All Products
Search
Document Center

Resource Orchestration Service:RAM authorization

Last Updated:Apr 10, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by ROS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ROS is ros. You can grant permissions on ROS at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

ROS defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
ros:CancelUpdateStackCancelUpdateStackWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ContinueCreateStackContinueCreateStackWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:CreateChangeSetCreateChangeSetWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/*
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:CreateStackCreateStackWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/*
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:CreateStackGroupCreateStackGroupWrite
All Resources
*
NoneNone
ros:CreateStackInstancesCreateStackInstancesWrite
All Resources
*
NoneNone
ros:CreateTemplateCreateTemplateWrite
template
acs:ros:{#regionId}:{#accountId}:template/*
NoneNone
ros:CreateTemplateScratchCreateTemplateScratchWrite
All Resources
*
NoneNone
ros:DeleteChangeSetDeleteChangeSetWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:DeleteStackDeleteStackWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:DeleteStackGroupDeleteStackGroupWrite
All Resources
*
NoneNone
ros:DeleteStackInstancesDeleteStackInstancesWrite
All Resources
*
NoneNone
ros:DeleteTemplateDeleteTemplateWrite
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:DeleteTemplateScratchDeleteTemplateScratchRead
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:DetectStackDriftDetectStackDriftWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:DetectStackGroupDriftDetectStackGroupDriftWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
stack_group
acs:ros:{#regionId}:{#accountId}:stack_group/*
NoneNone
ros:DetectStackResourceDriftDetectStackResourceDriftWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ExecuteChangeSetExecuteChangeSetWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GenerateTemplateByScratchGenerateTemplateByScratchWrite
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:GenerateTemplatePolicyGenerateTemplatePolicyWrite
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:GetChangeSetGetChangeSetRead
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackGetStackRead
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackDriftDetectionStatusGetStackDriftDetectionStatusRead
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackGroupGetStackGroupRead
stack_group
acs:ros:{#regionId}:{#accountId}:stack_group/*
NoneNone
ros:GetStackGroupOperationGetStackGroupOperationRead
All Resources
*
NoneNone
ros:GetStackInstanceGetStackInstanceRead
All Resources
*
NoneNone
ros:GetStackPolicyGetStackPolicyRead
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackResourceGetStackResourceRead
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetTemplateGetTemplateRead
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:GetTemplateEstimateCostGetTemplateEstimateCostRead
All Resources
*
NoneNone
ros:GetTemplateScratchGetTemplateScratchRead
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:GetTemplateSummaryGetTemplateSummaryRead
All Resources
*
NoneNone
ros:ListChangeSetsListChangeSetsList
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStackEventsListStackEventsList
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStackGroupOperationResultsListStackGroupOperationResultsList
All Resources
*
NoneNone
ros:ListStackGroupOperationsListStackGroupOperationsRead
All Resources
*
NoneNone
ros:ListStackGroupsListStackGroupsList
stack_group
acs:ros:{#regionId}:{#accountId}:stack_group/*
NoneNone
ros:ListStackInstancesListStackInstancesList
All Resources
*
NoneNone
ros:ListStackOperationRisksListStackOperationRisksList
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStackResourceDriftsListStackResourceDriftsList
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStackResourcesListStackResourcesList
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStacksListStacksList
stack
acs:ros:{#regionId}:{#accountId}:stack/*
NoneNone
ros:ListTagKeysListTagKeysList
tag
acs:ros:{#regionId}:{#accountId}:tag/*
NoneNone
ros:ListTagResourcesListTagResourcesList
tag
acs:ros:{#regionId}:{#accountId}:tag/*
NoneNone
ros:ListTagValuesListTagValuesList
tag
acs:ros:{#regionId}:{#accountId}:tag/*
NoneNone
ros:ListTemplateScratchesListTemplateScratchesRead
All Resources
*
NoneNone
ros:ListTemplateVersionsListTemplateVersionsList
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
NoneNone
ros:ListTemplatesListTemplatesList
template
acs:ros:{#regionId}:{#accountId}:template/*
NoneNone
ros:MoveResourceGroupMoveResourceGroupRead
All Resources
*
NoneNone
ros:PreviewStackPreviewStackRead
stack
acs:ros:{#regionId}:{#accountId}:stack/*
NoneNone
ros:SetDeletionProtectionSetDeletionProtectionWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:SetStackPolicySetStackPolicyWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:SetTemplatePermissionSetTemplatePermissionWrite
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
NoneNone
ros:TagResourcesTagResourcesWrite
tag
acs:ros:{#regionId}:{#accountId}:tag/*
NoneNone
ros:UntagResourcesUntagResourcesWrite
tag
acs:ros:{#regionId}:{#accountId}:tag/*
NoneNone
ros:UpdateStackUpdateStackWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:UpdateStackGroupUpdateStackGroupWrite
All Resources
*
NoneNone
ros:UpdateStackInstancesUpdateStackInstancesWrite
All Resources
*
NoneNone
ros:UpdateStackTemplateByResourcesUpdateStackTemplateByResourcesWrite
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:UpdateTemplateUpdateTemplateWrite
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:UpdateTemplateScratchUpdateTemplateScratchWrite
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:ValidateTemplateValidateTemplateRead
All Resources
*
NoneNone

Resource

ROS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • {#resourceType} is set to *, all resources are specified.
    • {#regionId} is set to *, all regions are specified.
    • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
Resource typeARN
Templateacs:{#ramcode}:{#regionId}:{#accountId}:template/{#TemplateId}
StackGroupacs:{#ramcode}:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
StackInstanceacs:{#ramcode}:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
TemplateScratchacs:{#ramcode}:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}

Condition

ROS does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: