All Products
Search
Document Center

Resource Orchestration Service:RAM authorization

Last Updated:Sep 12, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by ROS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ROS is ros. You can grant permissions on ROS at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

ROS defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
ros:DetectStackResourceDriftDetectStackResourceDriftdelete
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStackResourcesListStackResourcesget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:CancelUpdateStackCancelUpdateStackupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListResourceTypeRegistrationsListResourceTypeRegistrationsget
All Resources
*
NoneNone
ros:DeleteDiagnosticDeleteDiagnosticdelete
All Resources
*
NoneNone
ros:ListTemplateVersionsListTemplateVersionsget
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
NoneNone
ros:PreviewStackPreviewStackget
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
NoneNone
ros:ListResourceTypeVersionsListResourceTypeVersionsget
All Resources
*
NoneNone
ros:GetServiceProvisionsGetServiceProvisionslist
All Resources
*
NoneNone
ros:DeleteTemplateScratchDeleteTemplateScratchdelete
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:TagResourcesTagResourcesupdate
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}
NoneNone
ros:StopStackGroupOperationStopStackGroupOperationupdate
StackGroupOperation
acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}
NoneNone
ros:GetStackGroupOperationGetStackGroupOperationget
StackGroupOperation
acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}
NoneNone
ros:ContinueCreateStackContinueCreateStackupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackInstanceGetStackInstanceget
StackInstance
acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
NoneNone
ros:GetTemplateParameterConstraintsGetTemplateParameterConstraintsget
All Resources
*
NoneNone
ros:UpdateTemplateUpdateTemplateupdate
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:UpdateStackUpdateStackupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetChangeSetGetChangeSetget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:SetTemplatePermissionSetTemplatePermissionupdate
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
NoneNone
ros:CreateDiagnosticCreateDiagnosticcreate
All Resources
*
NoneNone
ros:ExecuteChangeSetExecuteChangeSetupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetTemplateSummaryGetTemplateSummaryget
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
NoneNone
ros:MoveResourceGroupMoveResourceGroupupdate
All Resources
*
NoneNone
ros:SetDeletionProtectionSetDeletionProtectionupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListResourceTypesListResourceTypesget
All Resources
*
NoneNone
ros:CreateStackGroupCreateStackGroupcreate
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
NoneNone
ros:UpdateTemplateScratchUpdateTemplateScratchupdate
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:ListStackInstancesListStackInstancesget
StackInstance
acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
NoneNone
ros:UpdateStackGroupUpdateStackGroupupdate
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
NoneNone
ros:ListStackResourceDriftsListStackResourceDriftsget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:SetResourceTypeSetResourceTypeupdate
All Resources
*
NoneNone
ros:GetStackDriftDetectionStatusGetStackDriftDetectionStatusget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:DeleteStackInstancesDeleteStackInstancesdelete
StackInstance
acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
NoneNone
ros:ListStackGroupOperationResultsListStackGroupOperationResultsget
StackGroupOperation
acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}
NoneNone
ros:DeleteTemplateDeleteTemplatedelete
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:ListChangeSetsListChangeSetsget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:CreateTemplateScratchCreateTemplateScratchcreate
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/*
NoneNone
ros:DetectStackGroupDriftDetectStackGroupDriftdelete
StackGroup
acs:ros:{#regionId}:{#accountId}:stack_group/{#StackGroupName}
NoneNone
ros:ListStackOperationRisksListStackOperationRisksget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetTemplateGetTemplateget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
template
acs:ros:{#regionId}:{#accountId}:template/{#templateId}
NoneNone
ros:UpdateStackTemplateByResourcesUpdateStackTemplateByResourcesupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:CreateStackCreateStackcreate
Stack
acs:ros:{#regionId}:{#accountId}:stack/*
NoneNone
ros:ListTagKeysListTagKeysget
All Resources
*
NoneNone
ros:GetTemplateEstimateCostGetTemplateEstimateCostget
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
NoneNone
ros:CreateTemplateCreateTemplatecreate
Template
acs:ros:{#regionId}:{#accountId}:template/*
NoneNone
ros:UpdateStackInstancesUpdateStackInstancesupdate
StackInstance
acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
NoneNone
ros:ListTagResourcesListTagResourcesget
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
NoneNone
ros:GetDiagnosticGetDiagnosticlist
All Resources
*
NoneNone
ros:ListTagValuesListTagValuesget
All Resources
*
NoneNone
ros:CreateChangeSetCreateChangeSetcreate
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
NoneNone
ros:RegisterResourceTypeRegisterResourceTypecreate
All Resources
*
NoneNone
ros:DeleteStackGroupDeleteStackGroupdelete
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
NoneNone
ros:GetResourceTypeGetResourceTypeget
All Resources
*
NoneNone
ros:CancelStackOperationCancelStackOperationdelete
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
NoneNone
ros:DeregisterResourceTypeDeregisterResourceTypedelete
All Resources
*
NoneNone
ros:DeleteChangeSetDeleteChangeSetdelete
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:DetectStackDriftDetectStackDriftdelete
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:ListStackEventsListStackEventsget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GenerateTemplatePolicyGenerateTemplatePolicylist
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
NoneNone
ros:DeleteStackDeleteStackdelete
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackPolicyGetStackPolicyget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:UnTagResourcesUntagResourcesupdate
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
Template
acs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}
Stack
acs:ros:{#regionId}:{#accountId}:stack/{#StackId}
NoneNone
ros:ListStackGroupsListStackGroupsget
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/*
NoneNone
ros:GetResourceTypeTemplateGetResourceTypeTemplateget
All Resources
*
NoneNone
ros:CreateStackInstancesCreateStackInstancescreate
StackInstance
acs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
NoneNone
ros:ListStackGroupOperationsListStackGroupOperationsget
StackGroupOperation
acs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}
NoneNone
ros:GetTemplateScratchGetTemplateScratchget
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:GetStackResourceGetStackResourceget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackGetStackget
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GenerateTemplateByScratchGenerateTemplateByScratchlist
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
NoneNone
ros:ListDiagnosticsListDiagnosticslist
All Resources
*
NoneNone
ros:ListTemplatesListTemplatesget
Template
acs:ros:{#regionId}:{#accountId}:template/*
NoneNone
ros:ListTemplateScratchesListTemplateScratchesget
TemplateScratch
acs:ros:{#regionId}:{#accountId}:templatescratch/*
NoneNone
ros:ListStacksListStacksget
Stack
acs:ros:{#regionId}:{#accountId}:stack/*
NoneNone
ros:SignalResourceSignalResourceupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:SetStackPolicySetStackPolicyupdate
stack
acs:ros:{#regionId}:{#accountId}:stack/{#stackId}
NoneNone
ros:GetStackGroupGetStackGroupget
StackGroup
acs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
NoneNone

Resource

ROS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • {#resourceType} is set to *, all resources are specified.
    • {#regionId} is set to *, all regions are specified.
    • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
Resource typeARN
stackacs:ros:{#regionId}:{#accountId}:stack/{#stackId}
Templateacs:ros:{#regionId}:{#accountId}:template/{#TemplateId}
Stackacs:ros:{#regionId}:{#accountId}:stack/{#StackId}
TemplateScratchacs:ros:{#regionId}:{#accountId}:templatescratch/{#templatescratchId}
StackGroupacs:ros:{#regionId}:{#accountId}:stackgroup/{#StackGroupName}
TemplateScratchacs:ros:{#regionId}:{#accountId}:templatescratch/{#TemplateScratchId}
StackGroupOperationacs:ros:{#regionId}:{#accountId}:stackgroupoperation/{#OperationId}
StackInstanceacs:ros:{#regionId}:{#accountId}:stackinstance/{#StackGroupName}/{#StackInstanceAccountId}/{#StackInstanceRegionId}
templateacs:ros:{#regionId}:{#accountId}:template/{#templateId}
TemplateScratchacs:ros:{#regionId}:{#accountId}:templatescratch/*
StackGroupacs:ros:{#regionId}:{#accountId}:stack_group/{#StackGroupName}
Stackacs:ros:{#regionId}:{#accountId}:stack/*
tagacs:ros:{#regionId}:{#accountId}:tag/*
Templateacs:ros:{#regionId}:{#accountId}:template/*
StackGroupacs:ros:{#regionId}:{#accountId}:stackgroup/*

Condition

ROS does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: