RAM authorization - Microservices Engine

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Microservices Engine for RAM permission policies. The RAM code (RamCode) for Microservices Engine is mse,microgw , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Microservices Engine. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
mse:CreateIsolationRule	CreateIsolationRule	create	All Resource ``	None	None
mse:ListGatewayRoute	ListGatewayRoute	get	All Resource ``	None	None
mse:AddMockRule	AddMockRule		All Resource ``	None	None
mse:UpdateGatewayAuth	UpdateGatewayAuth	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetServiceMethodPage	GetServiceMethodPage	get	All Resource ``	None	None
mse:ListMigrationTask	ListMigrationTask	list	All Resource ``	None	None
mse:CreateWebFlowRule	CreateWebFlowRule	update	All Resource ``	None	None
mse:DeleteZnode	DeleteZnode	delete	All Resource ``	None	None
mse:GetImage	GetImage	get	All Resource ``	None	None
mse:AddGatewayAuth	AddGatewayAuth	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayRouteWafStatus	UpdateGatewayRouteWafStatus	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:AddAuthResource	AddAuthResource	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetOverview	GetOverview		All Resource ``	None	None
mse:ListSSLCert	ListSSLCert	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayName	UpdateGatewayName	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:AddSecurityGroupRule	AddSecurityGroupRule	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateCircuitBreakerRule	CreateCircuitBreakerRule	create	All Resource ``	None	None
mse:CreateEngineNamespace	CreateEngineNamespace	create	All Resource ``	None	None
mse:DeleteBlackWhiteList	DeleteBlackWhiteList	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryClusterDiskSpecification	QueryClusterDiskSpecification	get	All Resource ``	None	None
mse:ListApplicationsWithTagRules	ListApplicationsWithTagRules	get	All Resource ``	None	None
mse:FetchLosslessRuleList	FetchLosslessRuleList	get	All Resource ``	None	None
mse:UpdateAuthPolicy	UpdateAuthPolicy	get	All Resource ``	None	None
mse:EnableHttp2	EnableHttp2	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetGatewayAuthDetail	GetGatewayAuthDetail	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteNacosInstance	DeleteNacosInstance	delete	All Resource ``	None	None
mse:QueryClusterDetail	QueryClusterDetail	get	All Resource ``	None	None
mse:CloneSentinelRuleFromAhas	CloneSentinelRuleFromAhas	create	All Resource ``	None	None
mse:GetServiceListeners	GetServiceListeners	get	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:AddAuthPolicy	AddAuthPolicy	update	All Resource ``	None	None
mse:TagResources	TagResources	update	All Resource ``	None	None
mse:RestartCluster	RestartCluster	update	*Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
mse:DeleteGatewayServiceVersion	DeleteGatewayServiceVersion	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryZnodeDetail	QueryZnodeDetail	get	All Resource ``	None	None
mse:ApplyTagPolicies	ApplyTagPolicies	update	All Resource ``	None	None
mse:DeleteGatewayService	DeleteGatewayService	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteNacosService	DeleteNacosService	update	All Resource ``	None	None
mse:QuerySlbSpec	QuerySlbSpec	list	All Resource ``	None	None
mse:DeletePluginConfig	DeletePluginConfig	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ApplyGatewayRoute	ApplyGatewayRoute	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListGatewayService	ListGatewayService	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:EnableProxyProtocol	EnableProxyProtocol	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayAuthConsumer	UpdateGatewayAuthConsumer		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:OrderClusterHealthCheckRiskNotice	OrderClusterHealthCheckRiskNotice	get	All Resource ``	None	None
mse:ListGatewayAuth	ListGatewayAuth	get	All Resource ``	None	None
mse:ListConfigTrack	ListConfigTrack	list	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:ListGatewayAuthConsumer	ListGatewayAuthConsumer	list	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateMseServiceApplication	CreateMseServiceApplication	get	All Resource ``	None	None
mse:ListNacosHistoryConfigs	ListNacosHistoryConfigs	get	All Resource ``	None	None
mse:UpdateGatewayAuthConsumerResource	UpdateGatewayAuthConsumerResource	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListEngineNamespaces	ListEngineNamespaces	list	All Resource ``	None	None
mse:QueryClusterSpecification	QueryClusterSpecification		All Resource ``	None	None
mse:ListEurekaServices	ListEurekaServices	get	All Resource ``	None	None
mse:GetPluginConfig	GetPluginConfig	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateZnode	CreateZnode	create	All Resource ``	None	None
mse:ListSecurityGroup	ListSecurityGroup	list	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryInstancesInfo	QueryInstancesInfo	get	All Resource ``	None	None
mse:UpdateGatewayServiceVersion	UpdateGatewayServiceVersion	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateNacosService	CreateNacosService	get	All Resource ``	None	None
mse:ListNacosMcpServers	ListNacosMcpServers	list	All Resource ``	None	None
mse:AddGatewaySlb	AddGatewaySlb	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryMonitor	QueryMonitor	get	All Resource ``	None	None
mse:GetNacosMcpServer	GetNacosMcpServer	get	All Resource ``	None	None
mse:CreateOrUpdateSwimmingLaneGroup	CreateOrUpdateSwimmingLaneGroup	update	*GovernanceNamespace `acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}`	None	None
mse:ListSecurityGroupRule	ListSecurityGroupRule	list	All Resource ``	None	None
mse:ListClusterTypes	ListClusterTypes		All Resource ``	None	None
mse:GetMseSource	GetMseSource	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ImportZookeeperData	ImportZookeeperData	update	All Resource ``	None	None
mse:DeleteGatewayCircuitBreakerRule	DeleteGatewayCircuitBreakerRule	delete	All Resource ``	None	None
mse:GetTagsBySwimmingLaneGroupId	GetTagsBySwimmingLaneGroupId	get	All Resource ``	None	None
mse:DeleteGatewayRoute	DeleteGatewayRoute	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetEngineNamepace	GetEngineNamepace	get	All Resource ``	None	None
mse:DeleteNamespace	DeleteNamespace	delete	All Resource ``	None	None
mse:CreateNacosMcpServer	CreateNacosMcpServer	create	All Resource ``	None	None
mse:GetBlackWhiteList	GetBlackWhiteList	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetKubernetesSource	GetKubernetesSource	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateImage	UpdateImage	update	*Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
mse:ListNamespaces	ListNamespaces	list	All Resource ``	None	None
mse:AddMigrationTask	AddMigrationTask	create	All Resource ``	None	None
mse:CreateGatewayCircuitBreakerRule	CreateGatewayCircuitBreakerRule	create	All Resource ``	None	None
mse:PutClusterHealthCheckTask	PutClusterHealthCheckTask		*Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
mse:AddGatewayDomain	AddGatewayDomain	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayAuthConsumerStatus	UpdateGatewayAuthConsumerStatus		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteFlowRules	DeleteFlowRules	delete	All Resource ``	None	None
mse:ListGatewayDomain	ListGatewayDomain	list	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateMigrationTask	UpdateMigrationTask	update	All Resource ``	None	None
mse:GetLocalityRule	GetLocalityRule	get	All Resource ``	None	None
mse:ListServiceSource	ListServiceSource	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateServiceSource	UpdateServiceSource	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateMessageQueueRoute	UpdateMessageQueueRoute	update	All Resource ``	None	None
mse:UpdatePluginConfig	UpdatePluginConfig	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayRouteCORS	UpdateGatewayRouteCORS	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListZnodeChildren	ListZnodeChildren	list	All Resource ``	None	None
mse:UpdateIsolationRule	UpdateIsolationRule	update	All Resource ``	None	None
mse:RemoveAuthPolicy	RemoveAuthPolicy	get	All Resource ``	None	None
mse:ChangeResourceGroup	ChangeResourceGroup	update	All Resource ``	None	None
mse:UpdateNacosService	UpdateNacosService	update	All Resource ``	None	None
mse:DeleteSecurityGroupRule	DeleteSecurityGroupRule	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListGatewayZone	ListGatewayZone	list	All Resource ``	None	None
mse:UpgradeCluster	UpgradeCluster		All Resource ``	None	None
mse:GetZookeeperDataImportUrl	GetZookeeperDataImportUrl	get	All Resource ``	None	None
mse:PreserveHeaderFormat	PreserveHeaderFormat	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateConfig	UpdateConfig	update	All Resource ``	None	None
mse:CreateNamespace	CreateNamespace	get	All Resource ``	None	None
mse:GetGatewayServiceDetail	GetGatewayServiceDetail	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryGovernanceKubernetesCluster	QueryGovernanceKubernetesCluster	get	All Resource ``	None	None
mse:ListExportZookeeperData	ListExportZookeeperData	list	All Resource ``	None	None
mse:UpdateGatewayRouteRetry	UpdateGatewayRouteRetry	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateSSLCert	UpdateSSLCert	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateLocalityRule	UpdateLocalityRule	get	All Resource ``	None	None
mse:UpdateGatewayServiceTrafficPolicy	UpdateGatewayServiceTrafficPolicy	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ImportNacosConfig	ImportNacosConfig	create	All Resource ``	None	None
mse:DeleteWebFlowRules	DeleteWebFlowRules	delete	All Resource ``	None	None
mse:UpdateGatewayRouteTimeout	UpdateGatewayRouteTimeout	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListListenersByConfig	ListListenersByConfig	get	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:SelectGatewaySlb	SelectGatewaySlb	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetPlugins	GetPlugins	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayRouteHeaderOp	UpdateGatewayRouteHeaderOp	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryAllSwimmingLaneGroup	QueryAllSwimmingLaneGroup	get	All Resource ``	None	None
mse:DeleteNacosConfigs	DeleteNacosConfigs	delete	All Resource ``	None	None
mse:CloneNacosConfig	CloneNacosConfig	create	All Resource ``	None	None
mse:DeleteSwimmingLaneGroup	DeleteSwimmingLaneGroup	get	All Resource ``	None	None
mse:QueryConfig	QueryConfig	get	All Resource ``	None	None
mse:GetImportFileUrl	GetImportFileUrl	get	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:UpdateGatewayOption	UpdateGatewayOption	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListWebFlowRules	ListWebFlowRules	list	All Resource ``	None	None
mse:ListClusterConnectionTypes	ListClusterConnectionTypes	get	All Resource ``	None	None
mse:QueryAllSwimmingLane	QueryAllSwimmingLane	get	*GovernanceNamespace `acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}`	None	None
mse:GetGatewayDomainDetail	GetGatewayDomainDetail	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateZnode	UpdateZnode	update	All Resource ``	None	None
mse:CreateApplication	CreateApplication	create	All Resource ``	None	None
mse:UpdateGatewayCircuitBreakerRule	UpdateGatewayCircuitBreakerRule	update	All Resource ``	None	None
mse:DeleteGatewaySlb	DeleteGatewaySlb	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QuerySwimmingLaneById	QuerySwimmingLaneById	get	*GovernanceNamespace `acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}`	None	None
mse:DeleteGatewayAuthConsumerResource	DeleteGatewayAuthConsumerResource		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateWebFlowRule	UpdateWebFlowRule	update	All Resource ``	None	None
mse:UpdateCircuitBreakerRule	UpdateCircuitBreakerRule	update	All Resource ``	None	None
mse:GetMseFeatureSwitch	GetMseFeatureSwitch	get	All Resource ``	None	None
mse:UpdateGatewayIsolationRule	UpdateGatewayIsolationRule	update	All Resource ``	None	None
mse:DeleteGatewayAuth	DeleteGatewayAuth	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetAppMessageQueueRoute	GetAppMessageQueueRoute	get	All Resource ``	None	None
mse:GetNacosConfig	QueryNacosGrayConfig	get	All Resource ``	None	None
mse:GetApplicationList	GetApplicationList	get	All Resource ``	None	None
mse:UpdateGatewayDomain	UpdateGatewayDomain	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ExportNacosConfig	ExportNacosConfig	get	Cluster `acs:mse:{#regionId}:{#AccountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:DeleteGatewayIsolationRule	DeleteGatewayIsolationRule	delete	All Resource ``	None	None
mse:ListGatewaySlb	ListGatewaySlb	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetGatewayOption	GetGatewayOption	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateNacosInstance	CreateNacosInstance	create	All Resource ``	None	None
mse:CreatePluginConfig	CreatePluginConfig	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateAcl	UpdateAcl	update	All Resource ``	None	None
mse:ListListenersByIp	ListListenersByIp	get	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:DeleteCircuitBreakerRules	DeleteCircuitBreakerRules	delete	All Resource ``	None	None
mse:CreateSentinelBlockFallbackDefinition	CreateSentinelBlockFallbackDefinition	update	All Resource ``	None	None
mse:AddBlackWhiteList	AddBlackWhiteList	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListIsolationRules	ListIsolationRules	list	All Resource ``	None	None
mse:ListFlowRules	ListFlowRules	list	All Resource ``	None	None
mse:ModifyLosslessRule	ModifyLosslessRule	get	All Resource ``	None	None
mse:ModifyGovernanceKubernetesCluster	ModifyGovernanceKubernetesCluster	update	All Resource ``	None	None
mse:InitializeServiceLinkRole	InitializeServiceLinkRole	get	All Resource ``	None	None
mse:PullServices	PullServices	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateNacosConfig	CreateNacosConfig	get	All Resource ``	None	None
mse:ListInstanceCount	ListInstanceCount	get	All Resource ``	None	None
mse:GetApplicationInstanceList	GetApplicationInstanceList	get	All Resource ``	None	None
mse:ListAnsServiceClusters	ListAnsServiceClusters	list	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:QueryGatewayType	QueryGatewayType	get	All Resource ``	None	None
mse:ListTagResources	ListTagResources	get	All Resource ``	None	None
mse:UpdateClusterSpec	UpdateClusterSpec	update	All Resource ``	None	None
mse:CreateFlowRule	CreateFlowRule	create	All Resource ``	None	None
mse:DeleteMigrationTask	DeleteMigrationTask	delete	All Resource ``	None	None
mse:GetNacosHistoryConfig	GetNacosHistoryConfig	get	All Resource ``	None	None
mse:DeleteGateway	DeleteGateway	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ImportServices	ImportServices	create	All Resource ``	None	None
mse:RemoveApplication	RemoveApplication	delete	All Resource ``	None	None
mse:RetryCluster	RetryCluster	update	*Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
mse:ListSentinelBlockFallbackDefinitions	ListSentinelBlockFallbackDefinitions	list	All Resource ``	None	None
mse:QueryClusterInfo	QueryClusterInfo	get	All Resource ``	None	None
mse:BindSentinelBlockFallbackDefinition	BindSentinelBlockFallbackDefinition	update	*GovernanceApplication `acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}/application/{#AppName}`	None	None
mse:GetGatewayAuthConsumerDetail	GetGatewayAuthConsumerDetail	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListNacosConfigs	ListNacosConfigs	get	All Resource ``	None	None
mse:GetServiceListPage	GetServiceListPage	get	All Resource ``	None	None
mse:AddGateway	AddGateway	create	Gateway `acs:mse:{#regionId}:{#accountId}:instance/`	None	None
mse:GetGovernanceKubernetesCluster	GetGovernanceKubernetesCluster	get	All Resource ``	None	None
mse:DeleteGatewayFlowRule	DeleteGatewayFlowRule	delete	All Resource ``	None	None
mse:QueryNamespace	QueryNamespace	get	All Resource ``	None	None
mse:ListNamingTrack	ListNamingTrack	get	*Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}`	None	None
mse:ListAnsServices	ListAnsServices	list	All Resource ``	None	None
mse:UpdateNacosConfig	UpdateNacosGrayConfig	update	All Resource ``	None	None
mse:OfflineGatewayRoute	OfflineGatewayRoute		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetGatewayConfig	GetGatewayConfig	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListClusterVersions	ListClusterVersions		All Resource ``	None	None
mse:ListEurekaInstances	ListEurekaInstances	get	All Resource ``	None	None
mse:UpdateGatewayAuthConsumerResourceStatus	UpdateGatewayAuthConsumerResourceStatus		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayRouteAuth	UpdateGatewayRouteAuth		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:AddGatewayServiceVersion	AddGatewayServiceVersion	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListGatewayIsolationRule	ListGatewayIsolationRule	list	All Resource ``	None	None
mse:DeleteGatewayAuthConsumer	DeleteGatewayAuthConsumer		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteNacosConfig	DeleteNacosConfig	delete	All Resource ``	None	None
mse:ExportZookeeperData	ExportZookeeperData	get	All Resource ``	None	None
mse:ListGateway	ListGateway	get	All Resource ``	None	None
mse:CreateGatewayFlowRule	CreateGatewayFlowRule	create	All Resource ``	None	None
mse:AddGatewayAuthConsumer	AddGatewayAuthConsumer	create	All Resource ``	None	None
mse:ListAppBySwimmingLaneGroupTag	ListAppBySwimmingLaneGroupTag	get	All Resource ``	None	None
mse:UpdateGatewayService	UpdateGatewayService	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewaySpec	UpdateGatewaySpec	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateBlackWhiteList	UpdateBlackWhiteList	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateOrUpdateSwimmingLane	CreateOrUpdateSwimmingLane	create	*GovernanceNamespace `acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}`	None	None
mse:AddSSLCert	AddSSLCert	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateFlowRule	UpdateFlowRule	update	All Resource ``	None	None
mse:ListZkTrack	ListZkTrack	list	All Resource ``	None	None
mse:DeleteCluster	DeleteCluster	delete	All Resource ``	None	None
mse:UpdateCluster	UpdateCluster	update	All Resource ``	None	None
mse:DeleteNacosMcpServer	DeleteNacosMcpServer	delete	All Resource ``	None	None
mse:DeleteSwimmingLane	DeleteSwimmingLane	delete	All Resource ``	None	None
mse:UpdateGatewayRouteHTTPRewrite	UpdateGatewayRouteHTTPRewrite	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GatewayBlackWhiteList	GatewayBlackWhiteList	get	All Resource ``	None	None
mse:ListAppBySwimmingLaneGroupTags	ListAppBySwimmingLaneGroupTags	list	All Resource ``	None	None
mse:AddGatewayRoute	AddGatewayRoute	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayConfig	UpdateGatewayConfig	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:CreateCluster	CreateCluster	create	Cluster `acs:mse:{#regionId}:{#accountId}:instance/`	None	None
mse:ListGatewayAuthConsumerResource	ListGatewayAuthConsumerResource		*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateNacosConfig	UpdateNacosConfig	update	All Resource ``	None	None
mse:ListAuthPolicy	ListAuthPolicy	get	All Resource ``	None	None
mse:AddServiceSource	AddServiceSource	create	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetLosslessRuleByApp	GetLosslessRuleByApp	get	All Resource ``	None	None
mse:ListCircuitBreakerRules	ListCircuitBreakerRules	list	All Resource ``	None	None
mse:ListClusterHealthCheckTask	ListClusterHealthCheckTask	get	All Resource ``	None	None
mse:UpdateGatewayServiceCheck	UpdateGatewayServiceCheck	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:ListAnsInstances	ListAnsInstances	list	All Resource ``	None	None
mse:GetNacosConfig	GetNacosConfig	get	*EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:UpdateNacosInstance	UpdateNacosInstance	update	All Resource ``	None	None
mse:ListGatewayCircuitBreakerRule	ListGatewayCircuitBreakerRule	list	All Resource ``	None	None
mse:GetServiceList	GetServiceList	get	All Resource ``	None	None
mse:DeleteIsolationRules	DeleteIsolationRules	delete	All Resource ``	None	None
mse:UpdateGatewayFlowRule	UpdateGatewayFlowRule	update	All Resource ``	None	None
mse:DeleteGatewayDomain	DeleteGatewayDomain	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:QueryGatewayRegion	QueryGatewayRegion	get	All Resource ``	None	None
mse:ListGatewayFlowRule	ListGatewayFlowRule	list	All Resource ``	None	None
mse:UpdateNacosCluster	UpdateNacosCluster	update	Cluster `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}` EngineNamespace `acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}`	None	None
mse:ListGatewayRouteOnAuth	ListGatewayRouteOnAuth	list	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteEngineNamespace	DeleteEngineNamespace	delete	All Resource ``	None	None
mse:CreateGatewayIsolationRule	CreateGatewayIsolationRule	create	All Resource ``	None	None
mse:GetGatewayRouteDetail	GetGatewayRouteDetail	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:GetGateway	GetGateway	get	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateGatewayRoute	UpdateGatewayRoute	update	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteServiceSource	DeleteServiceSource	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:DeleteAuthResource	DeleteAuthResource	delete	*Gateway `acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}`	None	None
mse:UpdateEngineNamespace	UpdateEngineNamespace	update	All Resource ``	None	None
mse:ListClusters	ListClusters	get	All Resource ``	None	None

Resource

The following table lists the resources defined by Microservices Engine. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
Gateway	acs:mse:{#regionId}:{#accountId}:instance/* acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId} acs:mse:{#Region}:{#AccountId}:instance/{#GatewayUniqueId}
GovernanceApplication	acs:mse:{#Region}:{#AccountId}:namespace/{#Namespace}/application/{#AppName} acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}/application/{#AppName}
EngineNamespace	acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/* acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}/{#NamespaceId}
Cluster	acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId} acs:mse:{#regionId}:{#accountId}:cluster/{#InstanceId} acs:mse:{#regionId}:{#accountId}:instance/*
NacosInstance	acs:mse:{#regionId}:{#accountId}:nacosinstance/*
NacosService	acs:mse:*:{#accountId}:nacosservice/{#ServiceName}
NacosConfig	acs:mse:*:{#accountId}:nacosconfig/{#DataId} acs:mse::{#accountId}:nacosconfig/{#DataId}
GovernanceNamespace	acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace} acs:mse:{#Region}:{#AccountId}:namespace/{#Namespace}

Condition

Microservices Engine does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: