RAM authorization - Resource Orchestration Service - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Resource Orchestration Service for RAM permission policies. The RAM code (RamCode) for Resource Orchestration Service is ros , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Resource Orchestration Service. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
ros:GetStackGroupOperation	GetStackGroupOperation	get	*StackGroupOperation `acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}`	None	None
ros:GetStackInstance	GetStackInstance	get	*StackInstance `acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}`	None	None
ros:GetTemplateScratch	GetTemplateScratch	get	*TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}`	None	None
ros:ListDiagnostics	ListDiagnostics	list	All Resource ``	None	None
ros:ExecuteChangeSet	ExecuteChangeSet	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:UnTagResources	UntagResources	update	StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}` TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}` Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}`	None	None
ros:ListResourceTypes	ListResourceTypes	get	All Resource ``	None	None
ros:GetResourceType	GetResourceType	get	All Resource ``	None	None
ros:ListStackGroups	ListStackGroups	get	StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/`	None	None
ros:EnableServices	EnableServices	none	All Resource ``	None	None
ros:StopStackGroupOperation	StopStackGroupOperation	update	*StackGroupOperation `acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}`	None	None
ros:GetTemplateParameterConstraints	GetTemplateParameterConstraints	get	All Resource ``	None	None
ros:GetStackResource	GetStackResource	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:ListTagValues	ListTagValues	get	All Resource ``	None	None
ros:CreateTemplate	CreateTemplate	create	Template `acs:ros:{#regionId}:{#accountId}:template/`	None	None
ros:ListResourceTypeRegistrations	ListResourceTypeRegistrations	get	All Resource ``	None	None
ros:DeleteTemplate	DeleteTemplate	delete	*template `acs:ros:{#regionId}:{#accountId}:template/{#templateId}`	None	None
ros:ListChangeSets	ListChangeSets	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:CreateAITask	CreateAITask	create	All Resource ``	None	None
ros:DetectStackResourceDrift	DetectStackResourceDrift	delete	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:ListTemplates	ListTemplates	list	Template `acs:ros:{#regionId}:{#accountId}:template/`	None	None
ros:SetResourceType	SetResourceType	update	All Resource ``	None	None
ros:TagResources	TagResources	update	Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}` StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}` *TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}`	None	None
ros:GetStackGroup	GetStackGroup	get	*StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}`	None	None
ros:ListSummaries	ListSummaries	get	All Resource ``	None	None
ros:UpdateStackInstances	UpdateStackInstances	update	*StackInstance `acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}`	None	None
ros:CancelStackOperation	CancelStackOperation	delete	*Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}`	None	None
ros:ListTemplateVersions	ListTemplateVersions	get	Template `acs:ros::{#accountId}:template/{#TemplateId}`	None	None
ros:DeleteStackInstances	DeleteStackInstances	delete	*StackInstance `acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}`	None	None
ros:GetChangeSet	GetChangeSet	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:DetectStackDrift	DetectStackDrift	delete	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:DeleteTemplateScratch	DeleteTemplateScratch	delete	*TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}`	None	None
ros:GetDiagnostic	GetDiagnostic	list	All Resource ``	None	None
ros:PreviewStack	PreviewStack	get	*Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:ListResourceTypeVersions	ListResourceTypeVersions	get	All Resource ``	None	None
ros:EnableServiceAccess	EnableServiceAccess		All Resource ``	None	None
ros:DeregisterResourceType	DeregisterResourceType	delete	All Resource ``	None	None
ros:CreateDiagnostic	CreateDiagnostic	create	All Resource ``	None	None
ros:ListAITasks	ListAITasks	list	All Resource ``	None	None
ros:GetStackPolicy	GetStackPolicy	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:GetStack	GetStack	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:CreateStackGroup	CreateStackGroup	create	*StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:DeleteChangeSet	DeleteChangeSet	delete	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:ListStackEvents	ListStackEvents	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:DeleteDiagnostic	DeleteDiagnostic	delete	All Resource ``	None	None
ros:ListStackGroupOperations	ListStackGroupOperations	get	*StackGroupOperation `acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}`	None	None
ros:ImportStacksToStackGroup	ImportStacksToStackGroup	create	*StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}`	None	None
ros:GetTemplateRecommendParameters	GetTemplateRecommendParameters		All Resource ``	None	None
ros:CreateTemplateScratch	CreateTemplateScratch	create	TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/`	None	None
ros:UpdateStack	UpdateStack	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:GetTemplateSummary	GetTemplateSummary	get	Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}`	None	None
ros:ListStackOperationRisks	ListStackOperationRisks	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:SignalResource	SignalResource	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:ContinueCreateStack	ContinueCreateStack	update	All Resource ``	None	None
ros:ListAITaskEvents	ListAITaskEvents	list	All Resource ``	None	None
ros:ListTemplateScratches	ListTemplateScratches	get	TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/`	None	None
ros:ListStackResourceDrifts	ListStackResourceDrifts	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:DisableServiceAccess	DisableServiceAccess	delete	All Resource ``	None	None
ros:CreateStackInstances	CreateStackInstances	create	*StackInstance `acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}`	None	None
ros:DetectStackGroupDrift	DetectStackGroupDrift	delete	*StackGroup `acs:ros:{#regionId}:{#accountId}:stack_group/{#StackGroupName}`	None	None
ros:GetResourceTypeRecommendedTemplate	GetResourceTypeRecommendedTemplate	get	All Resource ``	None	None
ros:GetTemplate	GetTemplate	get	stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}` template `acs:ros:*:{#accountId}:template/{#templateId}`	None	None
ros:ListTagKeys	ListTagKeys	get	All Resource ``	None	None
ros:GetServiceProvisions	GetServiceProvisions	list	All Resource ``	None	None
ros:CancelUpdateStack	CancelUpdateStack	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:SetStackPolicy	SetStackPolicy	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:GenerateTemplateByScratch	GenerateTemplateByScratch	list	*TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}`	None	None
ros:DeleteStack	DeleteStack	delete	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:GenerateTemplatePolicy	GenerateTemplatePolicy	list	Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:GetTemplateEstimateCost	GetTemplateEstimateCost	get	All Resource ``	None	None
ros:RegisterResourceType	RegisterResourceType	create	All Resource ``	None	None
ros:GetAITask	GetAITask	get	All Resource ``	None	None
ros:CreateChangeSet	CreateChangeSet	create	*Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:UpdateStackGroup	UpdateStackGroup	update	*StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:MoveResourceGroup	MoveResourceGroup	update	All Resource ``	None	None
ros:DeleteStackGroup	DeleteStackGroup	delete	*StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}`	None	None
ros:ListTagResources	ListTagResources	get	Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}` StackGroup `acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}` TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}` Stack `acs:ros:{#regionId}:{#accountId}:stack/{#StackId}`	None	None
ros:UpdateTemplate	UpdateTemplate	update	*template `acs:ros:{#regionId}:{#accountId}:template/{#templateId}`	None	None
ros:GetStackDriftDetectionStatus	GetStackDriftDetectionStatus	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:SetTemplatePermission	SetTemplatePermission	update	*Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:ListStackResources	ListStackResources	get	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:GetServiceAccess	GetServiceAccess	get	All Resource ``	None	None
ros:CreateStack	CreateStack	create	Stack `acs:ros:{#regionId}:{#accountId}:stack/` Template `acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}`	None	None
ros:ListStackInstances	ListStackInstances	get	*StackInstance `acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}`	None	None
ros:ListStackGroupOperationResults	ListStackGroupOperationResults	get	*StackGroupOperation `acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}`	None	None
ros:GetResourceTypeTemplate	GetResourceTypeTemplate	get	All Resource ``	None	None
ros:ListStacks	ListStacks	get	Stack `acs:ros:{#regionId}:{#accountId}:stack/`	None	None
ros:UpdateTemplateScratch	UpdateTemplateScratch	update	*TemplateScratch `acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}`	None	None
ros:SetDeletionProtection	SetDeletionProtection	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None
ros:UpdateStackTemplateByResources	UpdateStackTemplateByResources	update	*stack `acs:ros:{#regionId}:{#accountId}:stack/{#stackId}`	None	None

Resource

The following table lists the resources defined by Resource Orchestration Service. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
StackGroupOperation	acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}
StackInstance	acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
TemplateScratch	acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
stack	acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
StackGroup	acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
Template	acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
Stack	acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
StackGroup	acs:ros:{#regionId}:{#accountId}:stackgroup/*
tag	acs:ros:{#regionId}:{#accountId}:tag/*
Template	acs:ros:{#regionId}:{#accountId}:template/*
template	acs:ros:{#regionId}:{#accountId}:template/{#templateId}
Template	acs:ros:*:{#accountId}:template/{#TemplateId}
TemplateScratch	acs:ros:{#regionId}:{#accountId}:templatescratch/*
StackGroup	acs:ros:{#regionId}:{#accountId}:stack_group/{#StackGroupName}
template	acs:ros:*:{#accountId}:template/{#templateId}
Stack	acs:ros:{#regionId}:{#accountId}:stack/*

Condition

Resource Orchestration Service does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: