All Products
Search
Document Center

Resource Access Management:RAM authorization

Last Updated:Jul 15, 2026

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by 访问控制 for RAM permission policies. The RAM code (RamCode) for 访问控制 is ram , and the supported authorization granularity is 资源级 .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}        

The following list describes the fields in the policy:

  • Version: Specifies the policy version number. It is fixed at 1.

  • Statement:

    • Effect: Specifies the authorization result. Valid values: Allow and Deny.

    • Action: Specifies one or more operations that are allowed or denied.

    • Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.

    • Condition: Specifies the conditions for the authorization to take effect. This field is optional.

      • Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.

      • Condition_key: Specifies the condition keys.

      • Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by 访问控制. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

API

Access level

Resource type

Condition key

Dependent action

ram:ClearAccountAlias ClearAccountAlias update

*全部资源

*

None None
ram:ListPublicKeys ListPublicKeys list

*User

acs:ram::{#accountId}:user/{#UserName}

None None
ram:UploadPublicKey UploadPublicKey create

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:SetSecurityPreference SetSecurityPreference update

*全部资源

*

None None
ram:ListVirtualMFADevices ListVirtualMFADevices get

*MFADevice

acs:ram:*:{#accountId}:mfa/*

None None
ram:GetPolicy GetPolicy get

Policy

acs:ram:*:system:policy/{#PolicyName}

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:CreatePolicy CreatePolicy create

*Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:DeleteGroup DeleteGroup delete

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

None None
ram:SetAccountAlias SetAccountAlias update

*全部资源

*

None None
ram:GetPolicyVersion GetPolicyVersion get

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

Policy

acs:ram:*:system:policy/{#PolicyName}

None None
ram:CreateAccessKey CreateAccessKey create

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:ListPoliciesForRole ListPoliciesForRole get

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

None None
ram:DeactivateService DeactivateService update

*全部资源

*

None None
ram:BindMFADevice BindMFADevice

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:ListRoles ListRoles get

*Role

acs:ram:*:{#accountId}:role/*

None None
ram:GetSecurityPreference GetSecurityPreference get

*全部资源

*

None None
ram:ListUsers ListUsers get

*User

acs:ram:*:{#accountId}:user/*

None None
ram:UpdateAccessKey UpdateAccessKey update

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:AttachPolicyToUser AttachPolicyToUser update

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

*User

acs:ram:*:{#accountId}:user/{#UserName}

Policy

acs:ram:*:system:policy/{#PolicyName}

None None
ram:DeleteRole DeleteRole delete

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

ram:TrustedPrincipalTypes

ram:ServiceNames

None
ram:GetServiceLinkedRoleDeletionStatus GetServiceLinkedRoleDeletionStatus get

*ServiceLinkedRole

acs:ram:*:{#accountId}:role/{#RoleName}

ram:ServiceName

None
ram:CreateRole CreateRole create

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

ram:TrustedPrincipalTypes

ram:ServiceNames

None
ram:DeleteLoginProfile DeleteLoginProfile delete

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:ListGroupsForUser ListGroupsForUser get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:UpdateUser UpdateUser update

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:ActivateService ActivateService update

*全部资源

*

None None
ram:DetachPolicyFromGroup DetachPolicyFromGroup update

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

Policy

acs:ram:*:system:policy/{#PolicyName}

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:DecodeDiagnosticMessage DecodeDiagnosticMessage get

*全部资源

*

None None
ram:ListEntitiesForPolicy ListEntitiesForPolicy get

Policy

acs:ram:*:system:policy/{#PolicyName}

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:GetServiceLastAccessedDetails GetServiceLastAccessedDetails get

*全部资源

*

None None
ram:GetUser GetUser get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:GetGroup GetGroup get

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

None None
ram:ListPolicies ListPolicies get

*Policy

acs:ram:*:{#accountId}:policy/*

None None
ram:UpdateRole UpdateRole update

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

ram:TrustedPrincipalTypes

ram:ServiceNames

None
ram:AttachPolicyToRole AttachPolicyToRole update

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

Policy

acs:ram:*:system:policy/{#PolicyName}

ram:TrustedPrincipalTypes

ram:ServiceNames

None
ram:GetPasswordPolicy GetPasswordPolicy get

*全部资源

*

None None
ram:AttachPolicyToGroup AttachPolicyToGroup update

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

Policy

acs:ram:*:system:policy/{#PolicyName}

None None
ram:DeleteServiceLinkedRole DeleteServiceLinkedRole delete

*ServiceLinkedRole

acs:ram:*:{#accountId}:role/{#RoleName}

ram:ServiceName

None
ram:DetachPolicyFromRole DetachPolicyFromRole update

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

Policy

acs:ram:*:system:policy/{#PolicyName}

ram:TrustedPrincipalTypes

ram:ServiceNames

None
ram:UpdatePolicyDescription UpdatePolicyDescription update

*Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:ListRoles ListRolesForService list

*Role

acs:ram:*:{#accountId}:role/*

None None
ram:CreateLoginProfile CreateLoginProfile create

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:UpdateLoginProfile UpdateLoginProfile update

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:DeletePolicyVersion DeletePolicyVersion delete

*Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:UntagResources UntagResources delete

*全部资源

*

None None
ram:RemoveUserFromGroup RemoveUserFromGroup update

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:ListTagResources ListTagResources list

*全部资源

*

None None
ram:GetRole GetRole get

*Role

acs:ram:*:{#accountId}:role/{#RoleName}

None None
ram:GetLoginProfile GetLoginProfile get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:CreateServiceLinkedRole CreateServiceLinkedRole create

*全部资源

*

ram:ServiceName

None
ram:ListUsersForGroup ListUsersForGroup get

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

None None
ram:GenerateServiceLastAccessedDetails GenerateServiceLastAccessedDetails create

*全部资源

*

None None
ram:TagResources TagResources create

*全部资源

*

None None
ram:DeleteUser DeleteUser delete

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:DeletePolicy DeletePolicy delete

*Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:AddUserToGroup AddUserToGroup create

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:GetAccountAlias GetAccountAlias get

*全部资源

*

None None
ram:UnbindMFADevice UnbindMFADevice update

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:DeleteVirtualMFADevice DeleteVirtualMFADevice delete

*MFADevice

acs:ram:*:{#accountId}:mfa/{#SerialNumber}

None None
ram:CreateUser CreateUser create

*User

acs:ram:*:{#accountId}:user/*

None None
ram:DeletePublicKey DeletePublicKey delete

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:CreateGroup CreateGroup create

*Group

acs:ram:*:{#accountId}:group/*

None None
ram:UpdateGroup UpdateGroup update

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

None None
ram:ListAccessKeys ListAccessKeys get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:GetAccountSummary GetAccountSummary get

*全部资源

*

None None
ram:ListPolicyVersions ListPolicyVersions get

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

Policy

acs:ram:*:system:policy/{#PolicyName}

None None
ram:CreateVirtualMFADevice CreateVirtualMFADevice create

*MFADevice

acs:ram:*:{#accountId}:mfa/*

None None
ram:SetDefaultPolicyVersion SetDefaultPolicyVersion update

*Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:ListPoliciesForGroup ListPoliciesForGroup get

*Group

acs:ram:*:{#accountId}:group/{#GroupName}

None None
ram:GetPublicKey GetPublicKey get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:DeleteAccessKey DeleteAccessKey delete

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:GetServiceStatus GetServiceStatus get

*全部资源

*

None None
ram:ChangePassword ChangePassword update

*全部资源

*

None None
ram:DetachPolicyFromUser DetachPolicyFromUser update

Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

*User

acs:ram:*:{#accountId}:user/{#UserName}

Policy

acs:ram:*:system:policy/{#PolicyName}

None None
ram:ListPoliciesForUser ListPoliciesForUser get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:GetUserMFAInfo GetUserMFAInfo get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:CreatePolicyVersion CreatePolicyVersion create

*Policy

acs:ram:*:{#accountId}:policy/{#PolicyName}

None None
ram:SetPasswordPolicy SetPasswordPolicy update

*全部资源

*

None None
ram:GetAccessKeyLastUsed GetAccessKeyLastUsed get

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:UpdatePublicKey UpdatePublicKey update

*User

acs:ram:*:{#accountId}:user/{#UserName}

None None
ram:ListGroups ListGroups get

*Group

acs:ram:*:{#accountId}:group/*

None None

Resource

The following table lists the resources defined by 访问控制. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

  • acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.

  • {#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.

  • {#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).

  • {#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).

  • {#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type

ARN

Unrestricted
  • acs:ram:*:{#accountId}:*
User
  • acs:ram::{#accountId}:user/{#UserName}
  • acs:ram:*:{#accountId}:user/{#UserName}
  • acs:ram:*:{#accountId}:user/*
  • {#Arn}
MFADevice
  • acs:ram:*:{#accountId}:mfa/*
  • acs:ram:*:{#accountId}:mfa/{#SerialNumber}
Policy
  • acs:ram:*:system:policy/{#PolicyName}
  • acs:ram:*:{#accountId}:policy/{#PolicyName}
  • acs:ram:*:{#accountId}:policy/*
  • acs:ram::{#accountId}:policy/{#PolicyName}
Group
  • acs:ram:*:{#accountId}:group/{#GroupName}
  • acs:ram:*:{#accountId}:group/*
Role
  • acs:ram:*:{#accountId}:role/{#RoleName}
  • acs:ram:*:{#accountId}:role/*
  • acs:ram::{#accountId}:role/{#RoleName}
ServiceLinkedRole
  • acs:ram:*:{#accountId}:role/{#RoleName}
  • acs:ram:*:{#accountId}:role/*

Condition

The following table lists the product-level condition keys defined by 访问控制. You can also use Alibaba Cloud's Common condition keys. Specify these keys in the Condition element of RAM policy statements to define granular authorization rules. In the condition key, specify the condition values in the Condition_value element of the policy.

Each condition key has a specific data type, such as string, number, Boolean, or IP address. The data type determines which conditional operators can be used to compare the request values against policy values. You must specify the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition operator for valid combinations.

Condition key

Description

Data type

acs:Service The identity to which a role can be passed to a cloud service. This condition applies only to the PassRole operation. Example value: actiontrail.aliyuncs.com. String
ram:ServiceNames The trusted cloud service identities for a service role. This condition supports multiple values. Example value: [\"ecs.aliyun.com\",\"rds.aliyuncs.com\"]. Array
ram:TrustedPrincipalTypes The types of trusted entities for a role. This condition supports multiple values. Array

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: