
Tablestore:Authorization policy syntax and elements

Last Updated: Jun 23, 2026

Tablestore uses JSON-formatted authorization policies for fine-grained resource access control. Each policy defines the Action, Resource, and Condition elements and applies to instance policies, RAM policies, and control policies.

Authorization syntax

An authorization policy uses JSON format and consists of a version number (Version) and one or more authorization statements (Statement). Each statement contains the Effect, Action, Resource, and Condition elements.

Syntax structure

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ots:ActionName"],
            "Resource": ["acs:ots:region:account-id:instance-and-resource-path"],
            "Condition": {
                "ConditionOperator": {
                    "ConditionKey": ["ConditionValue"]
                }
            }
        }
    ]
}

Field description

Field | Description | Required
Version | The version number of the authorization policy. The value is fixed to 1. | Yes
Statement | The body of the authorization. You can configure one or more statements. | Yes
Effect | The authorization effect. Valid values: Allow and Deny. | Yes
Action | The operations to allow or deny. For more information, see Action. | Yes
Resource | The resources to authorize. For more information, see Resource. | Yes
Condition | The conditions under which the authorization takes effect. For more information, see Condition. | No

Action

Action specifies the operations to allow or deny on a resource. Each action must be prefixed with ots:, and multiple actions are separated by commas (,). The asterisk (*) wildcard supports both prefix and suffix matching. Common action definitions:

A single API operation

"Action": "ots:GetRow"

Multiple API operations

"Action": [
    "ots:PutRow",
    "ots:GetRow"
]

All read-only API operations

"Action": [
    "ots:BatchGet*",
    "ots:Describe*",
    "ots:Get*",
    "ots:List*",
    "ots:Consume*",
    "ots:Search",
    "ots:ComputeSplitPointsBySize"
]

All read and write API operations

"Action": "ots:*"

All SQL API operations

"Action": "ots:SQL*"

Resource

Resource specifies the scope of accessible resources and consists of fields such as product, region, account ID, instance name, and table name. Each field supports the asterisk (*) wildcard for both prefix and suffix matching. The format is as follows:

acs:ots:[region]:[user_id]:instance/[instance_name]/table/[table_name]

The product is fixed to ots. [region] is the region ID where the resource resides, such as cn-hangzhou. [user_id] is the Alibaba Cloud account ID. [instance_name] and [table_name] are the instance and table names. Replace these placeholders with your actual values.

For Tunnel operations, the Resource can only be specified at the instance level. The format is as follows:

acs:ots:[region]:[user_id]:instance/[instance_name]

Usage notes

  • Instance names in Tablestore are case-insensitive. Specify [instance_name] in lowercase in a Resource definition.

  • Action and Resource are verified by literal string matching, in which the asterisk (*) is the only wildcard and its position determines whether prefix or suffix matching applies. A pattern without a trailing asterisk matches only the exact string, not its sub-resources. For example, a Resource definition of acs:ots:*:*:instance/abc does not match acs:ots:*:*:instance/abc/table/xyz.

  • To manage instance resources in the Tablestore console, the console must obtain the instance list. Therefore, grant the user read permissions on the acs:ots:[region]:[user_id]:instance/* resource.

  • For batch operation API operations (such as BatchGetRow and BatchWriteRow), Tablestore authorizes each accessed table separately. The operation runs only if all tables pass authorization. Otherwise, a permission error is returned.

Typical Resource definitions

  • All resources of all accounts in all regions.

    "Resource": "acs:ots:*:*:*"
  • All instances and their tables in account 123456 in the China (Hangzhou) region.

    "Resource": "acs:ots:cn-hangzhou:123456:instance*"
  • The instance named abc and all its tables in account 123456 in the China (Hangzhou) region.

    "Resource": [
        "acs:ots:cn-hangzhou:123456:instance/abc",
        "acs:ots:cn-hangzhou:123456:instance/abc/table*"
    ]
  • All instances whose names start with abc and all their tables.

    "Resource": "acs:ots:*:*:instance/abc*"
  • All tables whose names start with xyz in all instances whose names start with abc (excluding the instance resource, which does not match acs:ots:*:*:instance/abc*).

    "Resource": "acs:ots:*:*:instance/abc*/table/xyz*"
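The matching rules above (the asterisk as the only wildcard, no implicit match of sub-resources, and per-table authorization of batch operations) as an added Python example; this is not code from Tablestore or from this page. The policy is constructed, and the rule that an applicable Deny overrides Allow with default deny is assumed from RAM evaluation rather than stated on this page.

```python
import re

def wildcard_match(pattern, value):
    """Literal string match where '*' is the only wildcard (prefix, suffix or both)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, action, resource):
    """A statement applies when some Action pattern and some Resource pattern match."""
    return (any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
            and any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"])))

def is_allowed(policy, action, resource):
    """Default deny; an applicable Deny wins over any Allow (assumed RAM rule)."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def batch_allowed(policy, action, resources):
    """Batch operations are authorized per table; every table must pass."""
    return all(is_allowed(policy, action, r) for r in resources)

# Constructed sample policy: read-only access to instance "abc" and its tables,
# except the table "secret", which is explicitly denied.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ots:BatchGet*", "ots:Get*", "ots:List*"],
         "Resource": ["acs:ots:cn-hangzhou:123456:instance/abc",
                      "acs:ots:cn-hangzhou:123456:instance/abc/table*"]},
        {"Effect": "Deny",
         "Action": "ots:*",
         "Resource": "acs:ots:cn-hangzhou:123456:instance/abc/table/secret"},
    ],
}

if __name__ == "__main__":
    base = "acs:ots:cn-hangzhou:123456:instance/abc"
    print(is_allowed(POLICY, "ots:GetRow", base + "/table/orders"))  # True
    print(batch_allowed(POLICY, "ots:BatchGetRow",
                        [base + "/table/orders", base + "/table/secret"]))  # False
```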

API types and resources

Tablestore API operations fall into two categories: instance management operations and table/data read-write operations. The resource configuration for each type is as follows:

Resources accessed by management API operations

Management API operations handle instance-level tasks and are called by both the console and OpenAPI. The resources below omit the acs:ots:[region]:[user_id]: prefix and show only the instance part.

API operation | Action | Accessed resource
CreateInstance | ots:InsertInstance | instance/[instance_name]
UpdateInstance | ots:UpdateInstance | instance/[instance_name]
GetInstance | ots:GetInstance | instance/[instance_name]
DeleteInstance | ots:DeleteInstance | instance/[instance_name]
ListInstances | ots:ListInstance | instance/*
ChangeResourceGroup | ots:UpdateInstance | instance/[instance_name]
ListTagResources | ots:ListTagResourcesCustomTags | instance/*
TagResources | ots:TagResourcesCustomTags | instance/[instance_name]
UntagResources | ots:UntagResourcesCustomTags | instance/[instance_name]
UpdateInstancePolicy | ots:UpdateInstancePolicy | instance/[instance_name]
DeleteInstancePolicy | ots:DeleteInstancePolicy | instance/[instance_name]
CheckInstancePolicy | ots:CheckInstancePolicy | instance/[instance_name]
UpdateInstanceElasticVCUUpperLimit | ots:UpdateInstanceElasticVCUUpperLimit | instance/[instance_name]

Resources accessed by data API operations

Data API operations handle table-level and row-level tasks, called by both the console and SDKs. The Action and Resource definitions affect the console user experience. The resources below omit the acs:ots:[region]:[user_id]: prefix and show only the instance and table parts.

API operation | Action | Accessed resource
ListTable | ots:ListTable | instance/[instance_name]/table*
CreateTable | ots:CreateTable | instance/[instance_name]/table/[table_name]
UpdateTable | ots:UpdateTable | instance/[instance_name]/table/[table_name]
DescribeTable | ots:DescribeTable | instance/[instance_name]/table/[table_name]
DeleteTable | ots:DeleteTable | instance/[instance_name]/table/[table_name]
CreateGlobalTable | ots:CreateGlobalTable, ots:UpdateTable, ots:CreateTunnel, ots:DescribeTunnel, ots:ListTunnel, ots:TunnelReadRecords, ots:BatchWriteRow | instance/[instance_name]/table/[table_name]
DescribeGlobalTable | ots:DescribeGlobalTable | instance/[instance_name]/table/[table_name]
UpdateGlobalTable | ots:UpdateGlobalTable, ots:UpdateTable, ots:CreateTunnel, ots:DescribeTunnel, ots:ListTunnel, ots:TunnelReadRecords, ots:BatchWriteRow | instance/[instance_name]/table/[table_name]
BindGlobalTable | ots:BindGlobalTable, ots:UpdateTable, ots:CreateTunnel, ots:DescribeTunnel, ots:ListTunnel, ots:TunnelReadRecords, ots:BatchWriteRow | instance/[instance_name]/table/[table_name]
UnbindGlobalTable | ots:UnbindGlobalTable, ots:UpdateTable, ots:DeleteTunnel | instance/[instance_name]/table/[table_name]
AddDefinedColumn | ots:AddDefinedColumn | instance/[instance_name]/table/[table_name]
DeleteDefinedColumn | ots:DeleteDefinedColumn | instance/[instance_name]/table/[table_name]
GetRow | ots:GetRow | instance/[instance_name]/table/[table_name]
PutRow | ots:PutRow | instance/[instance_name]/table/[table_name]
UpdateRow | ots:UpdateRow | instance/[instance_name]/table/[table_name]
DeleteRow | ots:DeleteRow | instance/[instance_name]/table/[table_name]
GetRange | ots:GetRange | instance/[instance_name]/table/[table_name]
BatchGetRow | ots:BatchGetRow | instance/[instance_name]/table/[table_name]
BatchWriteRow | ots:BatchWriteRow | instance/[instance_name]/table/[table_name]
ComputeSplitPointsBySize | ots:ComputeSplitPointsBySize | instance/[instance_name]/table/[table_name]
StartLocalTransaction | ots:StartLocalTransaction | instance/[instance_name]/table/[table_name]
CommitTransaction | ots:CommitTransaction | instance/[instance_name]/table/[table_name]
AbortTransaction | ots:AbortTransaction | instance/[instance_name]/table/[table_name]
CreateIndex | ots:CreateIndex | instance/[instance_name]/table/[table_name]
DropIndex | ots:DropIndex | instance/[instance_name]/table/[table_name]
CreateSearchIndex | ots:CreateSearchIndex | instance/[instance_name]/table/[table_name]
UpdateSearchIndex | ots:UpdateSearchIndex | instance/[instance_name]/table/[table_name]
DeleteSearchIndex | ots:DeleteSearchIndex | instance/[instance_name]/table/[table_name]
ListSearchIndex | ots:ListSearchIndex | instance/[instance_name]/table/[table_name]
DescribeSearchIndex | ots:DescribeSearchIndex | instance/[instance_name]/table/[table_name]
Search | ots:Search | instance/[instance_name]/table/[table_name]
ComputeSplits | ots:ComputeSplits | instance/[instance_name]/table/[table_name]
ParallelScan | ots:ParallelScan | instance/[instance_name]/table/[table_name]
CreateTunnel | ots:CreateTunnel | instance/[instance_name]/table/[table_name]
DeleteTunnel | ots:DeleteTunnel | instance/[instance_name]/table/[table_name]
ListTunnel | ots:ListTunnel | instance/[instance_name]/table/[table_name]
ConsumeTunnel | ots:ConsumeTunnel | instance/[instance_name]/table/[table_name]
DescribeTunnel | ots:DescribeTunnel | instance/[instance_name]/table/[table_name]
BulkImport | ots:BulkImport | instance/[instance_name]/table/[table_name]
BulkExport | ots:BulkExport | instance/[instance_name]/table/[table_name]
SQL_Select | ots:SQL_Select | instance/[instance_name]/table/[table_name]
SQL_Create | ots:SQL_Create | instance/[instance_name]/table/[table_name]
SQL_DropMapping | ots:SQL_DropMapping | instance/[instance_name]/table/[table_name]

Condition

Condition specifies the constraints under which the authorization takes effect. It consists of a condition operator, a condition key, and a condition value.

Condition operators

A condition operator defines how a condition key is compared with a condition value. Supported types include String, Number, Date and time, Boolean, and IP address. For the complete list, see Conditional operators.

Condition keys

The following condition keys are supported by Tablestore, grouped into Tablestore custom conditions and common conditions.

Tablestore custom conditions

ots:EncryptionRequired

Applies to the CreateTable and UpdateTable operations. Specifies whether to allow only the creation or update of encrypted tables.

The value type is String. Valid values: true and false.

Configuration example: "ots:EncryptionRequired": "true"

ots:IsFromTrustProxy

Specifies whether to allow only access from a trusted proxy. Access from the console uses a trusted proxy.

The value type is String. Valid values: true and false.

Configuration example: "ots:IsFromTrustProxy": "true"

ots:AllowInstanceInternetAccess

Applies to the CreateInstance and UpdateInstance operations. Specifies whether to allow only the creation of instances that cannot be accessed over the Internet.

The value type is String. Valid values: true and false.

Configuration example: "ots:AllowInstanceInternetAccess": "true"

ots:TLSVersion

Sets the allowed client TLS versions. This also restricts access to the HTTPS protocol only.

The value type is String. Valid values: TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.

A single condition supports multiple TLS versions. When multiple TLS versions are configured, a client can access Tablestore successfully by using any of the configured TLS versions.

ots:AccessId

Restricts the AccessKey ID (AK) of the request source.

The value type is String. To specify multiple AccessKey IDs, enter one AccessKey ID per line.

Common conditions

acs:SourceIp

Restricts the source IP address or CIDR block of the access.

The value type is String. Valid values: IPv4 or IPv6 IP addresses and CIDR blocks. A single condition supports multiple IP addresses or CIDR blocks.

Important: In an instance policy, if you configure acs:SourceIp, you must also configure acs:SourceVpc to specify the network source of the request. Otherwise, the configuration cannot be submitted. acs:SourceIp matches only the source IP address of the request and does not distinguish whether the IP address comes from the Internet or a VPC, so using acs:SourceIp alone to restrict access may pose a risk of privilege escalation.

acs:SourceVpc

Restricts the source VPC of the access.

The value type is String. Valid values: the source VPC ID and vpc-*. A single condition supports multiple VPC IDs. Make sure the configured VPC IDs are correct.

acs:SecureTransport

Restricts the request protocol, specifically whether access uses secure transport (HTTPS).

The value type is Bool. Valid values:

  • true: Allows only HTTPS requests.

  • false: Allows only HTTP requests.

If acs:SecureTransport is not set, both HTTP and HTTPS requests are allowed.

acs:CurrentTime

Restricts the time when a request arrives at the Tablestore server.

The value type is Date and time, in ISO 8601 format, for example, 2016-01-01T00:00:00+08:00.

acs:MFAPresent

Restricts whether access uses multi-factor authentication (MFA).

The value type is Bool. Valid values: true and false.
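The Condition element evaluated against a request context, as an added Python example that is not code from Tablestore or from this page. The operator names Bool, StringEquals and IpAddress are the RAM condition operator names; this page only names the operator types, so their use here is an assumption, as is the rule that a key missing from the request never satisfies a condition. The VPC ID and request values are constructed placeholders.

```python
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_holds(condition, ctx):
    """Every operator/key pair must hold; within one key, any listed value matches."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a key absent from the request context never matches (assumed)
            values = _as_list(values)
            if operator == "StringEquals":
                ok = str(actual) in values
            elif operator == "Bool":
                ok = str(actual).lower() in [str(v).lower() for v in values]
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True

# Constructed condition: HTTPS only, TLS 1.2 or 1.3, and a request that comes both
# from one CIDR block and from one VPC (acs:SourceIp paired with acs:SourceVpc, as
# the page requires for instance policies). The VPC ID is a placeholder.
CONDITION = {
    "Bool": {"acs:SecureTransport": "true"},
    "StringEquals": {"ots:TLSVersion": ["TLSv1.2", "TLSv1.3"],
                     "acs:SourceVpc": "vpc-placeholder"},
    "IpAddress": {"acs:SourceIp": "10.0.0.0/24"},
}

# Constructed request context as the policy engine would see it.
REQUEST = {"acs:SecureTransport": True, "ots:TLSVersion": "TLSv1.3",
           "acs:SourceVpc": "vpc-placeholder", "acs:SourceIp": "10.0.0.17"}

if __name__ == "__main__":
    print(condition_holds(CONDITION, REQUEST))  # True
    print(condition_holds(CONDITION, {**REQUEST, "ots:TLSVersion": "TLSv1.1"}))  # False
```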