Before you call an Alibaba Cloud API as a Resource Access Management (RAM) user, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.
Resource authorization
By default, a RAM user is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you call an API as a RAM user, you must grant the RAM user the permissions to call the API by creating an authorization policy and attaching the policy to the RAM user.
In an authorization policy, a resource is identified by its Alibaba Cloud Resource Name (ARN), which has the following format:
acs:service-name:region:account-id:resource-relative-id
- acs: the abbreviation for Alibaba Cloud Service.
- service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), or Resource Orchestration Service (ROS).
- region: the region where the service resides. If this option is not supported, use the asterisk (*) instead.
- account-id: the ID of the Alibaba Cloud account, such as 123456789012****.
- resource-relative-id: the specific description of a resource. The description varies by service. For more information, see the documentation of each service.
For example, acs:oss:123456789012****:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in OSS, and 123456789012**** is the ID of the Alibaba Cloud account to which the resource belongs.
Types of ROS resources that can be authorized
Resource type | ARN format in the authorization policy |
---|---|
Stack | acs:ros:$regionid:$accountid:stack/$stackid |
Stack | acs:ros:$regionid:$accountid:stack/* |
Template | acs:ros:$regionid:$accountid:template/$templateid |
Template | acs:ros:$regionid:$accountid:template/* |
StackGroup | acs:ros:$regionid:$accountid:stack_group/* |
ROS API operations that can be authorized
- Stack operations

API operation | Action | ARN format |
---|---|---|
PreviewStack | ros:PreviewStack | acs:ros:cn-hangzhou:$accountid:stack/* |
CreateStack | ros:CreateStack | acs:ros:cn-hangzhou:$accountid:stack/* |
ContinueCreateStack | ros:ContinueCreateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
SetDeletionProtection | ros:SetDeletionProtection | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
UpdateStack | ros:UpdateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
CancelUpdateStack | ros:CancelUpdateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
GetStack | ros:GetStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
ListStacks | ros:ListStacks | acs:ros:cn-hangzhou:$accountid:stack/* |
ListStackEvents | ros:ListStackEvents | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
ListStackOperationRisks | ros:ListStackOperationRisks | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
DeleteStack | ros:DeleteStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
CreateChangeSet | ros:CreateChangeSet | When ChangeSetType is set to CREATE: acs:ros:cn-hangzhou:$accountid:stack/*; when ChangeSetType is set to UPDATE: acs:ros:cn-hangzhou:$accountid:stack/$stackid; when ChangeSetType is set to IMPORT: acs:ros:cn-hangzhou:$accountid:stack/* |
ExecuteChangeSet | ros:ExecuteChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
GetChangeSet | ros:GetChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
ListChangeSets | ros:ListChangeSets | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
DeleteChangeSet | ros:DeleteChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |

- Resource operations

API operation | Action | ARN format |
---|---|---|
GetResourceTypeTemplate | ros:GetResourceTypeTemplate | No authentication required |
ListStackResources | ros:ListStackResources | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
GetStackResource | ros:GetStackResource | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
GetResourceType | ros:GetResourceType | No authentication required |
ListResourceTypes | ros:ListResourceTypes | No authentication required |
MoveResourceGroup | ros:MoveResourceGroup | When ResourceType is set to stack: acs:ros:cn-hangzhou:$accountid:stack/*; when ResourceType is set to stackgroup: acs:ros:cn-hangzhou:$accountid:stack_group/*; when ResourceType is set to template: acs:ros:cn-hangzhou:$accountid:template/* |

- Stack group operations

API operation | Action | ARN format |
---|---|---|
CreateStackGroup | ros:CreateStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
UpdateStackGroup | ros:UpdateStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/$stackid |
GetStackGroup | ros:GetStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/$stackid |
ListStackGroups | ros:ListStackGroups | acs:ros:cn-hangzhou:$accountid:stack_group/* |
DeleteStackGroup | ros:DeleteStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/$stackid |
CreateStackInstances | ros:CreateStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
UpdateStackInstances | ros:UpdateStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
GetStackInstance | ros:GetStackInstance | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
ListStackInstances | ros:ListStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
DeleteStackInstances | ros:DeleteStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
GetStackGroupOperation | ros:GetStackGroupOperation | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
ListStackGroupOperations | ros:ListStackGroupOperations | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
ListStackGroupOperationResults | ros:ListStackGroupOperationResults | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
StopStackGroupOperation | ros:StopStackGroupOperation | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |

- Template operations

API operation | Action | ARN format |
---|---|---|
GenerateTemplatePolicy | ros:GenerateTemplatePolicy | acs:ros:cn-hangzhou:$accountid:template/$templateid. Note: if the TemplateId parameter is specified, authentication is required. |
CreateTemplate | ros:CreateTemplate | acs:ros:cn-hangzhou:$accountid:template/* |
ValidateTemplate | ros:ValidateTemplate | No authentication required |
UpdateTemplate | ros:UpdateTemplate | acs:ros:cn-hangzhou:$accountid:template/$templateid |
GetTemplate | ros:GetTemplate | acs:ros:cn-hangzhou:$accountid:stack/$stackid; acs:ros:$regionid:$accountid:stack_group/*; acs:ros:cn-hangzhou:$accountid:template/$templateid |
GetTemplateEstimateCost | ros:GetTemplateEstimateCost | acs:ros:cn-hangzhou:$accountid:* |
GetTemplateSummary | ros:GetTemplateSummary | acs:ros:cn-hangzhou:$accountid:template/$templateid. Note: if the TemplateId parameter is specified, authentication is required. |
ListTemplates | ros:ListTemplates | acs:ros:cn-hangzhou:$accountid:template/* |
ListTemplateVersions | ros:ListTemplateVersions | acs:ros:cn-hangzhou:$accountid:template/$templateid |
SetTemplatePermission | ros:SetTemplatePermission | acs:ros:cn-hangzhou:$accountid:* |
DeleteTemplate | ros:DeleteTemplate | acs:ros:cn-hangzhou:$accountid:template/$templateid |

- Tag operations

API operation | Action | ARN format |
---|---|---|
ListTagResources | ros:ListTagResources | acs:ros:cn-hangzhou:$accountid:tag/* |
ListTagKeys | ros:ListTagKeys | acs:ros:cn-hangzhou:$accountid:tag/* |
ListTagValues | ros:ListTagValues | acs:ros:cn-hangzhou:$accountid:tag/* |
UntagResources | ros:UntagResources | acs:ros:cn-hangzhou:$accountid:tag/* |

- Other operations

API operation | Action | ARN format |
---|---|---|
DescribeRegions | ros:DescribeRegions | No authentication required |
SignalResource | ros:SignalResource | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
GetStackPolicy | ros:GetStackPolicy | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
SetStackPolicy | ros:SetStackPolicy | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
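As an added example that is not part of the Alibaba Cloud documentation, the following Python script shows how the ARN format above and the stack/$stackid versus stack/* distinction from the tables decide what a policy statement covers: it parses ARNs segment by segment and runs a simplified Allow/Deny evaluation over a constructed least-privilege policy. The policy, the account and stack placeholders, and the functions `parse_arn`, `arn_matches` and `is_allowed` are all assumptions of this example; the evaluation logic is a simplification, not RAM's own engine.

```python
import fnmatch
import json
# Constructed example policy, not taken from the page: a RAM user may read one
# specific stack and create stacks in any region, but may never delete stacks.
# The account ID and stack ID are placeholders.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ros:GetStack", "ros:ListStackEvents"],
     "Resource": "acs:ros:cn-hangzhou:123456789012****:stack/STACK-ID-PLACEHOLDER"},
    {"Effect": "Allow",
     "Action": "ros:CreateStack",
     "Resource": "acs:ros:*:123456789012****:stack/*"},
    {"Effect": "Deny",
     "Action": "ros:DeleteStack",
     "Resource": "acs:ros:*:*:stack/*"}
  ]
}
""")

def parse_arn(arn):
    """Split acs:service-name:region:account-id:resource-relative-id into 5 parts."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"malformed ARN: {arn!r}")
    return parts

def arn_matches(pattern, arn):
    """Match segment by segment so a '*' region cannot swallow ':' separators."""
    return all(fnmatch.fnmatchcase(value, pat)
               for pat, value in zip(parse_arn(pattern), parse_arn(arn)))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, arn):
    """Simplified (assumed) evaluation: a matching Deny wins, else any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the checker against the actions and ARN formats in the tables above before attaching a policy makes it visible when a statement written with stack/* grants far more than one stack.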