Before you use a RAM user to call an Alibaba Cloud API operation, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud API operations to create or modify cloud resources. Before you use a RAM user to call an API operation, you must grant the RAM user the permission to call the API operation by creating an authorization policy and attaching the policy to the RAM user.

When you create the authorization policy, you can specify the resource to authorize by its Alibaba Resource Name (ARN). An ARN is used to identify the resource to authorize.

ARNs are in the following format:

acs:service-name:region:account-id:resource-relative-id

An ARN contains the following parameters:

  • acs: the abbreviation for Alibaba Cloud Service.
  • service-name: the name of the Alibaba Cloud service. In this case, the value is eventbridge.
  • region: the region where the service resides. If this parameter is not supported, use the asterisk (*) as a wildcard instead.

  • account-id: the ID of the user account, for example, 123456789012****.

  • resource-relative-id: the specific description of a resource. The description varies by service. For more information, see the documentation of each service.

    For example, acs:eventbridge:cn-hangzhou:123456789012****:eventbus/MyEventBus identifies the EventBridge event bus named MyEventBus in the cn-hangzhou region, owned by a user whose UID is 123456789012****.

For more information about authorization for API operations, see Policies.
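The following Python sketch is an added example, not code from Alibaba Cloud. It parses ARNs in the five-field format described above and flags Resource entries in a policy that grant more than one named resource. The function names, the sample policy, and the placeholder account ID are constructed for illustration, and the Version/Statement/Effect/Action/Resource policy layout is assumed because this page does not show it.

```python
from typing import NamedTuple

class Arn(NamedTuple):
    service: str
    region: str
    account_id: str
    resource: str

def parse_arn(arn: str) -> Arn:
    # Format from the page: acs:service-name:region:account-id:resource-relative-id
    # maxsplit=4 keeps any ':' inside resource-relative-id intact.
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"{arn}: not in acs:service:region:account:resource form")
    return Arn(*parts[1:])

def audit_resources(policy: dict, service: str = "eventbridge") -> list:
    """Return findings for Allow statements whose Resource is broader than one named resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*":
                findings.append("*: matches every resource")
                continue
            try:
                arn = parse_arn(res)
            except ValueError as exc:
                findings.append(str(exc))
                continue
            if arn.service != service:
                findings.append(f"{res}: service is not {service}")
            if "*" in arn.account_id:
                findings.append(f"{res}: wildcard in account-id")
            if "*" in arn.resource:
                findings.append(f"{res}: wildcard in resource-relative-id")
            # A "*" region is not flagged: the page allows it where region is unsupported.
    return findings

# Constructed sample policy; the account ID is a placeholder.
SAMPLE_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "eventbridge:*", "Resource": [
        "acs:eventbridge:cn-hangzhou:1234567890123456:eventbus/MyEventBus",
        "acs:eventbridge:*:1234567890123456:eventbus/*",
        "*"]}]}
```

Calling audit_resources(SAMPLE_POLICY) reports the second and third Resource entries and leaves the ARN that names a single event bus unflagged.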