All Products
Search
Document Center

Resource Orchestration Service:Use RAM to control resource access

Last Updated:May 29, 2026

Resource Access Management (RAM) is an Alibaba Cloud service that lets you manage user identities and resource access permissions. If multiple users in your organization need to collaborate on resources, use RAM to avoid sharing your Alibaba Cloud account keys. You can assign permissions to users based on the principle of least privilege. This practice helps reduce security risks for your business.

Create a RAM user and grant permissions

Grant a system policy to a RAM user

  1. Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account.

  2. In the navigation pane on the left, click Settings to configure initial settings for RAM.

    You can configure security settings for RAM users. For more information, see Set security policies for RAM users.

  3. In the navigation pane on the left, choose Identity Management > Users. Create a RAM user and set a logon password and an AccessKey for the user.

    For more information, see Create a RAM user.

  4. On the Users page, grant a system policy to the target RAM user.

    Note
    • If you want the RAM user to have read-only permissions for Resource Orchestration Service (ROS) resources, attach the AliyunROSReadOnlyAccess policy to the RAM user.

    • If you want the RAM user to have permissions to manage all ROS operations, attach the AliyunROSFullAccess policy to the RAM user.

Grant a custom policy to a RAM user

  1. In the navigation pane on the left, choose Permission Management > Policies to create a custom policy.

    A custom policy is an authorization policy that defines the operations a RAM user can perform on a stack. For more information, see Create a custom policy.

    An access policy can contain multiple statements. Each statement must include an Action and a Resource. For more information about the Actions and Resources that ROS supports, see Authorizable resource types of ROS.

  2. In the navigation pane on the left, choose Identity Management > Users to grant the custom policy to the target RAM user.

    Note

    You can grant a custom policy to a user group. After you grant the policy to the group, all RAM users in that group inherit the permissions.

Examples of ROS custom policies

  • Example 1: View a list of stacks

    The following policy allows a RAM user to view the list and details of all stacks in the China (Beijing) region. The asterisk (*) is a wildcard character that represents all stacks in the China (Beijing) region.

    {
      "Statement": [
        {
          "Action": [
            "ros:DescribeStacks",
            "ros:DescribeStackDetail"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:*:stack/*"
        }
      ],
      "Version": "1"
    }                                                        
  • Example 2: Create and view stacks

    The following policy allows a RAM user to create and view stacks in all regions.

    {
      "Statement": [
        {
          "Action": [
            "ros:CreateStack",
            "ros:DescribeStacks",
            "ros:DescribeStackDetail",
            "ros:ValidateTemplate"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }                                                      
  • Example 3: Update a stack

    The following policy allows the RAM user 12345**** to update the stack 94dd5431-2df6-4415-81ca-732a7082****.

    {
      "Statement": [
        {
          "Action": [
            "ros:UpdateStack"
          ],
          "Effect": "Allow",
          "Resource": "acs:ros:cn-beijing:12345****:stack/94dd5431-2df6-4415-81ca-732a7082****"
        }
      ],
      "Version": "1"
    }                                                        
  • Example 4: Access all ROS features and resources

    This policy applies regardless of whether ROS uses Alibaba Cloud Security Token Service (STS) for temporary authorization. The policy allows a RAM user to access all ROS features and resources, but not other Alibaba Cloud services. This is only allowed if the user accesses the Alibaba Cloud Management Console or an API over HTTPS from the 42.120.XX.XX/24 CIDR block. Note:

    • acs:SourceIp is set to 42.120.XX.XX/24. This means access to Alibaba Cloud must originate from the specified CIDR block (42.120.XX.XX/24).

    • acs:SecureTransport is set to true. This means access to Alibaba Cloud must use HTTPS.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ros:*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.XX.XX/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ],
      "Version": "1"
    }
  • Example 5: Access all ROS features and resources and configure access to Elastic Compute Service (ECS)

    • If ROS uses STS for temporary authorization: The `acs:SourceIp` and `acs:SecureTransport` conditions cannot be passed through in STS scenarios. Therefore, this policy allows a RAM user to access all ROS features and resources, but not other services, including ECS. This is only allowed if the user accesses the Alibaba Cloud Management Console or an API over HTTPS from the 42.120.XX.XX/24 CIDR block.

    • If ROS does not use STS for temporary authorization: This policy allows a RAM user to access all features and resources of ROS and ECS, but not other services. This is only allowed if the user accesses the Alibaba Cloud Management Console or an API over HTTPS from the 42.120.XX.XX/24 CIDR block.

      Note

      If ROS does not use STS for temporary authorization, the services that support `acs:SourceIp` and `acs:SecureTransport` pass-through are: Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), ApsaraDB RDS (RDS), Tair (Redis OSS-compatible), PrivateZone, Container Service for Kubernetes (ACK), Function Compute (FC), Object Storage Service (OSS), Simple Log Service (SLS), API Gateway, and ActionTrail.

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ros:*",
              "ecs:*"
            ],
            "Resource": "*",
            "Condition": {
              "IpAddress": {
                "acs:SourceIp": "42.120.XX.XX/24"
              },
              "Bool": {
                "acs:SecureTransport": "true"
              }
            }
          }
        ],
        "Version": "1"
      }
  • Example 6: Use tag-based authentication to access and operate ROS resources

    The following policy allows a RAM user to manage ROS resources that have the tag key-value pair {"Environment": "TEST"}.

    {
      "Statement": [
        {
          "Action": "ros:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "acs:ResourceTag/Enviroment": "TEST"
            }
          }
        }
      ],
      "Version": "1"
    }