All Products
Search

This Product

    Elastic Compute Service:RAM authorization

    Document Center

    Elastic Compute Service:RAM authorization

    Last Updated:Apr 18, 2025
    Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
    This topic describes the elements, such as Action, Resource, and Condition, which are defined by ECS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ECS is ecs、vpc. You can grant permissions on ECS at the RESOURCE.

    General structure of a policy

    Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
    The following list describes the fields in the policy:
    • Effect: specifies the authorization effect. Valid values: Allow, Deny.
    • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
    • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
    • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
      • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
      • Condition_key: specifies the condition keys.
      • Condition_value: specifies the condition values.

    Action

    ECS defines the values that you can use in the Action element of a policy statement. The following table describes the values.
    • Operation: the value that you can use in the Action element to specify the operation on a resource.
    • API operation: the API operation that you can call to perform the operation.
    • Access level: the access level of each operation. The levels are read, write, and list.
    • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
      • For mandatory resource types, indicate with a prefix of * .
      • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
    • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
    • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
    ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
    ecs:AcceptInquiredSystemEventAcceptInquiredSystemEventupdate
    *All Resources
    *
    		NoneNone
    ecs:AllocateDedicatedHostsAllocateDedicatedHostscreate
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/*
    		NoneNone
    ecs:AllocatePublicIpAddressAllocatePublicIpAddresscreate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ApplyAutoSnapshotPolicyApplyAutoSnapshotPolicyupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    *AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    		NoneNone
    ecs:AssignIpv6AddressesAssignIpv6Addressescreate
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:AssignPrivateIpAddressesAssignPrivateIpAddressescreate
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:AttachClassicLinkVpcAttachClassicLinkVpcupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    vpc:tag
    		None
    ecs:AttachDiskAttachDiskupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ecs:LoginAsNonRoot
    ecs:PasswordCustomized
    		None
    ecs:AttachInstanceRamRoleAttachInstanceRamRoleupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *Role
    acs:ram:{#regionId}:{#accountId}:role/{#roleName}
    		NoneNone
    ecs:AttachKeyPairAttachKeyPairupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    		NoneNone
    ecs:AttachNetworkInterfaceAttachNetworkInterfaceupdate
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:AuthorizeSecurityGroupAuthorizeSecurityGroupcreate
    *All Resources
    *
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:AuthorizeSecurityGroupEgressAuthorizeSecurityGroupEgresscreate
    *All Resources
    *
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:CancelAutoSnapshotPolicyCancelAutoSnapshotPolicyupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    		NoneNone
    ecs:CancelCopyImageCancelCopyImageupdate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:CancelImagePipelineExecutionCancelImagePipelineExecutionupdate
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:CancelSimulatedSystemEventsCancelSimulatedSystemEventsupdate
    *All Resources
    *
    		NoneNone
    ecs:CancelTaskCancelTaskupdate
    *All Resources
    *
    		NoneNone
    ecs:ConvertNatPublicIpToEipConvertNatPublicIpToEipupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CopyImageCopyImageupdate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/*
    		NoneNone
    ecs:CopySnapshotCopySnapshotcreate
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:CreateActivationCreateActivationcreate
    *Activation
    acs:ecs:{#regionId}:{#accountId}:activation/*
    		NoneNone
    ecs:CreateAutoProvisioningGroupCreateAutoProvisioningGroupcreate
    *All Resources
    *
    		NoneNone
    ecs:CreateAutoSnapshotPolicyCreateAutoSnapshotPolicycreate
    *AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/*
    		NoneNone
    ecs:CreateCapacityReservationCreateCapacityReservationcreate
    *CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/*
    		NoneNone
    ecs:CreateCommandCreateCommandcreate
    *Command
    acs:ecs:{#regionId}:{#accountId}:command/*
    		NoneNone
    ecs:CreateDedicatedHostClusterCreateDedicatedHostClustercreate
    *All Resources
    *
    		NoneNone
    ecs:CreateDeploymentSetCreateDeploymentSetcreate
    *All Resources
    *
    		NoneNone
    ecs:CreateDiagnosticMetricSetCreateDiagnosticMetricSetcreate
    *All Resources
    *
    		NoneNone
    ecs:CreateDiagnosticReportCreateDiagnosticReportcreate
    *All Resources
    *
    		NoneNone
    ecs:CreateDiskCreateDiskcreate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/*
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    ecs:IsDiskEncrypted
    ecs:IsDiskByokEncrypted
    		None
    ecs:CreateElasticityAssuranceCreateElasticityAssurancecreate
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
    		NoneNone
    ecs:CreateHpcClusterCreateHpcClustercreate
    *HpcCluster
    acs:ecs:{#regionId}:{#accountId}:hpc/*
    		NoneNone
    ecs:CreateImageCreateImagecreate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/*
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:CreateImageComponentCreateImageComponentcreate
    *ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/*
    		NoneNone
    ecs:CreateImagePipelineCreateImagePipelinecreate
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    		NoneNone
    ecs:CreateInstanceCreateInstancecreate
    *All Resources
    *
    vpc:VPC
    vpc:IsDefaultVSwitch
    vpc:IsDefaultVpc
    ecs:IsDiskEncrypted
    ecs:InstanceType
    ecs:InstanceTypeFamily
    ecs:ImageOwnerId
    ecs:ImageSource
    ecs:NotSpecifySecurityGroupId
    ecs:LoginAsNonRoot
    ecs:IsSystemDiskByokEncrypted
    ecs:IsDiskByokEncrypted
    ecs:PasswordInherit
    ecs:PasswordCustomized
    ecs:IsSystemDiskEncrypted
    ecs:ImagePlatform
    ecs:LoginAsNonRoot
    ecs:IsSystemDiskByokEncrypted
    ecs:IsDiskByokEncrypted
    ecs:PasswordInherit
    ecs:PasswordCustomized
    ecs:IsSystemDiskEncrypted
    ecs:ImagePlatform
    ecs:SecurityHardeningMode
    		None
    ecs:CreateKeyPairCreateKeyPaircreate
    *KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/*
    		NoneNone
    ecs:CreateLaunchTemplateCreateLaunchTemplatecreate
    *LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    		NoneNone
    ecs:CreateLaunchTemplateVersionCreateLaunchTemplateVersioncreate
    *LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:CreateNetworkInterfaceCreateNetworkInterfacecreate
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/*
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    *VSwitch
    acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId}
    vpc:IsDefaultVSwitch
    vpc:IsDefaultVpc
    vpc:VPC
    vpc:tag
    vpc:tag
    vpc:tag
    		None
    ecs:CreatePrefixListCreatePrefixListcreate
    *All Resources
    *
    		NoneNone
    ecs:CreateSecurityGroupCreateSecurityGroupcreate
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/*
    *VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    		NoneNone
    ecs:CreateSimulatedSystemEventsCreateSimulatedSystemEventscreate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:CreateSnapshotCreateSnapshotcreate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/*
    		NoneNone
    ecs:CreateSnapshotGroupCreateSnapshotGroupcreate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#DiskId}
    		NoneNone
    ecs:DeleteActivationDeleteActivationdelete
    *activation
    acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    		NoneNone
    ecs:DeleteAutoProvisioningGroupDeleteAutoProvisioningGroupdelete
    *AutoProvisioningGroup
    acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    		NoneNone
    ecs:DeleteAutoSnapshotPolicyDeleteAutoSnapshotPolicydelete
    *AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId}
    		NoneNone
    ecs:DeleteCommandDeleteCommanddelete
    *Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:DeleteDedicatedHostClusterDeleteDedicatedHostClusterdelete
    *DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    		NoneNone
    ecs:DeleteDeploymentSetDeleteDeploymentSetdelete
    *DeploymentSet
    acs:ecs:{#regionid}:{#accountId}:deploymentset/{#deploymentSetId}
    		NoneNone
    ecs:DeleteDiagnosticMetricSetsDeleteDiagnosticMetricSetsdelete
    *All Resources
    *
    		NoneNone
    ecs:DeleteDiagnosticReportsDeleteDiagnosticReportsdelete
    *All Resources
    *
    		NoneNone
    ecs:DeleteDiskDeleteDiskdelete
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:DeleteHpcClusterDeleteHpcClusterdelete
    *All Resources
    *
    		NoneNone
    ecs:DeleteImageDeleteImagedelete
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DeleteImageComponentDeleteImageComponentdelete
    *ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
    		NoneNone
    ecs:DeleteImagePipelineDeleteImagePipelinedelete
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:DeleteInstanceDeleteInstancedelete
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DeleteInstancesDeleteInstancesdelete
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DeleteKeyPairsDeleteKeyPairsdelete
    *KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    		NoneNone
    ecs:DeleteLaunchTemplateDeleteLaunchTemplatedelete
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:DeleteLaunchTemplateVersionDeleteLaunchTemplateVersiondelete
    *LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:DeleteNetworkInterfaceDeleteNetworkInterfacedelete
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:DeletePrefixListDeletePrefixListdelete
    *PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:DeleteSecurityGroupDeleteSecurityGroupdelete
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:DeleteSnapshotDeleteSnapshotdelete
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:DeleteSnapshotGroupDeleteSnapshotGroupdelete
    *SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
    		NoneNone
    ecs:DeregisterManagedInstanceDeregisterManagedInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeAccountAttributesDescribeAccountAttributesget
    *All Resources
    *
    		NoneNone
    ecs:DescribeActivationsDescribeActivationsget
    Activation
    acs:ecs:{#regionId}:{#accountId}:activation/*
    Activation
    acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    		NoneNone
    ecs:DescribeAutoProvisioningGroupHistoryDescribeAutoProvisioningGroupHistoryget
    *All Resources
    *
    		NoneNone
    ecs:DescribeAutoProvisioningGroupInstancesDescribeAutoProvisioningGroupInstancesget
    *AutoProvisioningGroup
    acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    		NoneNone
    ecs:DescribeAutoProvisioningGroupsDescribeAutoProvisioningGroupsget
    *All Resources
    *
    		NoneNone
    ecs:DescribeAutoSnapshotPolicyExDescribeAutoSnapshotPolicyExget
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/*
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    		NoneNone
    ecs:DescribeBandwidthLimitationDescribeBandwidthLimitationget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeCapacityReservationInstancesDescribeCapacityReservationInstancesget
    *CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId}
    		NoneNone
    ecs:DescribeCapacityReservationsDescribeCapacityReservationsget
    *CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/*
    		NoneNone
    ecs:DescribeClassicLinkInstancesDescribeClassicLinkInstancesget
    *All Resources
    *
    		NoneNone
    ecs:DescribeCloudAssistantSettingsDescribeCloudAssistantSettingslist
    *ServiceSettings
    acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
    		NoneNone
    ecs:DescribeCloudAssistantStatusDescribeCloudAssistantStatusget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeCommandsDescribeCommandsget
    Command
    acs:ecs:{#regionId}:{#accountId}:command/*
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:DescribeDedicatedHostAutoRenewDescribeDedicatedHostAutoRenewget
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:DescribeDedicatedHostClustersDescribeDedicatedHostClustersget
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/*
    		NoneNone
    ecs:DescribeDedicatedHostsDescribeDedicatedHostsget
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/*
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:DescribeDeploymentSetsDescribeDeploymentSetsget
    *DeploymentSet
    acs:ecs:{#regionId}:{#accountId}:deploymentset/*
    		NoneNone
    ecs:DescribeDiagnosticMetricSetsDescribeDiagnosticMetricSetsget
    *All Resources
    *
    		NoneNone
    ecs:DescribeDiagnosticMetricsDescribeDiagnosticMetricsget
    *All Resources
    *
    		NoneNone
    ecs:DescribeDiagnosticReportAttributesDescribeDiagnosticReportAttributesget
    *All Resources
    *
    		NoneNone
    ecs:DescribeDiagnosticReportsDescribeDiagnosticReportsget
    *All Resources
    *
    		NoneNone
    ecs:DescribeDiskDefaultKMSKeyIdDescribeDiskDefaultKMSKeyIdnone
    *DiskEncryptionDefaultConfig
    acs:ecs:{#regionId}:{#accountId}:diskencryptiondefaultconfig/*
    		NoneNone
    ecs:DescribeDiskEncryptionByDefaultStatusDescribeDiskEncryptionByDefaultStatusnone
    *DiskEncryptionDefaultConfig
    acs:ecs:{#regionId}:{#accountId}:diskencryptiondefaultconfig/*
    		NoneNone
    ecs:DescribeDiskMonitorDataDescribeDiskMonitorDataget
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:DescribeDisksDescribeDiskslist
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/*
    		NoneNone
    ecs:DescribeDisksFullStatusDescribeDisksFullStatuslist
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/*
    		NoneNone
    ecs:DescribeElasticityAssuranceAutoRenewAttributeDescribeElasticityAssuranceAutoRenewAttributeget
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    		NoneNone
    ecs:DescribeElasticityAssuranceInstancesDescribeElasticityAssuranceInstancesget
    *All Resources
    *
    		NoneNone
    ecs:DescribeElasticityAssurancesDescribeElasticityAssurancesget
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
    		NoneNone
    ecs:DescribeEniMonitorDataDescribeEniMonitorDataget
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeHpcClustersDescribeHpcClustersget
    *HpcCluster
    acs:ecs:{#regionId}:{#accountId}:hpc/*
    		NoneNone
    ecs:DescribeImageComponentsDescribeImageComponentsget
    *ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/*
    *ImageComponent
    acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
    		NoneNone
    ecs:DescribeImageFromFamilyDescribeImageFromFamilyget
    *All Resources
    *
    		NoneNone
    ecs:DescribeImagePipelineExecutionsDescribeImagePipelineExecutionsget
    *ImagePipelineExecution
    acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/*
    *ImagePipelineExecution
    acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/{#ImagePipelineExecutionId}
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#ImagePipelineId}
    		NoneNone
    ecs:DescribeImagePipelinesDescribeImagePipelinesget
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:DescribeImageSharePermissionDescribeImageSharePermissionget
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeImageSupportInstanceTypesDescribeImageSupportInstanceTypesget
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeImagesDescribeImagesget
    Image
    acs:ecs:{#regionId}:{#accountId}:image/*
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:DescribeInstanceAttachmentAttributesDescribeInstanceAttachmentAttributesget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeInstanceAttributeDescribeInstanceAttributeget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeInstanceAutoRenewAttributeDescribeInstanceAutoRenewAttributelist
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/*
    		NoneNone
    ecs:DescribeInstanceHistoryEventsDescribeInstanceHistoryEventsget
    *All Resources
    *
    		NoneNone
    ecs:DescribeInstanceMaintenanceAttributesDescribeInstanceMaintenanceAttributesget
    *All Resources
    *
    		NoneNone
    ecs:DescribeInstanceModificationPriceDescribeInstanceModificationPriceget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    		NoneNone
    ecs:DescribeInstanceMonitorDataDescribeInstanceMonitorDataget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeInstanceRamRoleDescribeInstanceRamRoleget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    Role
    acs:ram:{#regionId}:{#accountId}:role/{#roleName}
    		NoneNone
    ecs:DescribeInstanceStatusDescribeInstanceStatuslist
    *All Resources
    *
    		NoneNone
    ecs:DescribeInstanceVncUrlDescribeInstanceVncUrlget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeInstancesDescribeInstanceslist
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/*
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ResourceOwner
    		None
    ecs:DescribeInstancesFullStatusDescribeInstancesFullStatuslist
    *All Resources
    *
    		NoneNone
    ecs:DescribeInvocationResultsDescribeInvocationResultsget
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeInvocationsDescribeInvocationsget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:DescribeKeyPairsDescribeKeyPairsget
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/*
    		NoneNone
    ecs:DescribeLaunchTemplateVersionsDescribeLaunchTemplateVersionslist
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:DescribeLaunchTemplatesDescribeLaunchTemplatesget
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:DescribeManagedInstancesDescribeManagedInstancesget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeNetworkInterfaceAttributeDescribeNetworkInterfaceAttributeget
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:DescribeNetworkInterfacesDescribeNetworkInterfacesget
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:DescribePrefixListAssociationsDescribePrefixListAssociationsget
    *PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:DescribePrefixListAttributesDescribePrefixListAttributesget
    *PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:DescribePrefixListsDescribePrefixListsget
    *PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:DescribePriceDescribePriceget
    *All Resources
    *
    		NoneNone
    ecs:DescribeRenewalPriceDescribeRenewalPriceget
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeReservedInstanceAutoRenewAttributeDescribeReservedInstanceAutoRenewAttributeget
    *ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    		NoneNone
    ecs:DescribeReservedInstancesDescribeReservedInstancesget
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/*
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    		NoneNone
    ecs:DescribeResourcesModificationDescribeResourcesModificationget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeSecurityGroupAttributeDescribeSecurityGroupAttributeget
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    		None
    ecs:DescribeSecurityGroupReferencesDescribeSecurityGroupReferencesget
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:DescribeSecurityGroupsDescribeSecurityGroupsget
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/*
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:DescribeSendFileResultsDescribeSendFileResultsget
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DescribeSnapshotGroupsDescribeSnapshotGroupsget
    SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/*
    SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
    		NoneNone
    ecs:DescribeSnapshotLinksDescribeSnapshotLinksget
    *All Resources
    *
    		NoneNone
    ecs:DescribeSnapshotMonitorDataDescribeSnapshotMonitorDataget
    *All Resources
    *
    		NoneNone
    ecs:DescribeSnapshotPackageDescribeSnapshotPackageget
    *All Resources
    *
    		NoneNone
    ecs:DescribeSnapshotsDescribeSnapshotsget
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/*
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:DescribeSnapshotsUsageDescribeSnapshotsUsageget
    *All Resources
    *
    		NoneNone
    ecs:DescribeStorageCapacityUnitsDescribeStorageCapacityUnitsget
    StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/*
    StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
    		NoneNone
    ecs:DescribeTaskAttributeDescribeTaskAttributeget
    *All Resources
    *
    		NoneNone
    ecs:DescribeTasksDescribeTasksget
    *All Resources
    *
    		NoneNone
    ecs:DescribeTerminalSessionsDescribeTerminalSessionslist
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    		NoneNone
    ecs:DescribeUserDataDescribeUserDataget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DetachClassicLinkVpcDetachClassicLinkVpcupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    		NoneNone
    ecs:DetachDiskDetachDiskupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DetachInstanceRamRoleDetachInstanceRamRoleupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *Role
    acs:ram:{#regionId}:{#accountId}:role/{#roleName}
    		NoneNone
    ecs:DetachKeyPairDetachKeyPairupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    		NoneNone
    ecs:DetachNetworkInterfaceDetachNetworkInterfaceupdate
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:DisableActivationDisableActivationupdate
    *Activation
    acs:ecs:{#regionId}:{#accountId}:activation/{#ActivationId}
    		NoneNone
    ecs:EndTerminalSessionEndTerminalSessionupdate
    *All Resources
    *
    		NoneNone
    ecs:ExportImageExportImageupdate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:GetInstanceConsoleOutputGetInstanceConsoleOutputget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:GetInstanceScreenshotGetInstanceScreenshotget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ImportImageImportImageupdate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/*
    		NoneNone
    ecs:ImportKeyPairImportKeyPaircreate
    *KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/*
    		NoneNone
    ecs:InstallCloudAssistantInstallCloudAssistantupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:InvokeCommandInvokeCommandupdate
    *Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ecs:CommandRunAs
    		None
    ecs:JoinResourceGroupJoinResourceGroupupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId}
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#SnapshotId}
    		NoneNone
    ecs:JoinSecurityGroupJoinSecurityGroupupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:LeaveSecurityGroupLeaveSecurityGroupupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:ListPluginStatusListPluginStatusget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#InstanceId}
    		NoneNone
    ecs:ListTagResourcesListTagResourcesget
    *All Resources
    *
    		NoneNone
    ecs:ModifyAutoProvisioningGroupModifyAutoProvisioningGroupupdate
    *autoprovisioninggroup
    acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    		NoneNone
    ecs:ModifyAutoSnapshotPolicyExModifyAutoSnapshotPolicyExupdate
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#autoSnapshotPolicyId}
    		NoneNone
    ecs:ModifyCapacityReservationModifyCapacityReservationupdate
    *CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId}
    		NoneNone
    ecs:ModifyCloudAssistantSettingsModifyCloudAssistantSettingsupdate
    *ServiceSettings
    acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
    		NoneNone
    ecs:ModifyCommandModifyCommandupdate
    *Command
    acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    		NoneNone
    ecs:ModifyDedicatedHostAttributeModifyDedicatedHostAttributeupdate
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    DedicatedHostCluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    		NoneNone
    ecs:ModifyDedicatedHostAutoReleaseTimeModifyDedicatedHostAutoReleaseTimeupdate
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:ModifyDedicatedHostAutoRenewAttributeModifyDedicatedHostAutoRenewAttributeupdate
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:ModifyDedicatedHostClusterAttributeModifyDedicatedHostClusterAttributeupdate
    *ddhcluster
    acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    		NoneNone
    ecs:ModifyDedicatedHostsChargeTypeModifyDedicatedHostsChargeTypeupdate
    *All Resources
    *
    		NoneNone
    ecs:ModifyDeploymentSetAttributeModifyDeploymentSetAttributeupdate
    *DeploymentSet
    acs:ecs:{#regionId}:{#accountId}:deploymentset/{#DeploymentSetId}
    		NoneNone
    ecs:ModifyDiagnosticMetricSetModifyDiagnosticMetricSetupdate
    *All Resources
    *
    		NoneNone
    ecs:ModifyDiskAttributeModifyDiskAttributeupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:ModifyDiskChargeTypeModifyDiskChargeTypeupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyDiskSpecModifyDiskSpecupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:ModifyElasticityAssuranceModifyElasticityAssuranceupdate
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    		NoneNone
    ecs:ModifyElasticityAssuranceAutoRenewAttributeModifyElasticityAssuranceAutoRenewAttributeupdate
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    		NoneNone
    ecs:ModifyHpcClusterAttributeModifyHpcClusterAttributeupdate
    *All Resources
    *
    		NoneNone
    ecs:ModifyImageAttributeModifyImageAttributeupdate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:ModifyImageSharePermissionModifyImageSharePermissionupdate
    *Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    		NoneNone
    ecs:ModifyInstanceAttachmentAttributesModifyInstanceAttachmentAttributesupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceAttributeModifyInstanceAttributeupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#SecurityGroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:ModifyInstanceAutoReleaseTimeModifyInstanceAutoReleaseTimeupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceAutoRenewAttributeModifyInstanceAutoRenewAttributeupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceChargeTypeModifyInstanceChargeTypeupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceDeploymentModifyInstanceDeploymentupdate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceMaintenanceAttributesModifyInstanceMaintenanceAttributesupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceMetadataOptionsModifyInstanceMetadataOptionsupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceNetworkSpecModifyInstanceNetworkSpecupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceSpecModifyInstanceSpecupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceVncPasswdModifyInstanceVncPasswdupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyInstanceVpcAttributeModifyInstanceVpcAttributeupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    *VSwitch
    acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId}
    vpc:tag
    vpc:VPC
    		None
    ecs:ModifyInvocationAttributeModifyInvocationAttributeupdate
    *Invocation
    acs:ecs:{#regionId}:{#accountId}:invocation/{#invocationId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyLaunchTemplateDefaultVersionModifyLaunchTemplateDefaultVersionupdate
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    		NoneNone
    ecs:ModifyManagedInstanceModifyManagedInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyNetworkInterfaceAttributeModifyNetworkInterfaceAttributeupdate
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:ModifyPrefixListModifyPrefixListupdate
    *PrefixList
    acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    		NoneNone
    ecs:ModifyPrepayInstanceSpecModifyPrepayInstanceSpecupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ModifyReservedInstanceAttributeModifyReservedInstanceAttributeupdate
    *ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    		NoneNone
    ecs:ModifyReservedInstanceAutoRenewAttributeModifyReservedInstanceAutoRenewAttributeupdate
    *ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    		NoneNone
    ecs:ModifyReservedInstancesModifyReservedInstancesupdate
    *ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    		NoneNone
    ecs:ModifySecurityGroupAttributeModifySecurityGroupAttributeupdate
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:ModifySecurityGroupEgressRuleModifySecurityGroupEgressRuleupdate
    *All Resources
    *
    ecs:tag
    ecs:tag
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:ModifySecurityGroupPolicyModifySecurityGroupPolicyupdate
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    		NoneNone
    ecs:ModifySecurityGroupRuleModifySecurityGroupRuleupdate
    *All Resources
    *
    ecs:SecurityGroupIpProtocols
    ecs:SecurityGroupSourceCidrIps
    		None
    ecs:ModifySnapshotAttributeModifySnapshotAttributeupdate
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:ModifySnapshotCategoryModifySnapshotCategoryupdate
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    ecs:tag
    		None
    ecs:ModifySnapshotGroupModifySnapshotGroupupdate
    *SnapshotGroup
    acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#SnapshotGroupId}
    		NoneNone
    ecs:ModifyStorageCapacityUnitAttributeModifyStorageCapacityUnitAttributeupdate
    *StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
    		NoneNone
    ecs:PurchaseElasticityAssurancePurchaseElasticityAssuranceupdate
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    		NoneNone
    ecs:PurchaseReservedInstancesOfferingPurchaseReservedInstancesOfferingcreate
    *ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/*
    		NoneNone
    ecs:PurchaseStorageCapacityUnitPurchaseStorageCapacityUnitcreate
    *StorageCapacityUnit
    acs:ecs:{#regionId}:{#accountId}:scu/*
    		NoneNone
    ecs:ReActivateInstancesReActivateInstancesupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ReInitDiskReInitDiskupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:RebootInstanceRebootInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:RebootInstancesRebootInstancesupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:RedeployDedicatedHostRedeployDedicatedHostupdate
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:RedeployInstanceRedeployInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ReleaseCapacityReservationReleaseCapacityReservationdelete
    *CapacityReservation
    acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId}
    		NoneNone
    ecs:ReleaseDedicatedHostReleaseDedicatedHostdelete
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:RenewDedicatedHostsRenewDedicatedHostsupdate
    *DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    		NoneNone
    ecs:RenewElasticityAssurancesRenewElasticityAssurancescreate
    *ElasticityAssurance
    acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    		NoneNone
    ecs:RenewInstanceRenewInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:RenewReservedInstancesRenewReservedInstancescreate
    *ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
    		NoneNone
    ecs:ReplaceSystemDiskReplaceSystemDiskupdate
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ecs:IsDiskEncrypted
    ecs:IsSystemDiskEncrypted
    ecs:PasswordInherit
    ecs:PasswordCustomized
    ecs:IsDiskByokEncrypted
    ecs:IsSystemDiskByokEncrypted
    ecs:LoginAsNonRoot
    ecs:ImagePlatform
    		None
    ecs:ReportInstancesStatusReportInstancesStatusget
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:ResetDiskResetDiskupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    *Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    		NoneNone
    ecs:ResizeDiskResizeDiskupdate
    *Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    		NoneNone
    ecs:RevokeSecurityGroupRevokeSecurityGroupdelete
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:RevokeSecurityGroupEgressRevokeSecurityGroupEgressdelete
    *SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    ecs:tag
    ecs:tag
    ecs:tag
    		None
    ecs:RunCommandRunCommandupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    ecs:CommandRunAs
    		None
    ecs:RunInstancesRunInstancescreate
    *All Resources
    *
    vpc:IsDefaultVSwitch
    vpc:IsDefaultVpc
    vpc:VPC
    ecs:IsDiskEncrypted
    ecs:InstanceTypeFamily
    ecs:InstanceType
    ecs:ImageOwnerId
    ecs:ImageSource
    ecs:NotSpecifySecurityGroupId
    ecs:LoginAsNonRoot
    ecs:IsSystemDiskByokEncrypted
    ecs:IsDiskByokEncrypted
    ecs:PasswordInherit
    ecs:PasswordCustomized
    ecs:IsSystemDiskEncrypted
    ecs:ImagePlatform
    ecs:IsDiskEncrypted
    ecs:SecurityHardeningMode
    		None
    ecs:SendFileSendFileupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StartImagePipelineExecutionStartImagePipelineExecutionupdate
    *ImagePipeline
    acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    		NoneNone
    ecs:StartInstanceStartInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StartInstancesStartInstancesupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StartTerminalSessionStartTerminalSessionupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StopInstanceStopInstanceupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StopInstancesStopInstancesupdate
    *Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:StopInvocationStopInvocationupdate
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    		NoneNone
    ecs:TagResourcesTagResourcescreate
    DedicatedHost
    acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    Disk
    acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    Image
    acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    KeyPair
    acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId}
    LaunchTemplate
    acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    ReservedInstance
    acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    Snapshot
    acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    AutoSnapshotPolicy
    acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#SnapshotPolicyId}
    		NoneNone
    ecs:UnassignIpv6AddressesUnassignIpv6Addressesdelete
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:UnassignPrivateIpAddressesUnassignPrivateIpAddressesdelete
    *NetworkInterface
    acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    		NoneNone
    ecs:UntagResourcesUntagResourcesdelete
    *All Resources
    *
    		NoneNone

    Resource

    ECS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
    • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
    • An asterisk (*) is used as a wildcard. Examples:
      • {#resourceType} is set to *, all resources are specified.
      • {#regionId} is set to *, all regions are specified.
      • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
    Resource typeARN
    Activation
    • acs:ecs:{#regionId}:{#accountId}:activation/*
    • acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    Address
    • acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId}
    • acs:vpc:{#regionId}:{#accountId}:eip/*
    Association
    • acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId}
    AutoProvisioningGroup
    • acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    • acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/*
    AutoSnapshotPolicy
    • acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
    • acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/*
    • acs:ecs:{#regionId}:{#accountId}:autosnapshotpolicy/*
    BandwidthPackage
    • acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/{#BandwidthPackageId}
    • acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/*
    CapacityReservation
    • acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId}
    • acs:ecs:{#regionId}:{#accountId}:capacityreservation/*
    Command
    • acs:ecs:{#regionId}:{#accountId}:command/{#commandId}
    • acs:ecs:{#regionId}:{#accountId}:command/*
    DedicatedHost
    • acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}
    • acs:ecs:{#regionId}:{#accountId}:ddh/*
    DedicatedHostCluster
    • acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    • acs:ecs:{#regionId}:{#accountId}:ddhcluster/*
    Demand
    • acs:ecs:*:{#accountId}:*
    • acs:ecs:{#regionId}:{#accountId}:ecsdemand/*
    DeploymentSet
    • acs:ecs:{#regionId}:{#accountId}:deploymentset/{#DeploymentSetId}
    • acs:ecs:{#regionId}:{#accountId}:deploymentset/*
    Disk
    • acs:ecs:{#regionId}:{#accountId}:disk/{#diskId}
    • acs:ecs:{#regionId}:{#accountId}:disk/*
    DiskEncryptionDefaultConfig
    • acs:ecs:{#regionId}:{#accountId}:diskencryptiondefaultconfig/*
    ElasticityAssurance
    • acs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
    • acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId}
    Fleet
    • acs:ecs:{#regionId}:{#accountId}:fleet/*
    ForwardTable
    • acs:vpc:{#regionId}:{#accountId}:forwardtable/{#ForwardTableId}
    HaVip
    • acs:vpc:{#regionId}:{#accountId}:havip/*
    • acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId}
    HpcCluster
    • acs:ecs:{#regionId}:{#accountId}:hpc/{#hpcClusterId}
    • acs:ecs:{#regionId}:{#accountId}:hpc/*
    Image
    • acs:ecs:{#regionId}:{#accountId}:image/{#imageId}
    • acs:ecs:{#regionId}:{#accountId}:image/*
    ImageComponent
    • acs:ecs:{#regionId}:{#accountId}:imagecomponent/*
    • acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
    ImagePipeline
    • acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
    • acs:ecs:{#regionId}:{#accountId}:imagepipeline/*
    ImagePipelineExecution
    • acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/*
    • acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/{#ImagePipelineExecutionId}
    Instance
    • acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
    • acs:ecs:{#regionId}:{#accountId}:instance/*
    • acs:vpc:{#regionId}:{#accountId}:instance/{#InstanceId}
    Invocation
    • acs:ecs:{#regionId}:{#accountId}:invocation/{#invocationId}
    KeyPair
    • acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId}
    • acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName}
    • acs:ecs:{#regionId}:{#accountId}:keypair/*
    LaunchTemplate
    • acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
    • acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId}
    NatGateway
    • acs:vpc:{#regionId}:{#accountId}:natgateway/*
    • acs:vpc:{#regionId}:{#accountId}:natgateway/{#NatGatewayId}
    NetworkInterface
    • acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}
    • acs:ecs:{#regionId}:{#accountId}:eni/*
    PhysicalConnection
    • acs:vpc:{#regionId}:{#accountId}:physicalconnection/*
    • acs:vpc:{#regionId}:{#accountId}:physicalconnection/{#PhysicalConnectionId}
    PortRangeList
    • acs:ecs:{#regionId}:{#accountId}:portrangelist/*
    • acs:ecs:{#regionId}:{#accountId}:portrangelist/{#portRangeListId}
    PrefixList
    • acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
    ReservedInstance
    • acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId}
    • acs:ecs:{#regionId}:{#accountId}:reservedinstance/*
    Role
    • acs:ram:{#regionId}:{#accountId}:role/{#roleName}
    RouteTable
    • acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId}
    RouterInterface
    • acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId}
    • acs:vpc:{#regionId}:{#accountId}:routerinterface/*
    SecurityGroup
    • acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    • acs:ecs:{#regionId}:{#accountId}:securitygroup/*
    ServiceSettings
    • acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
    Snapshot
    • acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId}
    • acs:ecs:{#regionId}:{#accountId}:snapshot/*
    • acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#autoSnapshotPolicyId}
    SnapshotGroup
    • acs:ecs:{#regionId}:{#accountId}:snapshotgroup/*
    • acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
    StorageCapacityUnit
    • acs:ecs:{#regionId}:{#accountId}:scu/*
    • acs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
    StorageSet
    • acs:ecs:{#regionId}:{#accountId}:storageset/*
    VPC
    • acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    • acs:vpc:{#regionId}:{#accountId}:vpc/*
    VRouter
    • acs:vpc:{#regionId}:{#accountId}:vrouter/*
    • acs:vpc:{#regionId}:{#accountId}:vrouter/{#VRouterId}
    VSwitch
    • acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId}
    • acs:vpc:{#regionId}:{#accountId}:vswitch/*
    VirtualBorderRouter
    • acs:vpc:{#regionId}:{#AccountId}:virtualborderrouter/{#VbrId}
    • acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VirtualBorderRouterId}
    • acs:vpc:{#regionId}:{#AccountId}:virtualborderrouter/*
    Volume
    • acs:ecs:{#regionId}:{#accountId}:volume/{#volumeId}
    • acs:ecs:{#regionId}:{#accountId}:volume/*
    activation
    • acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
    autoprovisioninggroup
    • acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
    ddhcluster
    • acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}
    • acs:ecs:{#regionId}:{#accountId}:ddhcluster/*
    snapshotpolicy
    • acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}

    Condition

    ECS defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to ECS. For more information about the common condition keys, see Generic Condition Keyword.
    The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
    Condition keyDescriptionData type
    ecs:AssociatePublicIpAddressWhether to support the allocation of public network IP in the process of resource creation and change, that is, whether to allow the operation of resources to make the public network bandwidth greater than 0.Boolean
    ecs:CommandRunAsUser in the operating system that executes cloud assistant commandsString
    ecs:ImageOwnerIdOwner UID of the image.String
    ecs:ImagePlatformOperating system type of the imageString
    ecs:ImageSourceImage SourceString
    ecs:InstanceTypeInstance specificationsString
    ecs:InstanceTypeFamilyinstance specification familyString
    ecs:IsDiskByokEncryptedWhether to encrypt the data disk with the primary key.String
    ecs:IsDiskEncryptedWhether it is an encrypted data diskString
    ecs:IsSystemDiskByokEncryptedWhether the master key encrypts the system disk.String
    ecs:IsSystemDiskEncryptedWhether it is an encryption system diskString
    ecs:LoginAsNonRootWhether to log on to the instance as non-rootBoolean
    ecs:NotSpecifySecurityGroupIdWhether the security group ID is not specifiedBoolean
    ecs:PasswordCustomizedWhether a custom password is usedBoolean
    ecs:PasswordInheritWhether the instance inherits the image password.Boolean
    ecs:SecurityEnhancementStrategyWhether to open security reinforcement.String
    ecs:SecurityGroupIpProtocolsTransport layer protocol with security group openString
    ecs:SecurityGroupSourceCidrIpsThe source IPv4 CIDR segment of the security group that sets access permissionsString
    ecs:SecurityHardeningModeWhether to enforce hardened mode (IMDSv2) when accessing instance metadataBoolean
    vpc:CreateDefaultVpcWhether a default VPC can be createdBoolean
    vpc:IsDefaultVSwitchWhether it is the default VSwitch and whether the default VSwitch can be usedBoolean
    vpc:IsDefaultVpcWhether it is the default VPCBoolean
    vpc:VPCVPC InformationString

    What to do next

    You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: