RAM authorization - Elastic High Performance Computing - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Elastic High Performance Computing for RAM permission policies. The RAM code (RamCode) for Elastic High Performance Computing is ehpc , and the supported authorization granularity is OPERATION .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Elastic High Performance Computing. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
ehpc:ModifyClusterAttributes	ModifyClusterAttributes	update	All Resource ``	None	None
ehpc:ListSecurityGroups	ListSecurityGroups		All Resource ``	None	None
ehpc:ResetNodes	ResetNodes	update	All Resource ``	None	None
ehpc:StopCluster	StopCluster	update	All Resource ``	None	None
ehpc:ListJobTemplates	ListJobTemplates		All Resource ``	None	None
ehpc:ListTasks	ListTasks		All Resource ``	None	None
ehpc:SubmitServerlessJob	SubmitServerlessJob		All Resource ``	None	None
ehpc:GetCloudMetricLogs	GetCloudMetricLogs		All Resource ``	None	None
ehpc:ListUsers	ListUsers		All Resource ``	None	None
ehpc:ListImages	ListImages		All Resource ``	None	None
ehpc:QueryServicePackAndPrice	QueryServicePackAndPrice		All Resource ``	None	None
ehpc:ListJobsWithFilters	ListJobsWithFilters		All Resource ``	None	None
ehpc:DescribeServerlessJobs	DescribeServerlessJobs		All Resource ``	None	None
ehpc:ListAvailableEcsTypes	ListAvailableEcsTypes		All Resource ``	None	None
ehpc:InvokeShellCommand	InvokeShellCommand	create	All Resource ``	None	None
ehpc:TagResources	TagResources		All Resource ``	None	None
ehpc:SetAutoScaleConfig	SetAutoScaleConfig		All Resource ``	None	None
ehpc:DescribeImagePrice	DescribeImagePrice		All Resource ``	None	None
ehpc:ListUpgradeClients	ListUpgradeClients		All Resource ``	None	None
ehpc:GetAutoScaleConfig	GetAutoScaleConfig		All Resource ``	None	None
ehpc:ListCloudMetricProfilings	ListCloudMetricProfilings		All Resource ``	None	None
ehpc:SubmitJob	SubmitJob	create	All Resource ``	None	None
ehpc:ListJobs	ListJobs		All Resource ``	None	None
ehpc:GetClusterVolumes	GetClusterVolumes		All Resource ``	None	None
ehpc:ListInvocationStatus	ListInvocationStatus		All Resource ``	None	None
ehpc:ListInstalledSoftware	ListInstalledSoftware		All Resource ``	None	None
ehpc:AddQueue	AddQueue	create	All Resource ``	None	None
ehpc:SetPostScripts	SetPostScripts		All Resource ``	None	None
ehpc:RecoverCluster	RecoverCluster		All Resource ``	None	None
ehpc:GetHybridClusterConfig	GetHybridClusterConfig		All Resource ``	None	None
ehpc:ListPreferredEcsTypes	ListPreferredEcsTypes		All Resource ``	None	None
ehpc:ListCurrentClientVersion	ListCurrentClientVersion		All Resource ``	None	None
ehpc:UpgradeClient	UpgradeClient		All Resource ``	None	None
ehpc:ListCommunityImages	ListCommunityImages		All Resource ``	None	None
ehpc:ListCommands	ListCommands		All Resource ``	None	None
ehpc:UninstallSoftware	UninstallSoftware		All Resource ``	None	None
ehpc:StartNodes	StartNodes	update	All Resource ``	None	None
ehpc:GetPostScripts	GetPostScripts		All Resource ``	None	None
ehpc:ListUsersAsync	ListUsersAsync		All Resource ``	None	None
ehpc:StartVisualService	StartVisualService		All Resource ``	None	None
ehpc:ListFileSystemWithMountTargets	ListFileSystemWithMountTargets		All Resource ``	None	None
ehpc:GetAccountingReport	GetAccountingReport		All Resource ``	None	None
ehpc:GetIfEcsTypeSupportHtConfig	GetIfEcsTypeSupportHtConfig		All Resource ``	None	None
ehpc:StopVisualService	StopVisualService		All Resource ``	None	None
ehpc:DescribePrice	DescribePrice		All Resource ``	None	None
ehpc:ModifyVisualServicePasswd	ModifyVisualServicePasswd		All Resource ``	None	None
ehpc:GetJobLog	GetJobLog		All Resource ``	None	None
ehpc:InstallSoftware	InstallSoftware	update	All Resource ``	None	None
ehpc:StopServerlessJobs	StopServerlessJobs		All Resource ``	None	None
ehpc:UnTagResources	UnTagResources		All Resource ``	None	None
ehpc:UpdateQueueConfig	UpdateQueueConfig		All Resource ``	None	None
ehpc:CreateJobTemplate	CreateJobTemplate		All Resource ``	None	None
ehpc:ListVolumes	ListVolumes		All Resource ``	None	None
ehpc:AddUsers	AddUsers	create	All Resource ``	None	None
ehpc:ListClusters	ListClusters		All Resource ``	None	None
ehpc:StopJobs	StopJobs		All Resource ``	None	None
ehpc:DescribeJob	DescribeJob		All Resource ``	None	None
ehpc:ListClusterLogs	ListClusterLogs		All Resource ``	None	None
ehpc:DeleteNodes	DeleteNodes	delete	All Resource ``	None	None
ehpc:DeleteJobTemplates	DeleteJobTemplates		All Resource ``	None	None
ehpc:EditJobTemplate	EditJobTemplate		All Resource ``	None	None
ehpc:CreateHybridCluster	CreateHybridCluster		All Resource ``	None	None
ehpc:ListNodesNoPaging	ListNodesNoPaging		All Resource ``	None	None
ehpc:SetQueue	SetQueue	update	All Resource ``	None	None
ehpc:GetSchedulerInfo	GetSchedulerInfo		All Resource ``	None	None
ehpc:ListSoftwares	ListSoftwares		All Resource ``	None	None
ehpc:RunCloudMetricProfiling	RunCloudMetricProfiling		All Resource ``	None	None
ehpc:DeleteUsers	DeleteUsers	delete	All Resource ``	None	None
ehpc:StopNodes	StopNodes	update	All Resource ``	None	None
ehpc:GetVisualServiceStatus	GetVisualServiceStatus		All Resource ``	None	None
ehpc:DeleteQueue	DeleteQueue	delete	All Resource ``	None	None
ehpc:DescribeAutoScaleConfig	DescribeAutoScaleConfig		All Resource ``	None	None
ehpc:AddLocalNodes	AddLocalNodes		All Resource ``	None	None
ehpc:DeleteJobs	DeleteJobs	delete	All Resource ``	None	None
ehpc:DeleteCluster	DeleteCluster	delete	All Resource ``	None	None
ehpc:CreateCluster	CreateCluster		All Resource ``	None	None
ehpc:AddExistedNodes	AddExistedNodes		All Resource ``	None	None
ehpc:ListTagResources	ListTagResources		All Resource ``	None	None
ehpc:DescribeCluster	DescribeCluster		All Resource ``	None	None
ehpc:GetCloudMetricProfiling	GetCloudMetricProfiling		All Resource ``	None	None
ehpc:ApplyNodes	ApplyNodes		All Resource ``	None	None
ehpc:ListCustomImages	ListCustomImages		All Resource ``	None	None
ehpc:UpdateClusterVolumes	UpdateClusterVolumes		All Resource ``	None	None
ehpc:RerunJobs	RerunJobs		All Resource ``	None	None
ehpc:InitializeEHPC	InitializeEHPC		All Resource ``	None	None
ehpc:ListNodesByQueue	ListNodesByQueue		All Resource ``	None	None
ehpc:AddSecurityGroup	AddSecurityGroup		All Resource ``	None	None
ehpc:ListQueues	ListQueues		All Resource ``	None	None
ehpc:ListInvocationResults	ListInvocationResults		All Resource ``	None	None
ehpc:StartCluster	StartCluster		All Resource ``	None	None
ehpc:SyncUsers	SyncUsers		All Resource ``	None	None
ehpc:ListCpfsFileSystems	ListCpfsFileSystems		All Resource ``	None	None
ehpc:ListRegions	ListRegions		All Resource ``	None	None
ehpc:ModifyUserGroups	ModifyUserGroups	update	All Resource ``	None	None
ehpc:CreateJobFile	CreateJobFile	create	All Resource ``	None	None
ehpc:AddNodes	AddNodes		All Resource ``	None	None
ehpc:ModifyUserPasswords	ModifyUserPasswords	update	All Resource ``	None	None
ehpc:DeleteSecurityGroup	DeleteSecurityGroup		All Resource ``	None	None
ehpc:ListNodes	ListNodes		All Resource ``	None	None
ehpc:SetSchedulerInfo	SetSchedulerInfo		All Resource ``	None	None
ehpc:ListClustersMeta	ListClustersMeta		All Resource ``	None	None
ehpc:ListServerlessJobs	ListServerlessJobs		All Resource ``	None	None

Resource

The following table lists the resources defined by Elastic High Performance Computing. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type

ARN

Condition

Elastic High Performance Computing does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: