RAM authorization - Global Accelerator - Alibaba Cloud ドキュメントセンター

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Global Accelerator for RAM permission policies. The RAM code (RamCode) for Global Accelerator is ga , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Global Accelerator. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
ga:DeleteAcl	DeleteAcl	delete	*Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}`	None	None
ga:BandwidthPackageAddAccelerator	BandwidthPackageAddAccelerator	update	BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:ListCommonAreas	ListCommonAreas	list	All Resource ``	None	None
ga:ListIpSets	ListIpSets	list	IpSet `acs:ga:{#regionId}:{#accountId}:ipset/`	None	None
ga:ListSystemSecurityPolicies	ListSystemSecurityPolicies	list	SystemSecurityPolicy `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:UntagResources	UntagResources	update	Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#basicGaId}` EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId}` Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}` BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}`	None	None
ga:UpdateCustomRoutingEndpointGroupAttribute	UpdateCustomRoutingEndpointGroupAttribute	update	*CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId}`	None	None
ga:DisableApplicationMonitor	DisableApplicationMonitor	update	*ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/{#sitemonitorId}`	None	None
ga:UpdateBandwidthPackagaAutoRenewAttribute	UpdateBandwidthPackagaAutoRenewAttribute	update	*BandwidthPackage `acs:ga:{#regionId}:{#accountId}:ga/{#BandwidthPackageId}`	None	None
ga:DeleteEndpointGroups	DeleteEndpointGroups	delete	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId}`	None	None
ga:UpdateLogStoreConfig	UpdateLogStoreConfig	update	All Resource ``	None	None
ga:DeleteBandwidthPackage	DeleteBandwidthPackage	delete	*BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}`	None	None
ga:AssociateAclsWithListener	AssociateAclsWithListener	update	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#ListenerId}`	None	None
ga:ListBasicAccelerateIps	ListBasicAccelerateIps	list	*BasicAccelerateIp `acs:ga:{#regionId}:{#accountId}:ipset/{#IpSetId}`	None	None
ga:DeleteBasicAccelerateIp	DeleteBasicAccelerateIp	delete	*BasicAccelerateIp `acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId}`	None	None
ga:UpdateAccelerator	UpdateAccelerator	update	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:ConfigEndpointProbe	ConfigEndpointProbe	update	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointGroupId}`	None	None
ga:DescribeCustomRoutingEndpointGroupDestinations	DescribeCustomRoutingEndpointGroupDestinations	get	*CustomRoutingEndpointGroupDestination `acs:ga:{#regionId}:{#accountId}:destination/{#DestinationId}`	None	None
ga:DeleteBasicAccelerator	DeleteBasicAccelerator	delete	*BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#BasicAcceleratorId}`	None	None
ga:UpdateServiceManagedControl	UpdateServiceManagedControl	update	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:CreateSpareIps	CreateSpareIps	create	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:UpdateDomainState	UpdateDomainState	update	All Resource ``	None	None
ga:UpdateBasicAccelerator	UpdateBasicAccelerator	update	*BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#BasicAcceleratorId}`	None	None
ga:GetBasicAccelerator	GetBasicAccelerator	get	*BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#BasicAcceleratorId}`	None	None
ga:DescribeBandwidthPackageAutoRenewAttribute	DescribeBandwidthPackageAutoRenewAttribute	get	*BandwidthPackage `acs:ga:{#regionId}:{#accountId}:ga/{#BandwidthPackageId}`	None	None
ga:DescribeCustomRoutingEndPointTrafficPolicy	DescribeCustomRoutingEndPointTrafficPolicy	get	*CustomRoutingEndpointTrafficPolicy `acs:ga:{#regionId}:{#accountId}:trafficpolicy/{#trafficpolicyId}`	None	None
ga:CreateEndpointGroup	CreateEndpointGroup	create	EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/` Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	ga:AcceleratorMainland	None
ga:DeleteCustomRoutingEndpointGroupDestinations	DeleteCustomRoutingEndpointGroupDestinations	delete	*CustomRoutingEndpointGroupDestination `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId}`	None	None
ga:QueryCrossBorderApprovalStatus	QueryCrossBorderApprovalStatus	get	All Resource ``	None	None
ga:ListBandwidthPackages	ListBandwidthPackages	list	BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/`	None	None
ga:ListAcls	ListAcls	list	Acl `acs:ga:{#regionId}:{#accountId}:acl/`	None	None
ga:UpdateIpSet	UpdateIpSet	update	*IpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#ipSetId}`	None	None
ga:DeleteBasicEndpointGroup	DeleteBasicEndpointGroup	delete	*BasicEndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#BasicEndpointGroupId}`	None	None
ga:ListAvailableBusiRegions	ListAvailableBusiRegions	list	All Resource ``	None	None
ga:GetSpareIp	GetSpareIp	get	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:DescribeCommodityPrice	DescribeCommodityPrice	get	All Resource ``	None	None
ga:EnableApplicationMonitor	EnableApplicationMonitor	update	*ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/{#sitemonitorId}`	None	None
ga:ListCustomRoutingEndpointGroups	ListCustomRoutingEndpointGroups	list	CustomRoutingEndpointGroup `acs:ga::{#accountId}:ga/{#gaId}`	None	None
ga:UpdateAclAttribute	UpdateAclAttribute	update	*Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}`	None	None
ga:DeleteAccelerator	DeleteAccelerator	delete	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:UpdateCustomRoutingEndpointTrafficPolicies	UpdateCustomRoutingEndpointTrafficPolicies	update	*CustomRoutingEndpointTrafficPolicy `acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#CustomRoutingEndpointTrafficPolicyId}`	None	None
ga:DeleteCustomRoutingEndpointGroups	DeleteCustomRoutingEndpointGroups	delete	*CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId}` CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId}`	None	None
ga:DescribeAccelerator	DescribeAccelerator	get	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:UpdateAcceleratorConfirm	UpdateAcceleratorConfirm	update	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:DescribeAcceleratorAutoRenewAttribute	DescribeAcceleratorAutoRenewAttribute	get	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:ListListeners	ListListeners	list	Listener `acs:ga:{#regionId}:{#accountId}:listener/`	None	None
ga:ListEndpointGroups	ListEndpointGroups	list	EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/`	None	None
ga:CreateBasicEndpoints	CreateBasicEndpoints	create	BasicEndpoint `acs:ga:{#regionId}:{#accountId}:basicendpoint/`	None	None
ga:ListBusiRegions	ListBusiRegions	list	BusiRegion `acs:ga:{#regionId}:{#accountId}:region/`	None	None
ga:CreateBasicAccelerateIpEndpointRelation	CreateBasicAccelerateIpEndpointRelation	update	BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId}` *BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:basicendpoint/{#basicendpointId}`	None	None
ga:ListBasicAccelerateIpEndpointRelations	ListBasicAccelerateIpEndpointRelations	list	*BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:ListCustomRoutingPortMappings	ListCustomRoutingPortMappings	list	CustomRoutingPortMapping `acs:ga::{#accountId}:ga/{#gaId}`	None	None
ga:UpdateBasicEndpointGroup	UpdateBasicEndpointGroup	update	*BasicEndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#BasicEndpointGroupId}`	None	None
ga:UpdateBasicEndpoint	UpdateBasicEndpoint	update	*BasicEndpoint `acs:ga:{#regionId}:{#accountId}:basicendpoint/{#EndPointId}`	None	None
ga:CreateDomain	CreateDomain	create	Domain `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:CreateBasicAccelerateIp	CreateBasicAccelerateIp	create	BasicAccelerateIp `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` BasicAccelerateIp `acs:ga:{#regionId}:{#accountId}:ipset/*`	None	None
ga:DetachDdosFromAccelerator	DetachDdosFromAccelerator	delete	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:DissociateAdditionalCertificatesFromListener	DissociateAdditionalCertificatesFromListener	update	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:ListAccelerators	ListAccelerators	list	Accelerator `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:UpdateCustomRoutingEndpointGroupDestinations	UpdateCustomRoutingEndpointGroupDestinations	update	*CustomRoutingEndpointGroupDestination `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customroutingendpointgroupId}`	None	None
ga:CreateForwardingRules	CreateForwardingRules	create	Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:UpdateEndpointGroups	UpdateEndpointGroups	update	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId}`	None	None
ga:ListCustomRoutingEndpointTrafficPolicies	ListCustomRoutingEndpointTrafficPolicies	list	CustomRoutingEndpointTrafficPolicy `acs:ga::{#accountId}:ga/{#gaId}`	None	None
ga:CreateAccelerator	CreateAccelerator	create	Accelerator `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:UpdateAcceleratorCrossBorderMode	UpdateAcceleratorCrossBorderMode	update	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:UpdateDomain	UpdateDomain	update	All Resource ``	None	None
ga:DescribeEndpointGroup	DescribeEndpointGroup	get	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointGroupId}`	None	None
ga:UpdateListener	UpdateListener	update	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:DescribeCustomRoutingEndpointGroup	DescribeCustomRoutingEndpointGroup	get	*CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customroutingendpointgroupId}`	None	None
ga:GetIpsetsBandwidthLimit	GetIpsetsBandwidthLimit	get	All Resource ``	None	None
ga:AssociateAdditionalCertificatesWithListener	AssociateAdditionalCertificatesWithListener	update	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:DeleteBasicEndpoint	DeleteBasicEndpoint	create	*BasicEndpoint `acs:ga:{#regionId}:{#accountId}:basicendpoint/{#basicendpointId}`	None	None
ga:CreateBandwidthPackage	CreateBandwidthPackage	create	BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/`	ga:BandwidthPackageType	None
ga:DeleteDomainAcceleratorRelation	DeleteDomainAcceleratorRelation	delete	*Domain `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:CreateAcl	CreateAcl	create	Acl `acs:ga:{#regionId}:{#accountId}:acl/`	None	None
ga:DescribeBandwidthPackage	DescribeBandwidthPackage	get	*BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}`	None	None
ga:ListDomains	ListDomains	list	Domain `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:DetectApplicationMonitor	DetectApplicationMonitor	update	*ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/{#TaskId}`	None	None
ga:AddEntriesToAcl	AddEntriesToAcl	update	*Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}`	None	None
ga:ListAccelerateAreas	ListAccelerateAreas	list	AccelerateArea `acs:ga:{#regionId}:{#accountId}:region/`	None	None
ga:ListBasicEndpoints	ListBasicEndpoints	list	*BasicEndpoint `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#EndpointGroupId}`	None	None
ga:DeleteIpSets	DeleteIpSets	delete	*IpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#ipSetId}`	None	None
ga:CreateIpSets	CreateIpSets	create	IpSet `acs:ga:{#regionId}:{#accountId}:ipset/` *Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	ga:AcceleratorMainland	None
ga:DescribeApplicationMonitor	DescribeApplicationMonitor	get	*ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/{#TaskId}`	None	None
ga:DeleteBasicAccelerateIpEndpointRelation	DeleteBasicAccelerateIpEndpointRelation	delete	BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId}` *BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:basicendpoint/{#basicendpointId}`	None	None
ga:CreateBasicEndpointGroup	CreateBasicEndpointGroup	create	BasicEndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/`	None	None
ga:DeleteEndpointGroup	DeleteEndpointGroup	delete	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointGroupId}`	None	None
ga:DescribeLogStoreOfEndpointGroup	DescribeLogStoreOfEndpointGroup	get	*AccessLog `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId}`	None	None
ga:GetBasicAccelerateIpEndpointRelation	GetBasicAccelerateIpEndpointRelation	get	BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:basicendpoint/{#basicendpointId}` BasicAccelerateIp `acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId}`	None	None
ga:CreateEndpointGroups	CreateEndpointGroups	create	EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}` Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	ga:AcceleratorMainland	None
ga:ListListenerCertificates	ListListenerCertificates	list	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:DeleteIpSet	DeleteIpSet	delete	*IpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#ipSetId}`	None	None
ga:ChangeResourceGroup	ChangeResourceGroup	update	Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}` BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthpackageId}` BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#basicGaId}`	None	None
ga:DescribeListener	DescribeListener	get	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:GetHealthStatus	GetHealthStatus	get	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:GetAcl	GetAcl	get	*Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}`	None	None
ga:GetBasicAccelerateIpIdleCount	GetBasicAccelerateIpIdleCount	get	All Resource ``	None	None
ga:GetBasicEndpointGroup	GetBasicEndpointGroup	get	*BasicEndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#BasicEndpointGroupId}`	None	None
ga:ListCustomRoutingEndpoints	ListCustomRoutingEndpoints	list	CustomRoutingEndpoint `acs:ga::{#accountId}:ga/{#gaId}`	None	None
ga:DescribeIpSet	DescribeIpSet	get	*IpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#ipSetId}`	None	None
ga:UpdateAcceleratorAutoRenewAttribute	UpdateAcceleratorAutoRenewAttribute	update	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:DeleteForwardingRules	DeleteForwardingRules	delete	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:CreateBasicAccelerator	CreateBasicAccelerator	create	BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:ListApplicationMonitorDetectResult	ListApplicationMonitorDetectResult	list	All Resource ``	None	None
ga:DescribeRegions	DescribeRegions	get	*BusiRegion `acs:ga:{#regionId}:{#accountId}:region/{#regionId}`	None	None
ga:DeleteBasicIpSet	DeleteBasicIpSet	delete	*BasicIpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#BasicIpSetId}`	None	None
ga:DeleteCustomRoutingEndpoints	DeleteCustomRoutingEndpoints	delete	*CustomRoutingEndpoint `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customRoutingEndpointGroupId}`	None	None
ga:UpdateApplicationMonitor	UpdateApplicationMonitor	update	*ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/{#TaskId}`	None	None
ga:GetBasicAccelerateIp	GetBasicAccelerateIp	get	*BasicAccelerateIp `acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId}`	None	None
ga:AssociateResources	AssociateResources	create	All Resource ``	None	None
ga:UpdateEndpointGroupAttribute	UpdateEndpointGroupAttribute	update	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointGroupId}`	None	None
ga:CreateApplicationMonitor	CreateApplicationMonitor	create	ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/*`	None	None
ga:GetInvalidDomainCount	GetInvalidDomainCount	get	All Resource ``	None	None
ga:ListAvailableAccelerateAreas	ListAvailableAccelerateAreas	list	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:ListCustomRoutingEndpointGroupDestinations	ListCustomRoutingEndpointGroupDestinations	list	*CustomRoutingEndpointGroupDestination `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:ReplaceBandwidthPackage	ReplaceBandwidthPackage	update	*BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}`	None	None
ga:ListSpareIps	ListSpareIps	list	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:CreateBasicEndpoint	CreateBasicEndpoint	create	BasicEndpoint `acs:ga:{#regionId}:{#accountId}:basicendpoint/`	None	None
ga:ListIspTypes	ListIspTypes	list	All Resource ``	None	None
ga:UpdateEndpointGroup	UpdateEndpointGroup	update	*EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointGroupId}`	None	None
ga:DeleteSpareIps	DeleteSpareIps	delete	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:CreateCustomRoutingEndpointGroupDestinations	CreateCustomRoutingEndpointGroupDestinations	create	*CustomRoutingEndpointGroupDestination `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customroutingendpointgroupId}`	None	None
ga:DescribeCustomRoutingEndpoint	DescribeCustomRoutingEndpoint	get	*CustomRoutingEndpoint `acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#CustomRoutingEndpointId}`	None	None
ga:UpdateBandwidthPackage	UpdateBandwidthPackage	update	*BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}`	None	None
ga:DescribeCommodity	DescribeCommodity	get	All Resource ``	None	None
ga:GetBasicEndpoint	GetBasicEndpoint	get	*BasicEndpoint `acs:ga:{#regionId}:{#accountId}:basicendpoint/{#EndPointId}`	None	None
ga:GetGlobalAcceleratorResources	GetGlobalAcceleratorResources	get	All Resource ``	None	None
ga:UpdateAcceleratorCrossBorderStatus	UpdateAcceleratorCrossBorderStatus	update	Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:ListApplicationMonitor	ListApplicationMonitor	list	ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/`	None	None
ga:AttachDdosToAccelerator	AttachDdosToAccelerator	update	*Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:ListBandwidthackages	ListBandwidthackages	list	All Resource ``	None	None
ga:UpdateAdditionalCertificateWithListener	UpdateAdditionalCertificateWithListener	update	*AdditionalCertificate `acs:ga:{#regionId}:{#accountId}:listener/{#ListenerId}`	None	None
ga:UpdateIpSets	UpdateIpSets	update	*IpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#ipSetId}`	None	None
ga:CreateBasicAccelerateIpEndpointRelations	CreateBasicAccelerateIpEndpointRelations	update	*BasicAccelerateIpEndpointRelation `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:ListBasicAccelerators	ListBasicAccelerators	list	BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/`	None	None
ga:OpenAcceleratorService	OpenAcceleratorService	none	All Resource ``	None	None
ga:ListForwardingRules	ListForwardingRules	list	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:ListCustomRoutingPortMappingsByDestination	ListCustomRoutingPortMappingsByDestination	list	CustomRoutingEndpoint `acs:ga::{#accountId}:customroutingendpoint/{#customroutingendpointId}`	None	None
ga:CreateListener	CreateListener	create	Listener `acs:ga:{#regionId}:{#accountId}:listener/` *Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	ga:TLSVersion	None
ga:DescribeAcceleratorServiceStatus	DescribeAcceleratorServiceStatus	none	All Resource ``	None	None
ga:TagResources	TagResources	update	Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}` Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}` BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthpackageId}` BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#basicGaId}` EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#EndpointGroupId}`	None	None
ga:DeleteCustomRoutingEndpointTrafficPolicies	DeleteCustomRoutingEndpointTrafficPolicies	delete	*CustomRoutingEndpointTrafficPolicy `acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#customroutingendpointId}`	None	None
ga:DeleteListener	DeleteListener	delete	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:CreateCustomRoutingEndpointGroups	CreateCustomRoutingEndpointGroups	create	*CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:ga/{#gaId}`	None	None
ga:UpdateBasicIpSet	UpdateBasicIpSet	update	*BasicIpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#ipsetId}`	None	None
ga:GetBasicIpSet	GetBasicIpSet	get	*BasicIpSet `acs:ga:{#regionId}:{#accountId}:ipset/{#BasicIpSetId}`	None	None
ga:DeleteApplicationMonitor	DeleteApplicationMonitor	delete	*ApplicationMonitor `acs:ga:{#regionId}:{#accountId}:sitemonitor/{#TaskId}`	None	None
ga:DetachLogStoreFromEndpointGroup	DetachLogStoreFromEndpointGroup	update	EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId}` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:CreateCustomRoutingEndpoints	CreateCustomRoutingEndpoints	create	*CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customroutingendpointgroupId}`	None	None
ga:UpdateCustomRoutingEndpoints	UpdateCustomRoutingEndpoints	update	*CustomRoutingEndpointGroup `acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId}`	None	None
ga:CreateCustomRoutingEndpointTrafficPolicies	CreateCustomRoutingEndpointTrafficPolicies	create	*CustomRoutingEndpointTrafficPolicy `acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#CustomRoutingEndpointId}`	None	None
ga:BandwidthPackageRemoveAccelerator	BandwidthPackageRemoveAccelerator	update	BandwidthPackage `acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId}` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:DissociateAclsFromListener	DissociateAclsFromListener	update	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:UpdateForwardingRules	UpdateForwardingRules	update	*Listener `acs:ga:{#regionId}:{#accountId}:listener/{#listenerId}`	None	None
ga:AttachLogStoreToEndpointGroup	AttachLogStoreToEndpointGroup	update	EndpointGroup `acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endPointGroupId}` Accelerator `acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId}`	None	None
ga:DisassociateResources	DisassociateResources	delete	All Resource ``	None	None
ga:ListTagResources	ListTagResources	list	All Resource ``	None	None
ga:CreateBasicIpSet	CreateBasicIpSet	create	BasicAccelerator `acs:ga:{#regionId}:{#accountId}:ga/{#BasicAcceleratorId}` BasicIpSet `acs:ga:{#regionId}:{#accountId}:ipset/*`	None	None
ga:RemoveEntriesFromAcl	RemoveEntriesFromAcl	update	*Acl `acs:ga:{#regionId}:{#accountId}:acl/{#aclId}`	None	None
ga:ListEndpointGroupIpAddressCidrBlocks	ListEndpointGroupIpAddressCidrBlocks	get	All Resource ``	None	None

Resource

The following table lists the resources defined by Global Accelerator. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
Acl	acs:ga:{#regionId}:{#accountId}:acl/{#aclId} acs:ga:{#regionId}:{#accountId}:acl/*
BandwidthPackage	acs:ga:{#regionId}:{#accountId}:bandwidthpackage/{#bandwidthPackageId} acs:ga:{#regionId}:{#accountId}:ga/{#BandwidthPackageId} acs:ga:{#regionId}:{#accountId}:bandwidthpackage/*
Accelerator	acs:ga:{#regionId}:{#accountId}:ga/{#acceleratorId} acs:ga:{#regionId}:{#accountId}:ga/{#gaId} acs:ga:{#regionId}:{#accountId}:ga/* acs:ga:{#regionId}:{#accountId}:accelerator/{#AcceleratorId}
IpSet	acs:ga:{#regionId}:{#accountId}:ipset/* acs:ga:{#regionId}:{#accountId}:ipset/{#ipSetId}
SystemSecurityPolicy	acs:ga:{#regionId}:{#accountId}:ga/*
BasicAccelerator	acs:ga:{#regionId}:{#accountId}:ga/{#basicGaId} acs:ga:{#regionId}:{#accountId}:ga/{#BasicAcceleratorId} acs:ga:{#regionId}:{#accountId}:ga/* acs:ga:{#regionId}:{#accountId}:ga/{#gaId}
EndpointGroup	acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId} acs:ga:{#regionId}:{#accountId}:endpointgroup/*
CustomRoutingEndpointGroup	acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId} acs:ga:*:{#accountId}:ga/{#gaId} acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customroutingendpointgroupId} acs:ga:{#regionId}:{#accountId}:ga/{#gaId}
ApplicationMonitor	acs:ga:{#regionId}:{#accountId}:sitemonitor/{#sitemonitorId} acs:ga:{#regionId}:{#accountId}:sitemonitor/{#TaskId} acs:ga:{#regionId}:{#accountId}:sitemonitor/* acs:ga:{#regionId}:{#accountId}:ga/{#gaId}
Listener	acs:ga:{#regionId}:{#accountId}:listener/{#ListenerId} acs:ga:{#regionId}:{#accountId}:listener/*
BasicAccelerateIp	acs:ga:{#regionId}:{#accountId}:ipset/{#IpSetId} acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId} acs:ga:{#regionId}:{#accountId}:ga/{#gaId} acs:ga:{#regionId}:{#accountId}:ipset/*
CustomRoutingEndpointGroupDestination	acs:ga:{#regionId}:{#accountId}:destination/{#DestinationId} acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#EndpointGroupId} acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customroutingendpointgroupId} acs:ga:{#regionId}:{#accountId}:ga/{#gaId}
Domain	acs:ga:{#regionId}:{#accountId}:ga/* acs:ga:{#regionId}:{#accountId}:ga/{#gaId}
CustomRoutingEndpointTrafficPolicy	acs:ga:{#regionId}:{#accountId}:trafficpolicy/{#trafficpolicyId} acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#CustomRoutingEndpointTrafficPolicyId} acs:ga:*:{#accountId}:ga/{#gaId} acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#customroutingendpointId}
BasicEndpointGroup	acs:ga:{#regionId}:{#accountId}:endpointgroup/{#BasicEndpointGroupId} acs:ga:{#regionId}:{#accountId}:endpointgroup/*
BasicEndpoint	acs:ga:{#regionId}:{#accountId}:basicendpoint/* acs:ga:{#regionId}:{#accountId}:basicendpoint/{#EndPointId} acs:ga:{#regionId}:{#accountId}:basicendpoint/{#basicendpointId} acs:ga:{#regionId}:{#accountId}:endpointgroup/{#EndpointGroupId}
BusiRegion	acs:ga:{#regionId}:{#accountId}:region/* acs:ga:{#regionId}:{#accountId}:region/{#regionId}
BasicAccelerateIpEndpointRelation	acs:ga:{#regionId}:{#accountId}:ga/{#gaId} acs:ga:{#regionId}:{#accountId}:basicgaip/{#basicgaipId} acs:ga:{#regionId}:{#accountId}:basicendpoint/{#basicendpointId}
CustomRoutingPortMapping	acs:ga:*:{#accountId}:ga/{#gaId}
AccelerateArea	acs:ga:{#regionId}:{#accountId}:region/*
AccessLog	acs:ga:{#regionId}:{#accountId}:endpointgroup/{#endpointgroupId}
CustomRoutingEndpoint	acs:ga::{#accountId}:ga/{#gaId} acs:ga:{#regionId}:{#accountId}:customroutingendpointgroup/{#customRoutingEndpointGroupId} acs:ga:{#regionId}:{#accountId}:customroutingendpoint/{#CustomRoutingEndpointId} acs:ga::{#accountId}:customroutingendpoint/{#customroutingendpointId}
BasicIpSet	acs:ga:{#regionId}:{#accountId}:ipset/{#BasicIpSetId} acs:ga:{#regionId}:{#accountId}:ipset/{#ipsetId} acs:ga:{#regionId}:{#accountId}:ipset/*
AdditionalCertificate	acs:ga:{#regionId}:{#accountId}:listener/{#ListenerId}

Condition

The following table lists the product-level condition keys defined by Global Accelerator. You can also use Alibaba Cloud's Common condition keys. Specify these keys in the Condition element of RAM policy statements to define granular authorization rules. In the condition key, specify the condition values in the Condition_value element of the policy.

Each condition key has a specific data type, such as string, number, Boolean, or IP address. The data type determines which conditional operators can be used to compare the request values against policy values. You must specify the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition operator for valid combinations.

Condition key	Description	Data type
ga:AcceleratorMainland	Acceleration area	String
ga:BandwidthPackageType	Bandwidth Package Type	String
ga:TLSVersion	TLS version support	String

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: