Grant RAM users different levels of permissions for AgentRun by using custom policies.
Prerequisites
You have created a RAM user.
Overview
Grant RAM users permissions to use AgentRun through custom policies. For the structure of a policy document and the order in which RAM evaluates Allow and Deny statements, see Basic elements of a policy and Policy evaluation logic.
Custom policies
Log on to the Resource Access Management (RAM) console using your Alibaba Cloud account (master account) or as a RAM administrator, then attach one of the following custom policies to the RAM user. For the attachment steps, see Manage permissions for RAM users.
Full-access policy
Covers all AgentRun features. Because it includes the invocation, deletion and credential actions listed in the feature modules below (for example GetCredential and GetAccessToken), treat it as an administrative grant and use it only where full access is actually required.
Least-privilege policy
Covers only the core AgentRun features. To grant additional permissions, generate a custom policy JSON from the AgentRun services and permissions page and add only the actions the user needs, rather than falling back to the full-access policy.
Roles and authorization
Authorization process
AgentRun depends on the roles listed below. After you assign permissions, if any required role is missing the first time the RAM user opens the AgentRun page, an authorization pop-up guides you through creating and authorizing the roles. That step exercises the RAM actions listed under Resource Access Management below (such as CheckServiceLinkedRoleExistence, CreateServiceLinkedRole and PassRole), so the RAM user needs those actions as well, or an administrator must create the roles beforehand.
Required roles
AgentRun overall

| Role | Trusted entity | Policy/Permission | Description |
| --- | --- | --- | --- |
| AliyunFCFunctionAICustomRole | functionai.fc.aliyuncs.com | AliyunFCFunctionAIAgentrunDeployPolicy | Permission policy required for AgentRun deployment |
| AliyunFCFunctionAICustomRole | functionai.fc.aliyuncs.com | AliyunFCFunctionAIServicesDeployPolicy | Permission policy required for function service deployment |
| AliyunFCFunctionAIDefaultRole | functionai.fc.aliyuncs.com | AliyunFCFunctionAIDefaultRolePolicy | Authorization policy for AgentRun service roles |
| AliyunServiceRoleForFC | fc.aliyuncs.com | - | FC service-linked role |
| AliyunServiceRoleForAgentRun | agentrun.aliyuncs.com | - | AgentRun service-linked role |
Flow Agent (optional)

| Role | Trusted entity | Policy/Permission | Description |
| --- | --- | --- | --- |
| AliyunFnFExecutionRole | fnf.aliyuncs.com | AliyunFCInvocationAccess | Permissions required to execute Function Compute nodes |
| AliyunFnFExecutionRole | fnf.aliyuncs.com | AliyunFCFunctionAIReadOnlyAccess | Permissions required to execute tools and MCP nodes |
| AliyunFnFExecutionRole | fnf.aliyuncs.com | AliyunFnFFullAccess | Permissions required to execute other workflows within Flow Agent |
| AliyunFnFExecutionRole | fnf.aliyuncs.com | AliyunAgentRunReadOnlyAccess | Permissions required to use AgentRun sandbox, tools, and other resources |
| AliyunFnFExecutionRole | fnf.aliyuncs.com | AliyunEventBridgePutEventsPolicy | Permissions required to use triggers |
| AliyunFnFExecutionRole | fnf.aliyuncs.com | AliyunBailianDataFullAccess | Permissions required to execute knowledge base nodes |
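The tables above fix, for each required role, the single service that may assume it. A practical check after the authorization pop-up has run is to confirm that each role's trust policy names exactly that service and nothing else, since an extra RAM or federated principal on a role such as AliyunFnFExecutionRole would let that principal act with every policy attached to the role. The following script is an added example, not Alibaba Cloud's code: the role names and trusted entities are taken from the tables, while the trust-policy documents are constructed samples in the RAM trust-policy shape (an Allow statement for sts:AssumeRole with a Service, RAM or Federated principal). In a real audit those documents are the AssumeRolePolicyDocument returned by the RAM GetRole API, and the account ID in the sample is made up.

```python
"""Audit the trust policies of the roles AgentRun requires (added example)."""

# Role -> the single service that should be allowed to assume it (from the tables above).
REQUIRED_TRUST = {
    "AliyunFCFunctionAICustomRole": "functionai.fc.aliyuncs.com",
    "AliyunFCFunctionAIDefaultRole": "functionai.fc.aliyuncs.com",
    "AliyunServiceRoleForFC": "fc.aliyuncs.com",
    "AliyunServiceRoleForAgentRun": "agentrun.aliyuncs.com",
    "AliyunFnFExecutionRole": "fnf.aliyuncs.com",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def principals_allowed_to_assume(trust_policy):
    """Return every principal that an Allow statement lets assume the role.

    Service principals are returned bare (e.g. 'fc.aliyuncs.com'); any other
    principal type is prefixed with its key (e.g. 'RAM:acs:ram::...:user/alice')
    so a human or account principal is never mistaken for a service.
    """
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # wildcard principal: treated as "anyone may assume"
            found.add("*")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                found.add(member if kind == "Service" else f"{kind}:{member}")
    return found


def check_role(role_name, trust_policy):
    """Findings for one role; an empty list means it trusts exactly the expected service."""
    expected = REQUIRED_TRUST[role_name]
    actual = principals_allowed_to_assume(trust_policy)
    findings = []
    if expected not in actual:
        findings.append(f"{role_name}: expected trusted entity {expected} cannot assume the role")
    for extra in sorted(actual - {expected}):
        findings.append(f"{role_name}: unexpected principal {extra} may assume the role")
    return findings


def audit(trust_policies):
    """Check every required role; roles absent from the mapping are reported as missing."""
    report = {}
    for role_name in REQUIRED_TRUST:
        if role_name not in trust_policies:
            report[role_name] = [f"{role_name}: role does not exist; the console pop-up will need to create it"]
        else:
            report[role_name] = check_role(role_name, trust_policies[role_name])
    return report


def _service_trust(service):
    return {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                           "Principal": {"Service": [service]}}]}


# Constructed sample account state: three roles correct, one over-trusting, one missing.
SAMPLE_ROLES = {
    "AliyunFCFunctionAICustomRole": _service_trust("functionai.fc.aliyuncs.com"),
    "AliyunFCFunctionAIDefaultRole": _service_trust("functionai.fc.aliyuncs.com"),
    "AliyunServiceRoleForFC": _service_trust("fc.aliyuncs.com"),
    # A RAM user was added beside the service principal (account ID is made up):
    # that user can now assume the role and use every policy attached to it.
    "AliyunFnFExecutionRole": {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": ["fnf.aliyuncs.com"],
                      "RAM": ["acs:ram::1234567890123456:user/alice"]}}]},
    # AliyunServiceRoleForAgentRun deliberately absent.
}

if __name__ == "__main__":
    for role, findings in audit(SAMPLE_ROLES).items():
        print(role, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against the real account by replacing SAMPLE_ROLES with the trust policies fetched per role; a non-empty finding list for any role means the authorization step should be repeated or the trust policy corrected before the RAM user is allowed to use AgentRun.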
Feature module permission details
1. Agent management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListAgentRuntimes | AgentRun | Get agent list |
| GetAgentRuntime | AgentRun | Get agent details |
| CreateAgentRuntime | AgentRun | Create agent |
| UpdateAgentRuntime | AgentRun | Update agent |
| DeleteAgentRuntime | AgentRun | Delete agent |
| ListAgentRuntimeVersions | AgentRun | Get version list |
| PublishRuntimeVersion | AgentRun | Publish agent version |
| ListAgentRuntimeEndpoints | AgentRun | Get endpoint list |
| CreateAgentRuntimeEndpoint | AgentRun | Create endpoint |
| UpdateAgentRuntimeEndpoint | AgentRun | Update endpoint |
| DeleteAgentRuntimeEndpoint | AgentRun | Delete endpoint |
| InstanceExec | FC | Log on to instance |
2. Workflow (Flow) management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListFlows | FNF | Get flow list |
| DescribeFlow | FNF | Get flow details |
| CreateFlow | FNF | Create flow |
| UpdateFlow | FNF | Update flow |
| DeleteFlow | FNF | Delete flow |
| DeleteFlowVersion | FNF | Delete flow version |
| UpdateFlowDraft | FNF | Update flow draft |
| ListFlowVersions | FNF | Get version list |
| PublishFlowVersion | FNF | Publish flow version |
| ListFlowAliases | FNF | Get alias list |
| DescribeFlowAlias | FNF | Get alias details |
| CreateFlowAlias | FNF | Create alias |
| UpdateFlowAlias | FNF | Update alias |
| DeleteFlowAlias | FNF | Delete alias |
| StartExecution | FNF | Start execution |
| StartSyncExecution | FNF | Start synchronous execution |
| StartDebugExecution | FNF | Start debug execution |
| StopExecution | FNF | Stop execution |
| ListExecutions | FNF | Get execution list |
| DescribeExecution | FNF | Get execution details |
| GetExecutionHistory | FNF | Get execution history |
| DescribeAgentRunLogs | FNF | Get agent operational logs |
| ListModelSets | Devs | Get model set list |
| GetModelSet | Devs | Get model set details |
| ListToolsets | Devs | Get toolset list |
| GetToolset | Devs | Get toolset details |
| FetchModelSetAuthorization | Devs | Get model set authorization information |
| ListFunctions | FC | Get function list (Function Compute node) |
| ListAliases | FC | Get function alias list (Function Compute node) |
| ListFunctionVersions | FC | Get function version list (Function Compute node) |
| ListTriggers | FC | Get trigger list (Function Compute node) |
| GetCmsService | CMS | Get CMS service status (infrastructure monitoring) |
| OpenCmsService | CMS | Activate CMS service (infrastructure monitoring) |
| ListWorkspaces | Bailian | Get Model Studio workspace list (knowledge base node) |
| CreateUser | Bailian | Create a Model Studio user (knowledge base node) |
| ListRoles | Bailian | Get Model Studio role list (knowledge base node) |
| ListUsers | Bailian | Get Model Studio user list (knowledge base node) |
| AttachWorkspaceToUser | Bailian | Associate workspace with user (knowledge base node) |
| AttachRoleToUser | Bailian | Associate role with user (knowledge base node) |
| ListIndex | SFM | Get index list (knowledge base node) |
| ListModelServices | AgentRun | Get AgentRun model service list |
| ListTemplates | AgentRun | Get sandbox template list |
| GetCredential | AgentRun | Get authentication information for model services and sandbox |
| ListAgentRuntimes | AgentRun | Get Agent Runtime list |
| ListAgentRuntimeEndpoints | AgentRun | Get Agent Runtime endpoint list |
3. Model service management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListModelProviders | AgentRun | Get model provider list |
| ListModelServices | AgentRun | Get model service list |
| GetModelService | AgentRun | Get model service details |
| CreateModelService | AgentRun | Create model service |
| UpdateModelService | AgentRun | Update model service |
| DeleteModelService | AgentRun | Delete model service |
| ListModelProxies | AgentRun | Get model proxy list |
| GetModelProxy | AgentRun | Get model proxy details |
| CreateModelProxy | AgentRun | Create model proxy |
| UpdateModelProxy | AgentRun | Update model proxy |
| DeleteModelProxy | AgentRun | Delete model proxy |
4. Credential management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListCredentials | AgentRun | Get credential list |
| GetCredential | AgentRun | Get credential details |
| CreateCredential | AgentRun | Create credential |
| UpdateCredential | AgentRun | Update credential |
| DeleteCredential | AgentRun | Delete credential |
| GetAccessToken | AgentRun | Get access token |
5. Sandbox and template management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListTemplates | AgentRun | Get sandbox template list |
| GetTemplate | AgentRun | Get sandbox template details |
| CreateTemplate | AgentRun | Create sandbox template |
| UpdateTemplate | AgentRun | Update sandbox template |
| DeleteTemplate | AgentRun | Delete sandbox template |
| ActivateTemplateMCP | AgentRun | Activate sandbox MCP |
| StopTemplateMCP | AgentRun | Stop sandbox MCP |
| GetSandbox | AgentRun | Get sandbox instance details |
| StopSandbox | AgentRun | Stop sandbox instance |
| CreateSandbox | AgentRun | Create sandbox instance |
| ListSandboxes | AgentRun | Get sandbox instance list |
6. Memory storage
6.1. Memory storage management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListMemoryCollections | AgentRun | Get memory storage list |
| GetMemoryCollection | AgentRun | Get memory storage details |
| CreateMemoryCollection | AgentRun | Create memory storage |
| UpdateMemoryCollection | AgentRun | Update memory storage |
| DeleteMemoryCollection | AgentRun | Delete memory storage |
| ListInstances | OTS | Get OTS instance list |
| GetInstance | OTS | Get OTS instance information |
| CreateInstance | OTS | Create OTS instance |

6.2. Observability

| API name | Product/Service | Description |
| --- | --- | --- |
| GetChartData | OTS | Get chart data (for monitoring metrics display) |
| GetTableData | OTS | Get table data (for status statistics) |
7. Custom domain management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListCustomDomains | AgentRun | Get custom domain list |
| GetCustomDomain | AgentRun | Get custom domain details |
| CreateCustomDomain | AgentRun | Create custom domain |
| UpdateCustomDomain | AgentRun | Update custom domain |
| DeleteCustomDomain | AgentRun | Delete custom domain |
| DescribeUserCertificateList | Yundun | Get user certificate list |
| DescribeUserCertificateDetail | Yundun | Get certificate details |
8. Tool management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListToolsets | Devs | Get toolset list |
| GetToolset | Devs | Get toolset details |
| CreateToolset | Devs | Create toolset |
| UpdateToolset | Devs | Update toolset |
| DeleteToolset | Devs | Delete toolset |
| FetchToolsetAuthorization | Devs | Get toolset authorization |
| GetArtifact | Devs | Get artifact information |
| CreateArtifact | Devs | Create artifact |
| FetchArtifactTempBucketToken | Devs | Get temporary artifact credentials |
| PreviewEnvironment | Devs | Preview configuration content to be deployed |
9. Model set management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListModelSets | Devs | Get model set list |
| GetModelSet | Devs | Get model set details |
| FetchModelSetAuthorization | Devs | Get model set authorization |
10. Project and environment management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListProjects | Devs | Get project list |
| GetProject | Devs | Get project details |
| CreateProject | Devs | Create project |
| UpdateProject | Devs | Update project |
| GetEnvironment | Devs | Get environment information |
| UpdateEnvironment | Devs | Update environment |
| DeployEnvironment | Devs | Deploy environment |
| RenderServicesByTemplate | Devs | Render services based on template |
| DeployServices | Devs | Deploy services |
| ListServiceDeployments | Devs | Get deployment list |
11. Function Compute management

| API name | Product/Service | Description |
| --- | --- | --- |
| GetFunction | FC | Get function information |
| CreateFunction | FC | Create function |
| DeleteFunction | FC | Delete function |
| GetFunctionCode | FC | Get function code |
| ListFunctions | FC | Get function list |
| ListAliases | FC | Get function alias list |
| ListFunctionVersions | FC | Get function version list |
| ListTriggers | FC | Get trigger list |
| ListInstances | FC | List function instances |
| DescribeRegions | FC | Get supported regions |
| ListCustomDomains | FC | Get custom domain list |
| CreateCustomDomain | FC | Create custom domain |
| UpdateCustomDomain | FC | Update custom domain |
| DeleteCustomDomain | FC | Delete custom domain |
| ListProvisionConfigs | FC | List provisioned concurrency configurations |
| GetProvisionConfig | FC | Get provisioned concurrency configuration |
| PutProvisionConfig | FC | Update provisioned concurrency configuration |
| DeleteProvisionConfig | FC | Delete provisioned concurrency configuration |
12. Network configuration

| API name | Product/Service | Description |
| --- | --- | --- |
| DescribeVpcs | VPC | Get VPC list |
| DescribeVSwitches | VPC | Get vSwitch list |
| DescribeSecurityGroups | ECS | Get security group list |
13. Object Storage Service

| API name | Product/Service | Description |
| --- | --- | --- |
| ListBuckets | OSS | Get bucket list |
| ListObjectsV2 | OSS | Get bucket contents |
14. Simple Log Service

| API name | Product/Service | Description |
| --- | --- | --- |
| GetSlsService | Log | Get SLS service status |
| OpenSlsService | Log | Activate SLS service |
| ListProject | Log | List log projects |
| CreateProject | Log | Create log project |
| CreateLogStore | Log | Create Logstore |
| CreateIndex | Log | Create index |
| CreateLogging | Log | Create service logs for a project |
| CreateMetricStore | Log | Create a Metricstore to store time series data |
| GetLogStoreLogs | Log | Get log data |
| GetIndex | Log | Query index information for a specified Logstore |
| EnableService | Log | Enable service |
| ListLogstore | Log | Get Logstore list |
| GetMLServiceResults | Log | Get algorithm analysis results for a specified scenario task |
| QueryPrometheusMetrics | Log | Query metrics using the Prometheus protocol |
| QueryMetrics | Log | Query monitoring metrics |
| RemoteWritePrometheus | Log | Write time series metric data to a Metricstore using the Prometheus Remote Write protocol |
| RemoteWrite | Log | Write time series metric data |
15. Observability

| API name | Product/Service | Description |
| --- | --- | --- |
| CheckCommercialStatus | ARMS | Check commercial status |
| GetCommercialStatus | ARMS | Get commercial status |
| DescribeTraceLicenseKey | ARMS | Get Trace License |
| SearchTraceAppByName | ARMS | Search applications by name |
| ListAppInstances | ARMS | Get application instance list |
| ListLLMSessions | ARMS | Get LLM session list |
| QueryLLMSessionDetail | ARMS | Get session details |
| ListAllServices | ARMS | Get all service list |
| DoInsightsAction | ARMS | Perform Insights actions and access the sub-features related to Insights |
| ConfigApp | ARMS | Turn the global Agent switch for Application Monitoring on or off, or check its status |
| SaveTraceAppConfig | ARMS | Configure custom settings for Application Monitoring (such as trace sampling settings and Agent switches) |
| GetTraceApp | ARMS | Get application monitoring task details |
| GetTrace | ARMS | Get trace details |
| GetStack | ARMS | Get call stack information |
| GetMultipleTrace | ARMS | Get details of multiple traces |
| GetTraceAppConfig | ARMS | Query all custom settings for an application in Application Monitoring (such as trace sampling settings and Agent switches) |
| TagResources | ARMS | Tag ARMS resource instances |
| UntagResources | ARMS | Remove tags from ARMS resource instances |
16. Cloud Monitor

| API name | Product/Service | Description |
| --- | --- | --- |
| ListPrometheusVirtualInstances | CMS | Get Prometheus instances |
| CreatePrometheusVirtualInstance | CMS | Create Prometheus instance |
| GetCmsService | CMS | Get CMS service status |
| OpenCmsService | CMS | Activate CMS service |
| QueryCommercialUsage | CMS | Query observability usage data |
| DescribeEnvironment | CMS | Query environment details |
| Cursor | CMS | Define the range for exporting monitoring data |
| BatchGet | CMS | Batch get monitoring data |
| BatchExport | CMS | Batch export monitoring data |
17. Tracing Analysis

| API name | Product/Service | Description |
| --- | --- | --- |
| GetTraceLicenseKey | Xtrace | Get Trace License |
| DescribeTraceApps | Xtrace | Describe tracing applications |
18. Resource Access Management

| API name | Product/Service | Description |
| --- | --- | --- |
| ListRolesForService | RAM | Get service role list |
| ListPoliciesForRole | RAM | Get role policy list |
| CheckServiceLinkedRoleExistence | ResourceManager | Check whether a service-linked role exists |
| CreateServiceLinkedRole | RAM | Create service-linked role |
| PassRole | RAM | Pass role |
19. CDN

| API name | Product/Service | Description |
| --- | --- | --- |
| DescribeUserDomains | CDN | Get user CDN domain list |
20. Container Registry

| API name | Product/Service | Description |
| --- | --- | --- |
| ListRepoTag | ACR | Get image repository tag list |
21. Security Services

| API name | Product/Service | Description |
| --- | --- | --- |
| GetUserBuyStatus | Yundun | Get user purchase status |
22. Commercial status query

| API name | Product/Service | Description |
| --- | --- | --- |
| DescribeUserBusinessStatus | Ubsms | Get user commercial status |
23. Knowledge base management

| API name | Product/Service | Description |
| --- | --- | --- |
| GetKnowledgeBase | AgentRun | Get knowledge base details |
| CreateKnowledgeBase | AgentRun | Create knowledge base |
| UpdateKnowledgeBase | AgentRun | Update knowledge base |
| DeleteKnowledgeBase | AgentRun | Delete knowledge base |
| ListKnowledgeBases | AgentRun | List knowledge bases |
| ListWorkspaces | Bailian | Get Model Studio workspace list |
| CreateUser | Bailian | Create Model Studio user |
| ListRoles | Bailian | Get Model Studio role list |
| ListUsers | Bailian | Get Model Studio user list |
| AttachWorkspaceToUser | Bailian | Associate workspace with user |
24. Invoke Agent and Sandbox

| API name | Product/Service | Description |
| --- | --- | --- |
| InvokeRuntime | AgentRun | Invoke Agent |
| InvokeSandbox | AgentRun | Invoke Sandbox |

These two APIs invoke agent instances and sandbox instances through the AgentRun service. They are invocation actions, not management actions: a policy that grants only the management actions from the modules above lets a RAM user configure an agent but not call it, and a policy that grants only these two lets an application call an agent without being able to read or change its configuration. When you write a custom policy, include the agentrun:InvokeRuntime and agentrun:InvokeSandbox actions explicitly for every identity that must call agents or sandboxes.
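The "Custom policies" section above tells you to start from the least-privilege policy and add only the actions a user needs, and the note just above says the two invocation actions must be listed explicitly. The following script, an added example rather than Alibaba Cloud's code, does both mechanically: it assembles a policy document from rows copied out of the Agent management and Invoke Agent and Sandbox tables, then checks requests against it in RAM's evaluation order (any explicit Deny wins, then Allow, otherwise implicit deny) so you can see which actions a given policy set still lacks. The agentrun: action prefix is the one this page gives for InvokeRuntime and InvokeSandbox; the fc: prefix for Function Compute is assumed. The evaluator is a simplified model of Policy evaluation logic: it matches Action and Resource with '*' wildcards, compares case-insensitively, and ignores Condition blocks, so use it to sanity-check a policy's shape before attaching it, not as the final word on what RAM decides.

```python
"""Build a least-privilege custom policy from this page's tables and evaluate it
with RAM's Deny-then-Allow order (added example, simplified evaluator)."""
import fnmatch
import json

# "Product/Service" column value -> RAM action prefix.
ACTION_PREFIX = {
    "AgentRun": "agentrun",  # given on this page (agentrun:InvokeRuntime)
    "FC": "fc",              # assumed prefix for Function Compute
}

# Rows copied from the "Agent management" and "Invoke Agent and Sandbox" tables.
AGENT_READ_ONLY = [
    ("ListAgentRuntimes", "AgentRun"),
    ("GetAgentRuntime", "AgentRun"),
    ("ListAgentRuntimeVersions", "AgentRun"),
    ("ListAgentRuntimeEndpoints", "AgentRun"),
]
AGENT_INVOKE = [
    ("InvokeRuntime", "AgentRun"),
    ("InvokeSandbox", "AgentRun"),
]


def to_action(api_name, service):
    return f"{ACTION_PREFIX[service]}:{api_name}"


def build_policy(*statements):
    """Assemble a RAM policy document from (effect, rows, resource) tuples.

    Each tuple becomes its own statement so that, for example, the invocation
    actions can later be scoped to a narrower Resource than the read-only ones.
    """
    return {
        "Version": "1",
        "Statement": [
            {"Effect": effect,
             "Action": sorted(to_action(api, svc) for api, svc in rows),
             "Resource": resource}
            for effect, rows, resource in statements
        ],
    }


def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policies, action, resource="*"):
    """Evaluate one (action, resource) request against a list of policy documents.

    Any matching Deny rejects immediately; otherwise a matching Allow permits;
    with neither, the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


def missing_actions(policies, required_actions, resource="*"):
    """Return the required actions the policies do not allow: the exact gap to add
    to a least-privilege policy instead of falling back to full access."""
    return [a for a in required_actions if not is_allowed(policies, a, resource)]


# Least-privilege operator policy: may inspect and call agents, never modify them.
OPERATOR_POLICY = build_policy(
    ("Allow", AGENT_READ_ONLY, "*"),
    ("Allow", AGENT_INVOKE, "*"),
)
# The full-access pattern, plus a Deny guardrail that blocks deletions even when
# full access is attached to the same user.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "agentrun:*", "Resource": "*"}]}
NO_DELETE_GUARDRAIL = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "agentrun:Delete*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(OPERATOR_POLICY, indent=2))
    print("operator may invoke:", is_allowed([OPERATOR_POLICY], "agentrun:InvokeRuntime"))
    print("operator may delete:", is_allowed([OPERATOR_POLICY], "agentrun:DeleteAgentRuntime"))
    print("full access + guardrail may delete:",
          is_allowed([FULL_ACCESS, NO_DELETE_GUARDRAIL], "agentrun:DeleteAgentRuntime"))
    print("still missing for instance log-on:", missing_actions([OPERATOR_POLICY], ["fc:InstanceExec"]))
```

The Resource field is left as "*" because this page does not give AgentRun resource identifiers; where the service documents them, narrow each statement to the agents and sandboxes the user actually needs. The Deny guardrail illustrates the evaluation order: attaching it alongside the full-access policy still blocks every agentrun:Delete* action, because an explicit Deny is checked before any Allow.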