All Products
Search
Document Center

Resource Access Management:Validate policies

Last Updated:Jun 02, 2026

When you create a policy, RAM validates the policy document against syntax rules and security best practices. Check results are classified as Error, Security Warning, General Warning, or Suggestion, each with a recommended solution.

Error: Data type mismatch

Error code: Data type mismatch

Error message: Data type mismatch

Solution: Use JSON format for the policy document.

Error: Invalid action format

Error code: Invalid action format

Error message: Invalid action format

Solution: Use the format <ram-code>:<action-name> for the Action element.

Error: Invalid ARN prefix

Error code: Invalid ARN prefix

Error message: Invalid Alibaba Cloud Resource Name (ARN) prefix

Solution: Ensure the ARN starts with the acs prefix. An ARN uniquely identifies an Alibaba Cloud resource.

Error: Invalid condition key format

Error code: Invalid condition key format

Error message: Invalid condition key format

Solution: Use the format <ram-code>:<condition-key> for the condition key.

Error: Invalid condition multiple Boolean

Error code: Invalid condition multiple Boolean

Error message: Multiple Boolean values for a condition

Solution: Ensure the condition key contains only one Boolean value.

Error: Invalid condition operator

Error code: Invalid condition operator

Error message: Invalid condition operator

Solution: Use a valid conditional operator. Supported operators are listed in Condition.

Error: Invalid effect

Error code: Invalid effect

Error message: Invalid effect

Solution: Set the Effect element to Allow or Deny.

Error: Invalid policy element

Error code: Invalid policy element

Error message: Invalid policy element

Solution: Use valid policy elements. For more information about supported policy elements, see Permission policy elements.

Error: Invalid version

Error code: Invalid version

Error message: Invalid version

Solution: Set the Version parameter to 1.

Error: Json syntax error

Error code: Json syntax error

Error message: JSON syntax error

Solution: Fix all JSON syntax errors in the policy document. JSON syntax standards are defined in RFC 7159.

Error: Missing action

Error code: Missing action

Error message: Missing action

Solution: Add the Action or NotAction element to the policy document.

Error: Missing ARN field

Error code: Missing ARN field

Error message: Missing ARN field

Solution: Ensure the ARN contains five fields: acs:<ram-code>:<region>:<account-id>:<relative-id>. An ARN uniquely identifies an Alibaba Cloud resource. Field definitions:

  • acs: An acronym for Alibaba Cloud Service. It represents the public cloud platform of Alibaba Cloud.

  • ram-code: The RAM code for a cloud service. For more information, see the RAM Code column in Cloud services that support RAM.

  • region: The information about the region. For global resources (resources that can be accessed without specifying a region), this field is an asterisk (*). For more information, see Regions and Zones.

  • account-id: The ID of your Alibaba Cloud account. For example: 123456789012****.

  • relative-id: The part of a resource description that is related to a cloud service. Its semantics are defined by the specific cloud service. The format of this part supports a tree-like structure (similar to a file path). For example, the format for an OSS object is: relative-id = "mybucket/dir1/object1.jpg".

Error: Missing effect

Error code: Missing effect

Error message: Missing effect

Solution: Add the Effect element. Set the value to Allow or Deny.

Error: Missing qualifier

Error code: Missing qualifier

Error message: Missing qualifier

Solution: Add the ForAllValues or ForAnyValue qualifier to allow bitwise operations on condition keys with multiple values.

Error: Missing resource

Error code: Missing resource

Error message: Missing resource

Solution: Add the Resource element to the policy document.

Error: Missing statement

Error code: Missing statement

Error message: Missing statement

Solution: Add at least one statement block to the policy document. Each statement must include Effect, Action, and Resource.

Error: Unsupported element combination

Error code: Unsupported element combination

Error message: Unsupported element combination

Solution: Do not use both element1 and element2 in the same statement.

Error: Missing version

Error code: Missing version

Error message: Missing version

Solution: Add the Version parameter and set it to 1.

Error: Type mismatch IP range

Error code: Type mismatch IP range

Error message: IP range mismatch

Solution: Specify a valid IP address range in standard CIDR format.

Error: Empty array action

Error code: Empty array action

Error message: Empty array action

Solution: Specify an action in the statement.

Error: Empty array resource

Error code: Empty array resource

Error message: Empty array resource

Solution: Specify a resource in the statement.

Security Warning: ForAllValues with single valued key

Error code: ForAllValues with single valued key

Error message: ForAllValues used for a single-valued key

Solution: Using ForAllValues with a single-valued key may grant excessive permissions. Remove the ForAllValues qualifier.

General Warning: Wildcard without like operator

Error code: Wildcard without like operator

Error message: Wildcard without the like operator

Solution: Use the like operator when the condition value contains a wildcard (* or ?).

General Warning: Type mismatch Boolean

Error code: Type mismatch Boolean

Error message: Boolean type mismatch

Solution: Set the condition value to true or false.

General Warning: Type mismatch date

Error code: Type mismatch date

Error message: Date type mismatch

Solution: Ensure the condition value uses a valid date format and matches the date-type conditional operator.

General Warning: Type mismatch number

Error code: Type mismatch number

Error message: Number type mismatch

Solution: Specify a valid number for the condition value.

Suggestion: Empty array condition

Error code: Empty array condition

Error message: Empty array condition

Solution: Specify a value for the condition key.

Suggestion: Empty object condition

Error code: Empty object condition

Error message: Empty object condition

Solution: Make sure that the condition block is not empty.

Suggestion: Improve IP range

Error code: Improve IP range

Error message: IP range improvement

Solution: Non-zero host bits are ignored after applying the subnet mask. Specify a correct IP address range.

Suggestion: Wildcard in service name

Error code: Wildcard in service name

Error message: Wildcard in the service name

Solution: Do not use wildcards (* or ?) in the service name. Wildcards in service names may grant unintended access to similarly named services.