Before you use a RAM user to call Resource Management API operations to access resources owned by an Alibaba Cloud account, you must use the Alibaba Cloud account to create the required policies and attach them to the RAM user. In a policy, you specify the allowed API operations in the Action element and the allowed resources in the Resource element. Each resource is identified by its Alibaba Cloud Resource Name (ARN).
The following list describes the variables used in the Resource element of a policy. Replace the variables with actual values.
<account_id>: the ID of the Alibaba Cloud account.
<resourcegroup_id>: the ID of the resource group.
<policy_name>: the name of the policy.
<role_name>: the name of the RAM role.
<resource_type>: the resource type.
<resource_id>: the ID of the resource.
<region_id>: the ID of the region.
<product>: the service code.
<handshake_id>: the ID of the invitation.
<policy_id>: the ID of the access control policy.
<resource_directory_path>: the RDPath of a folder or member, which indicates the location of the folder or member in the resource directory.
<contact_id>: the ID of the contact.
Required resource types are displayed in bold.
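As an added example (not part of the original documentation), the following Python sketch fills the `<variable>` placeholders in a few ARN formats taken from the tables on this page, builds a RAM policy document from them, and flags Allow statements whose Resource ends in `*` even though the table lets that action be scoped to a specific resource. The function names, the `SAMPLE` values and the `rg-EXAMPLE` ID are constructed for illustration; the `Version`/`Statement`/`Effect` layout is the standard RAM policy document structure.

```python
import json
import re

# ARN formats copied from the tables on this page (a subset).
ARN_TEMPLATES = {
    "ram:DeleteResourceGroup": "acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>",
    "ram:UpdateResourceGroup": "acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>",
    "resourcemanager:GetFolder": "acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>",
    "resourcesharing:ListResourceShares": "acs:resourcesharing:<region_id>:<account_id>:*",
}
PLACEHOLDER = re.compile(r"<([a-z_]+)>")

def render_arn(action, values):
    """Fill the page's <variable> placeholders; fail if any has no value."""
    template = ARN_TEMPLATES[action]
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise ValueError(f"{action}: no value for {missing}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

def build_policy(actions, values):
    """Group actions by rendered ARN so each keeps the scope the table gives it."""
    by_arn = {}
    for action in actions:
        by_arn.setdefault(render_arn(action, values), []).append(action)
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": acts, "Resource": arn}
                          for arn, acts in by_arn.items()]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad(policy):
    """List (action, resource) pairs that end in '*' although the table
    allows scoping that action to a specific resource ID or path."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            template = ARN_TEMPLATES.get(action)  # wildcard actions are not expanded here
            if template and PLACEHOLDER.search(template.split(":", 4)[4]):
                findings += [(action, r) for r in as_list(stmt["Resource"]) if r.endswith("*")]
    return findings

# Constructed sample values, not real identifiers.
SAMPLE = {"account_id": "1234567890123456", "resourcegroup_id": "rg-EXAMPLE"}

if __name__ == "__main__":
    print(json.dumps(build_policy(["ram:DeleteResourceGroup", "ram:UpdateResourceGroup"], SAMPLE), indent=2))
```

Actions whose table entry is already a bare `*` resource, such as the resourcesharing operations, are not flagged because the page offers no narrower ARN for them.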
Resource Group
The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats used in the Resource element.
Action | Resource |
ram:CreateResourceGroup | acs:ram:*:<account_id>:resourcegroup/* |
ram:DeleteResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
ram:UpdateResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
ram:CreatePolicy | acs:ram:*:<account_id>:policy/* |
ram:DeletePolicy | acs:ram:*:<account_id>:policy/<policy_name> |
ram:ListPolicies | acs:ram:*:<account_id>:policy/* |
ram:GetPolicy | acs:ram:*:<account_id>:policy/<policy_name> |
ram:CreatePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:DeletePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:ListPolicyVersions | acs:ram:*:<account_id>:policy/<policy_name> |
ram:GetPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:SetDefaultPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:AttachPolicy |
|
ram:DetachPolicy |
|
ram:ListPolicyAttachments | acs:ram:*:<account_id>:* |
ram:CreateRole | acs:ram:*:<account_id>:role/* |
ram:GetRole | acs:ram:*:<account_id>:role/<role_name> |
ram:ListRoles | acs:ram:*:<account_id>:role/* |
ram:UpdateRole | acs:ram:*:<account_id>:role/<role_name> |
ram:DeleteRole | acs:ram:*:<account_id>:role/<role_name> |
ram:CreateServiceLinkedRole | acs:ram:*:<account_id>:role/* |
ram:DeleteServiceLinkedRole | acs:ram:*:<account_id>:role/<role_name> |
ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:<account_id>:role/<role_name> |
Resource Directory
The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats used in the Resource element.
Action | Resource |
resourcemanager:AcceptHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:AttachControlPolicy |
|
resourcemanager:BindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:CancelHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:CheckAccountDelete | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:CreateCloudAccount | acs:resourcemanager:*:<account_id>:* |
resourcemanager:CreateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:CreateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:CreateResourceAccount | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:DeclineHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:DeleteAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:DeleteControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:DeleteFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:DeregisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:DetachControlPolicy |
|
resourcemanager:DisableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:EnableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:EnableResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:GetAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetAccountDeletionCheckResult | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetAccountDeletionStatus | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:GetControlPolicyEnablementStatus | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:GetFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:GetHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:GetPayerForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:InviteAccountToResourceDirectory |
|
resourcemanager:ListAccounts | acs:resourcemanager:*:<account_id>:account/* |
resourcemanager:ListAccountsForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:ListAncestors | acs:resourcemanager:*:<account_id>:folder/* |
resourcemanager:ListControlPolicies | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:ListControlPolicyAttachmentsForTarget |
|
resourcemanager:ListDelegatedAdministrators | acs:resourcemanager:*:<account_id>:account/* |
resourcemanager:ListDelegatedServicesForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:ListFoldersForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:<account_id>:handshake/* |
resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:<account_id>:handshake/* |
resourcemanager:ListTagKeys | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTagValues | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTargetAttachmentsForControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:<account_id>:* |
resourcemanager:MoveAccount |
|
resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:<account_id>:* |
resourcemanager:RegisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:SendVerificationCodeForBindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:SendVerificationCodeForEnableRD | acs:resourcemanager:*:<account_id>:* |
resourcemanager:TagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:UntagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:UpdateAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:UpdateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:UpdateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:AddMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/* |
resourcemanager:CancelMessageContactUpdate | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:DeleteMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:GetMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:GetMessageContactDeletionStatus | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:ListMessageContacts | acs:resourcemanager:*:<account_id>:messagecontact/* |
resourcemanager:ListMessageContactVerifications | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:SendEmailVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:SendPhoneVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:UpdateMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:AssociateMembers |
|
resourcemanager:DisassociateMembers |
|
resourcemanager:CancelChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:ChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:RetryChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:PrecheckForConsolidatedBillingAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
Resource Sharing
The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats used in the Resource element.
Action | Resource |
resourcesharing:EnableSharingWithResourceDirectory | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:CreateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:UpdateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DeleteResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShares | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AssociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DisassociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShareAssociations | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListSharedResources | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListSharedTargets | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DescribeRegions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShareInvitations | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AcceptResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:RejectResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AssociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DisassociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceSharePermissions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:GetPermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListPermissionVersions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListPermissions | acs:resourcesharing:<region_id>:<account_id>:* |
Tag
The following table lists the Tag API operations that you can specify in the Action element and the ARN formats used in the Resource element.
Action | Resource |
tag:ListTagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id> |
tag:TagResources |
|
tag:UntagResources |
|
tag:ListTagKeys | acs:tag:<region_id>:<account_id>:*/* |
tag:ListTagValues | acs:tag:<region_id>:<account_id>:*/* |
tag:CreateTags | acs:tag:<region_id>:<account_id>:*/* |
tag:DeleteTag | acs:tag:<region_id>:<account_id>:*/* |