This topic describes the elements of policies that are used in Resource Access Management (RAM) to define permissions. The elements are Effect, Action, Resource, and Condition.

Element     Description
Effect      Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action      Describes one or more API operations that are allowed or denied.
Resource    Specifies one or more objects that the statement covers.
Condition   Specifies the conditions that are required for a policy to take effect.

Effect

  • Valid values are Allow and Deny.
    Note If policies that apply to a request include an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement.
  • Example: "Effect": "Allow"

Action

  • Valid values are the names of operations from Alibaba Cloud services. This element can contain one or more values.
    Note In most cases, each Alibaba Cloud service has an exclusive set of API operations. For more information, see the documentation of each Alibaba Cloud service.
  • Format: <ram-code>:<action-name>.
    • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Services that work with RAM.
    • action-name: the name of one or more API operations in the service.
  • Example: "Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"]

Resource

  • Valid values are the Alibaba Cloud Resource Names (ARNs) of the resources. This element can contain one or more values.
  • Format: acs:<ram-code>:<region>:<account-id>:<relative-id>, which complies with the format of ARNs.
    • acs: the acronym of Alibaba Cloud Service.
    • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Services that work with RAM.
    • region: the ID of the region. If the statement covers a global resource, leave this field empty; a global resource can be accessed without specifying a region. For more information, see Regions and zones.
    • account-id: the ID of the Alibaba Cloud account. For example, you can enter 123456789012****.
    • relative-id: the identifier of the service-related resource. The meaning of this element varies based on services. The format of the relative-id element is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an Object Storage Service (OSS) object.
  • Example: "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002", "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"]

Condition

A condition block contains one or more conditions. Each condition consists of operators, keys, and values.
[Figure: Condition block]
  • Evaluation logic
    • You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.
    • A condition can have multiple keys that are attached to a single conditional operator. The condition of this type is met only if all requirements for the keys are met.
    • A condition block is met only if all of its conditions are met.
  • Conditional operators

    Conditional operators can be classified into the following categories: string, number, date and time, Boolean, and IP address.

    Category        Conditional operators
    String          StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
    Number          NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
    Date and time   DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
    Boolean         Bool
    IP address      IpAddress, NotIpAddress
  • Condition keys
    • The format of common condition keys is acs:<condition-key>.
      Common condition key   Category        Description
      acs:CurrentTime        Date and time   The time at which a request is received by the web server, in ISO 8601 format. Example: 2012-11-11T23:59:59Z.
      acs:SecureTransport    Boolean         Whether a secure channel, such as HTTPS, is used to send the request.
      acs:SourceIp           IP address      The IP address of the client that sends the request.
        Note If you specify only one value for the acs:SourceIp condition key, the value must be an IP address, such as 10.0.0.1. CIDR blocks such as 10.0.0.1/32 cannot be used.
      acs:MFAPresent         Boolean         Whether multi-factor authentication (MFA) is used during user logon.
      acs:PrincipalARN       String          The ARN of the principal that performs the operation. This key can be used only in access control policies of resource directories. Example: acs:ram:*:*:role/*resourcedirectory*.
        Note You can specify an ARN only for a specified RAM role. The name can contain only lowercase letters. You can view the ARN of a RAM role on the role details page in the RAM console.
    • The format of a condition key that is specific to an Alibaba Cloud service is <ram-code>:<condition-key>.
      Service-specific condition key   Service   Category   Description
      ecs:tag/<tag-key>                ECS       String     The tag key of Elastic Compute Service (ECS) resources. This key can be customized.
        Note <tag-key> is a placeholder. Replace it with the actual tag key.
      rds:ResourceTag/<tag-key>        RDS       String     The tag key of ApsaraDB RDS resources. This key can be customized.
        Note <tag-key> is a placeholder. Replace it with the actual tag key.
      oss:Delimiter                    OSS       String     The delimiter that is used to categorize OSS object names.
      oss:Prefix                       OSS       String     The prefix of an OSS object name.
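The following evaluator is an added illustration, not code from the RAM documentation or the RAM service itself. It applies the rules described above to a constructed policy: an applicable Deny statement overrides an Allow, Action and Resource values are matched with wildcards, and a condition block holds only when every operator/key pair holds (a key with several values matches any one of them, or none of them for a Not* operator). The sample policy, the request context keys and the simplified "*" matching are assumptions made for this example.

```python
import fnmatch
import ipaddress
import json

# Constructed sample policy (illustration only, not taken from the page).
POLICY = json.loads("""{"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListBuckets", "ecs:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ecs:Describe*",
     "Resource": "acs:ecs:*:*:instance/inst-002",
     "Condition": {"Bool": {"acs:MFAPresent": "false"},
                   "IpAddress": {"acs:SourceIp": ["10.0.0.1", "10.0.0.2"]}}}
]}""")

_as_list = lambda v: v if isinstance(v, list) else [v]

# One operator per category from the page's table; Not* variants derive from these.
OPERATORS = {
    "StringEquals": lambda req, val: req == val,
    "StringLike": lambda req, val: fnmatch.fnmatchcase(req, val),
    "DateLessThan": lambda req, val: req < val,  # ISO 8601 UTC strings sort as text
    "Bool": lambda req, val: str(req).lower() == str(val).lower(),
    "IpAddress": lambda req, val: ipaddress.ip_address(req) in ipaddress.ip_network(val, strict=False),
}

def condition_met(cond, ctx):
    """Every operator/key pair must hold; a multi-valued key matches any one value (none for Not*)."""
    for op, keys in cond.items():
        negated = "Not" in op
        base = OPERATORS[op.replace("Not", "", 1)]
        for key, values in keys.items():
            if key not in ctx:  # a key absent from the request context never matches
                return False
            if any(base(ctx[key], v) for v in _as_list(values)) == negated:
                return False
    return True

def _matches(patterns, value):  # simplified: "*" spans every segment of an action/ARN
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource, ctx):
    """Implicit deny unless an Allow applies; any applicable Deny wins (page's Note)."""
    decision = "Deny"
    for st in policy["Statement"]:
        if (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and condition_met(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Running evaluate for ecs:DescribeInstances against instance/inst-002 with acs:MFAPresent set to "false" from 10.0.0.1 returns Deny, while the same call with MFA present, or from another source IP, falls through to the Allow statement.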