribeDohDomainStatistics	DescribeDohDomainStatistics	get	All Resource ``	alidns:test	None
alidns:UpdateCloudGtmAddressPoolLbStrategy	UpdateCloudGtmAddressPoolLbStrategy	update	All Resource ``	None	None
alidns:ListCloudGtmAlertLogs	ListCloudGtmAlertLogs	list	All Resource ``	None	None
alidns:DescribeDNSSLBSubDomains	DescribeDNSSLBSubDomains	get	*domain `acs:alidns::{#accountId}:domain/{#domainId}`	None	None
alidns:DescribeDnsGtmAddressPoolAvailableConfig	DescribeDnsGtmAddressPoolAvailableConfig	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeDnsProductInstance	DescribeDnsProductInstance	get	*instance `acs:alidns::{#accountId}:instance/{#instanceId}`	None	None
alidns:DescribeDohSubDomainStatistics	DescribeDohSubDomainStatistics	get	All Resource ``	None	None
alidns:UpdateGtmAddressPool	UpdateGtmAddressPool	update	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DeleteGtmAddressPool	DeleteGtmAddressPool	delete	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:TagResources	TagResources	update	All Resource ``	None	None
alidns:DescribeGtmAccessStrategy	DescribeGtmAccessStrategy	get	All Resource ``	None	None
alidns:DescribeGtmLogs	DescribeGtmLogs	get	All Resource ``	None	None
alidns:DescribeDomainInfo	DescribeDomainInfo	get	All Resource ``	None	None
alidns:UpdateIspFlushCacheInstanceConfig	UpdateIspFlushCacheInstanceConfig	update	All Resource ``	None	None
alidns:DescribeDnsGtmAccessStrategyAvailableConfig	DescribeDnsGtmAccessStrategyAvailableConfig	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeCloudGtmAddressPool	DescribeCloudGtmAddressPool	get	All Resource ``	None	None
alidns:DescribeInternetDnsLogs	DescribeInternetDnsLogs	get	All Resource ``	None	None
alidns:DescribeDnsGtmInstances	DescribeDnsGtmInstances	get	All Resource ``	None	None
alidns:UpdateCloudGtmInstanceConfigEnableStatus	UpdateCloudGtmInstanceConfigEnableStatus	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:CreateCloudGtmMonitorTemplate	CreateCloudGtmMonitorTemplate	create	All Resource ``	None	None
alidns:SearchCloudGtmAddressPools	SearchCloudGtmAddressPools	list	All Resource ``	None	None
alidns:UpdateCloudGtmAddressPoolBasicConfig	UpdateCloudGtmAddressPoolBasicConfig	update	All Resource ``	None	None
alidns:UpdateDnsCacheDomainRemark	UpdateDnsCacheDomainRemark	update	*CacheDomain `acs:alidns::{#accountId}:dnscache/{#DomainName}`	None	None
alidns:AddDomain	AddDomain	create	All Resource ``	None	None
alidns:DescribeDnsGtmAvailableAlertGroup	DescribeDnsGtmAvailableAlertGroup	get	All Resource ``	None	None
alidns:CopyGtmConfig	CopyGtmConfig		All Resource ``	None	None
alidns:DeleteCloudGtmInstanceConfig	DeleteCloudGtmInstanceConfig	delete	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeCloudGtmSystemLines	DescribeCloudGtmSystemLines	list	All Resource ``	None	None
alidns:CreateCloudGtmInstanceConfig	CreateCloudGtmInstanceConfig	create	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DeleteDnsGtmAccessStrategy	DeleteDnsGtmAccessStrategy	delete	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeDnsGtmInstanceStatus	DescribeDnsGtmInstanceStatus	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DeleteCloudGtmAddressPool	DeleteCloudGtmAddressPool	delete	All Resource ``	None	None
alidns:DescribeDohSubDomainStatisticsSummary	DescribeDohSubDomainStatisticsSummary	get	All Resource ``	None	None
alidns:SetDNSSLBStatus	SetDNSSLBStatus	update	*domain `acs:alidns::{#accountId}:domain/{#domainId}`	None	None
alidns:ListCloudGtmInstanceConfigs	ListCloudGtmInstanceConfigs	list	All Resource ``	None	None
alidns:DescribeCloudGtmMonitorTemplate	DescribeCloudGtmMonitorTemplate	get	All Resource ``	None	None
alidns:SearchCloudGtmInstances	SearchCloudGtmInstances	get	All Resource ``	None	None
alidns:DeleteDomainGroup	DeleteDomainGroup	delete	*group `acs:alidns::{#accountId}:group/{#groupId}`	None	None
alidns:DescribeRecordLogs	DescribeRecordLogs	get	Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:CreateCloudGtmAddress	CreateCloudGtmAddress	create	All Resource ``	None	None
alidns:SetDomainRecordStatus	SetDomainRecordStatus	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeCloudGtmSummary	DescribeCloudGtmSummary	get	All Resource ``	None	None
alidns:AddDnsGtmAccessStrategy	AddDnsGtmAccessStrategy	create	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:CreateCloudGtmAddressPool	CreateCloudGtmAddressPool	create	All Resource ``	None	None
alidns:DescribeCloudGtmGlobalAlert	DescribeCloudGtmGlobalAlert	get	All Resource ``	None	None
alidns:DescribeDnsGtmAccessStrategies	DescribeDnsGtmAccessStrategies	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:BindInstanceDomains	BindInstanceDomains	update	All Resource ``	None	None
alidns:DescribeIspFlushCacheInstances	DescribeIspFlushCacheInstances	list	All Resource ``	None	None
alidns:SearchCloudGtmInstanceConfigs	SearchCloudGtmInstanceConfigs	list	All Resource ``	None	None
alidns:UpdateCustomLine	UpdateCustomLine	update	Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeBatchResultDetail	DescribeBatchResultDetail	get	All Resource ``	None	None
alidns:DescribeDohDomainStatisticsSummary	DescribeDohDomainStatisticsSummary	get	All Resource ``	None	None
alidns:SearchCloudGtmMonitorTemplates	SearchCloudGtmMonitorTemplates	list	All Resource ``	None	None
alidns:AddGtmAccessStrategy	AddGtmAccessStrategy	create	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#gtminstanceId}`	None	None
alidns:DescribeDomainLogs	DescribeDomainLogs	get	All Resource ``	None	None
alidns:DeleteDomain	DeleteDomain	delete	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:DescribeDnsGtmInstanceAddressPools	DescribeDnsGtmInstanceAddressPools	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeCustomLines	DescribeCustomLines	get	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:DescribeDomainRecordInfo	DescribeDomainRecordInfo	get	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDomains	DescribeDomains	get	All Resource ``	None	None
alidns:DeleteSubDomainRecords	DeleteSubDomainRecords	delete	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:DeleteCloudGtmAddress	DeleteCloudGtmAddress	delete	All Resource ``	None	None
alidns:AddGtmRecoveryPlan	AddGtmRecoveryPlan	create	All Resource ``	None	None
alidns:UpdateGtmAccessStrategy	UpdateGtmAccessStrategy	update	*gtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:ListCloudGtmAddressPools	ListCloudGtmAddressPools	list	All Resource ``	None	None
alidns:DescribeTags	DescribeTags	get	All Resource ``	None	None
alidns:MoveDomainResourceGroup	MoveDomainResourceGroup	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:SetGtmAccessMode	SetGtmAccessMode	update	*gtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:UntagResources	UntagResources	update	All Resource ``	None	None
alidns:UpdateCloudGtmAddressEnableStatus	UpdateCloudGtmAddressEnableStatus	update	All Resource ``	None	None
alidns:AddGtmMonitor	AddGtmMonitor	create	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#gtminstanceId}`	None	None
alidns:UpdateCloudGtmInstanceConfigLbStrategy	UpdateCloudGtmInstanceConfigLbStrategy	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:UpdateDnsGtmAccessStrategy	UpdateDnsGtmAccessStrategy	update	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeIspFlushCacheTask	DescribeIspFlushCacheTask	get	All Resource ``	None	None
alidns:UpdateCloudGtmInstanceConfigRemark	UpdateCloudGtmInstanceConfigRemark	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:UpdateDNSSLBWeight	UpdateDNSSLBWeight	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDnsGtmInstanceSystemCname	DescribeDnsGtmInstanceSystemCname	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:AddRspDomainServerHoldStatusForGateway	AddRspDomainServerHoldStatusForGateway	update	All Resource ``	None	None
alidns:DescribeDomainDnssecInfo	DescribeDomainDnssecInfo	get	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:DescribeTransferDomains	DescribeTransferDomains	get	All Resource ``	None	None
alidns:DescribeDnsGtmMonitorAvailableConfig	DescribeDnsGtmMonitorAvailableConfig	get	All Resource ``	None	None
alidns:DeleteDomainRecord	DeleteDomainRecord	delete	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:DescribeDomainStatisticsSummary	DescribeDomainStatisticsSummary	get	All Resource ``	None	None
alidns:DescribeIspFlushCacheRemainQuota	DescribeIspFlushCacheRemainQuota	get	All Resource ``	None	None
alidns:ReplaceCloudGtmInstanceConfigAddressPool	ReplaceCloudGtmInstanceConfigAddressPool	update	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeGtmInstances	DescribeGtmInstances	get	All Resource ``	None	None
alidns:PreviewGtmRecoveryPlan	PreviewGtmRecoveryPlan	get	All Resource ``	None	None
alidns:ListCloudGtmMonitorTemplates	ListCloudGtmMonitorTemplates	list	All Resource ``	None	None
alidns:ReplaceCloudGtmAddressPoolAddress	ReplaceCloudGtmAddressPoolAddress	update	All Resource ``	None	None
alidns:SetGtmMonitorStatus	SetGtmMonitorStatus	update	*gtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeDnsGtmMonitorConfig	DescribeDnsGtmMonitorConfig	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeDomainRecords	DescribeDomainRecords	get	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDomainStatistics	DescribeDomainStatistics	get	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:UpdateDnsGtmInstanceGlobalConfig	UpdateDnsGtmInstanceGlobalConfig	update	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:ChangeDomainGroup	ChangeDomainGroup	update	domain `acs:alidns::{#accountId}:domain/{#domainName}` group `acs:alidns::{#accountId}:group/{#groupId}`	None	None
alidns:DescribeCloudGtmAddressPoolReference	DescribeCloudGtmAddressPoolReference	get	All Resource ``	None	None
alidns:DescribeDomainResolveStatisticsSummary	DescribeDomainResolveStatisticsSummary	list	All Resource ``	None	None
alidns:TransferDomain	TransferDomain	update	All Resource ``	None	None
alidns:DeleteCustomLines	DeleteCustomLines	delete	*domain `acs:alidns::{#accountId}:domain/{#domainName}`	None	None
alidns:AddCustomLine	AddCustomLine	create	*domain `acs:alidns::{#accountId}:domain/{#domainId}`	None	None
alidns:UpdateCloudGtmAddressManualAvailableStatus	UpdateCloudGtmAddressManualAvailableStatus	update	All Resource ``	None	None
alidns:DescribeDnsGtmInstanceAddressPool	DescribeDnsGtmInstanceAddressPool	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
alidns:DescribeCloudGtmInstanceConfigFullInfo	DescribeCloudGtmInstanceConfigFullInfo	get	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeDnsGtmAddrAttributeInfo	DescribeDnsGtmAddrAttributeInfo	get	All Resource ``	None	None
alidns:DescribeCloudGtmInstanceConfigAlert	DescribeCloudGtmInstanceConfigAlert	get	All Resource ``	None	None
alidns:DescribeGtmRecoveryPlans	DescribeGtmRecoveryPlans	get	All Resource ``	None	None
alidns:ValidateDnsGtmCnameRrCanUse	ValidateDnsGtmCnameRrCanUse		GtmInstance `acs:alidns::{#accountId}:gtminstance/{#InstanceId}`	None	None
alidns:DescribeBatchResultCount	DescribeBatchResultCount	get	All Resource ``	None	None
alidns:ModifyHichinaDomainDNS	ModifyHichinaDomainDNS	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:RemoveRspDomainServerHoldStatusForGateway	RemoveRspDomainServerHoldStatusForGateway	update	All Resource ``	None	None
alidns:UpdateRspDomainServerProhibitStatusForGateway	UpdateRspDomainServerProhibitStatusForGateway	update	All Resource ``	None	None
alidns:UpdateCloudGtmMonitorTemplate	UpdateCloudGtmMonitorTemplate	update	All Resource ``	None	None
alidns:UpdateDomainRecord	UpdateDomainRecord	update	*domain `acs:alidns::{#accountId}:domain/{#domainId}`	None	None
alidns:DescribeDnsProductInstances	DescribeDnsProductInstances	get	Instance `acs:alidns::{#accountId}:instance/*`	None	None
alidns:UpdateDnsCacheDomain	UpdateDnsCacheDomain	update	*CacheDomain `acs:alidns::{#accountId}:dnscache/{#DomainName}`	None	None
alidns:DescribeGtmInstanceStatus	DescribeGtmInstanceStatus	get	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:AddDomainBackup	AddDomainBackup	create	*domain `acs:alidns::{#accountId}:domain/{#domainId}`	None	None
alidns:DescribeGtmAccessStrategyAvailableConfig	DescribeGtmAccessStrategyAvailableConfig	get	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeGtmInstanceAddressPools	DescribeGtmInstanceAddressPools	get	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:SetDnsGtmAccessMode	SetDnsGtmAccessMode	update	AccessStrategy `acs:alidns::{#accountId}:gtminstance/{#InstanceId}`	None	None
alidns:DescribeGtmInstanceAddressPool	DescribeGtmInstanceAddressPool	get	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeGtmRecoveryPlanAvailableConfig	DescribeGtmRecoveryPlanAvailableConfig	get	All Resource ``	None	None
alidns:ExecuteGtmRecoveryPlan	ExecuteGtmRecoveryPlan		All Resource ``	None	None
alidns:SubmitIspFlushCacheTask	SubmitIspFlushCacheTask	create	All Resource ``	None	None
alidns:DescribeGtmMonitorAvailableConfig	DescribeGtmMonitorAvailableConfig	get	All Resource ``	None	None
alidns:MoveGtmResourceGroup	MoveGtmResourceGroup		*gtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeGtmRecoveryPlan	DescribeGtmRecoveryPlan	get	All Resource ``	None	None
alidns:DescribeGtmInstance	DescribeGtmInstance	get	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:RollbackGtmRecoveryPlan	RollbackGtmRecoveryPlan		All Resource ``	None	None
alidns:OperateBatchDomain	OperateBatchDomain	create	All Resource ``	None	None
alidns:DescribeGtmAccessStrategies	DescribeGtmAccessStrategies	get	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:UpdateDomainRecordRemark	UpdateDomainRecordRemark	update	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DescribeDohAccountStatistics	DescribeDohAccountStatistics	get	All Resource ``	None	None
alidns:SearchCloudGtmAddresses	SearchCloudGtmAddresses	list	All Resource ``	None	None
alidns:DescribeGtmAvailableAlertGroup	DescribeGtmAvailableAlertGroup	get	All Resource ``	None	None
alidns:AddGtmAddressPool	AddGtmAddressPool	create	*gtminstance `acs:alidns::{#accountId}:gtminstance/{#gtminstanceId}`	None	None
alidns:DeleteGtmRecoveryPlan	DeleteGtmRecoveryPlan	delete	All Resource ``	None	None
alidns:DescribeRecordStatisticsSummary	DescribeRecordStatisticsSummary	get	*Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:DeleteGtmAccessStrategy	DeleteGtmAccessStrategy	delete	*GtmInstance `acs:alidns::{#accountId}:gtminstance/{#instanceId}`	None	None
alidns:DescribeRecordStatistics	DescribeRecordStatistics	get	Domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:UpdateCloudGtmAddress	UpdateCloudGtmAddress	update	All Resource ``	None	None
alidns:GetMainDomainName	GetMainDomainName	get	All Resource ``	None	None
alidns:DescribeDomainNs	DescribeDomainNs	get	*domain `acs:alidns::{#accountId}:domain/{#DomainName}`	None	None
alidns:AddDomainGroup	AddDomainGroup	create	All Resource ``	None	None
alidns:DescribeDnsGtmAccessStrategy	DescribeDnsGtmAccessStrategy	get	*gtmInstance `acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId}`	None	None
pubdns:DescribePdnsRequestStatistic	DescribePdnsRequestStatistic	get	All Resource ``	None	None
pubdns:DeleteRecursionZone	DeleteRecursionZone	delete	*recursionZone `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:AddRecursionZone	AddRecursionZone	create	All Resource ``	None	None
pubdns:DescribeRecursionRecord	DescribeRecursionRecord	get	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:UpdateRecursionRecordWeightEnableStatus	UpdateRecursionRecordWeightEnableStatus	update	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribeRecursionZone	DescribeRecursionZone	get	*recursionZone `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:ListRecursionZones	ListRecursionZones	list	All Resource ``	None	None
pubdns:UpdateRecursionZoneProxyPattern	UpdateRecursionZoneProxyPattern	update	*recursionZone `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:UpdateRecursionRecord	UpdateRecursionRecord	update	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:UpdateRecursionRecordRemark	UpdateRecursionRecordRemark	update	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribePdnsAppKeys	DescribePdnsAppKeys	get	All Resource ``	None	None
pubdns:UpdateAppKeyState	UpdateAppKeyState	update	All Resource ``	None	None
pubdns:PausePdnsService	PausePdnsService	update	All Resource ``	None	None
pubdns:RemovePdnsAppKey	RemovePdnsAppKey	delete	All Resource ``	None	None
pubdns:UpdateRecursionRecordEnableStatus	UpdateRecursionRecordEnableStatus	update	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribePdnsUdpIpSegments	DescribePdnsUdpIpSegments	get	All Resource ``	None	None
pubdns:UpdateRecursionZoneEffectiveScope	UpdateRecursionZoneEffectiveScope	update	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:CreatePdnsUdpIpSegment	CreatePdnsUdpIpSegment	create	All Resource ``	None	None
pubdns:AddRecursionRecord	AddRecursionRecord	create	*recursionZone `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribePdnsRequestStatistics	DescribePdnsRequestStatistics	get	All Resource ``	None	None
pubdns:SearchRecursionRecords	SearchRecursionRecords	list	*recursion `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:ListRecursionRecords	ListRecursionRecords	list	*recursion `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribePdnsThreatLogs	DescribePdnsThreatLogs	get	All Resource ``	None	None
pubdns:ResumePdnsService	ResumePdnsService	update	All Resource ``	None	None
pubdns:DescribePdnsThreatStatistic	DescribePdnsThreatStatistic	get	All Resource ``	None	None
pubdns:DeleteRecursionRecord	DeleteRecursionRecord	delete	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribePdnsAccountSummary	DescribePdnsAccountSummary	get	All Resource ``	None	None
pubdns:DescribePdnsUserInfo	DescribePdnsUserInfo	get	All Resource ``	None	None
pubdns:DescribePdnsAppKey	DescribePdnsAppKey	get	All Resource ``	None	None
pubdns:CreatePdnsAppKey	CreatePdnsAppKey	create	All Resource ``	None	None
pubdns:SearchRecursionZones	SearchRecursionZones	list	All Resource ``	None	None
pubdns:ValidatePdnsUdpIpSegment	ValidatePdnsUdpIpSegment	none	All Resource ``	None	None
pubdns:DescribePdnsThreatStatistics	DescribePdnsThreatStatistics	get	All Resource ``	None	None
pubdns:UpdateRecursionZoneRemark	UpdateRecursionZoneRemark	update	*recursionZone `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:RemovePdnsUdpIpSegment	RemovePdnsUdpIpSegment	delete	All Resource ``	None	None
pubdns:UpdateRecursionRecordWeight	UpdateRecursionRecordWeight	update	*recursionRecord `acs:pubdns::{#accountId}:recursionZone/{#zoneId}`	None	None
pubdns:DescribePdnsOperateLogs	DescribePdnsOperateLogs	get	All Resource ``	None	None

Resource

The following table lists the resources defined by Alibaba Cloud DNS. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
CacheDomain	acs:alidns::{#accountId}:dnscache/{#DomainName} acs:alidns::{#accountId}:dnscache/*
gtmInstance	acs:alidns::{#accountId}:gtmInstance/{#gtmInstanceId} acs:alidns::{#accountId}:gtminstance/{#instanceId} acs:alidns::{#accountId}:gtmInstance/*
MonitorConfig	acs:alidns:*:{#accountId}:gtminstance/{#InstanceId}
Domain	acs:alidns::{#accountId}:domain/{#DomainName} acs:alidns::{#accountId}:domain/{#DomainName} acs:alidns::{#accountId}:flushcache/* acs:alidns::{#accountId}:domain/ acs:alidns::{#accountId}:domain/* acs:eiam:{#regionId}:{#accountId}:flushcache/*
cloudGtmAddress	acs:alidns::{#accountId}:cloudGtmAddress/{#addressId} acs:alidns::{#accountId}:cloudGtmAddress/*
GtmInstance	acs:alidns::{#accountId}:gtminstance/{#instanceId} acs:alidns::{#accountId}:gtminstance/* acs:alidns:*:{#accountId}:gtminstance/{#InstanceId}
cloudGtmMonitorTemplate	acs:alidns::{#accountId}:cloudGtmMonitorTemplate/{#templateId} acs:alidns::{#accountId}:cloudGtmMonitorTemplate/*
Instance	acs:alidns::{#accountId}:instance/{#InstanceId} acs:alidns::{#accountId}:instance/*
doh	acs:alidns::{#accountId}:doh/*
group	acs:alidns::{#accountId}:group/{#groupId} acs:alidns::{#accountId}:group/ acs:alidns::{#accountId}:group/*
domain	acs:alidns::{#accountId}:domain/{#domainName} acs:alidns::{#accountId}:domain/* acs:alidns::{#accountId}:domain/{#domainId} acs:alidns::{#accountId}:domain/{#$domainName}
cloudGtmAddressPool	acs:alidns::{#accountId}:cloudGtmAddressPool/{#addressPoolId} acs:alidns::{#accountId}:cloudGtmAddressPool/{#addressId}
instance	acs:alidns::{#accountId}:instance/{#instanceId}
gtminstance	acs:alidns::{#accountId}:gtminstance/{#instanceId} acs:alidns::{#accountId}:gtminstance/* acs:alidns::{#accountId}:gtminstance/{#gtminstanceId}
gtmInstnace	acs:alidns::{#accountId}:gtmInstnace/
AccessStrategy	acs:alidns:*:{#accountId}:gtminstance/{#InstanceId}
recursionZone	acs:pubdns::{#accountId}:recursionZone/{#zoneId} acs:pubdns::{#accountId}:recursionZone/*
recursionRecord	acs:pubdns::{#accountId}:recursionZone/{#zoneId}
recursion	acs:pubdns::{#accountId}:recursionZone/* acs:pubdns::{#accountId}:recursionZone/{#zoneId}

Condition

Alibaba Cloud DNS does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: