RAM用户调用IMS API前,需要阿里云账号(主账号)创建权限策略并对RAM用户进行授权。在权限策略中,使用资源描述符(Alibaba Cloud Resource Name,ARN)指定授权资源。
本文用到的字段含义如下,请在使用时替换为实际值。
- <account-id>:阿里云账号(主账号)ID。
- <user-name>:RAM用户名称。
- <group-name>:RAM用户组名称。
- <saml-provider-name>:身份提供商名称。
- <serial-number>:虚拟MFA设备序列号。
用户管理鉴权列表
下表列举了用户管理中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| ram:CreateUser | acs:ram:*:<account-id>:user/* |
| ram:GetUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:UpdateUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:DeleteUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:ListUsers | acs:ram:*:<account-id>:user/* |
| ram:ListUserBasicInfos | acs:ram:*:<account-id>:user/* |
| ram:CreateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:GetLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:UpdateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:DeleteLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:CreateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
| ram:UpdateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
| ram:DeleteAccessKey | acs:ram:*:<account-id>:user/<user-name> |
| ram:ListAccessKeys | acs:ram:*:<account-id>:user/<user-name> |
| ram:GetAccessKeyLastUsed | acs:ram:*:<account-id>:user/<user-name> |
| ram:CreateVirtualMFADevice | acs:ram:*:<account-id>:mfa/* |
| ram:ListVirtualMFADevices | acs:ram:*:<account-id>:mfa/* |
| ram:DeleteVirtualMFADevice | acs:ram:*:<account-id>:mfa/<serial-number> |
| ram:DisableVirtualMFA | acs:ram:*:<account-id>:user/<user-name> |
| ram:BindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
| ram:UnbindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
| ram:GetAccountMFAInfo | acs:ram:*:<account-id>:* |
| ram:GetUserMFAInfo | acs:ram:*:<account-id>:user/<user-name> |
| ram:GetAccountSummary | acs:ram:*:<account-id>:* |
用户组管理鉴权列表
下表列举了用户组管理中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| ram:CreateGroup | acs:ram:*:<account-id>:group/* |
| ram:GetGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:UpdateGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:DeleteGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:ListGroups | acs:ram:*:<account-id>:group/* |
| ram:AddUserToGroup |
|
| ram:RemoveUserFromGroup |
|
| ram:ListUsersForGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:ListGroupsForUser | acs:ram:*:<account-id>:user/<user-name> |
单点登录(SSO)管理鉴权列表
下表列举了单点登录(SSO)管理中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| ram:SetUserSsoSettings | acs:ram:*:<account-id>:* |
| ram:GetUserSsoSettings | acs:ram:*:<account-id>:* |
| ram:CreateSAMLProvider | acs:ram:*:<account-id>:saml-provider/* |
| ram:GetSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
| ram:UpdateSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
| ram:ListSAMLProviders | acs:ram:*:<account-id>:saml-provider/* |
| ram:DeleteSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
安全设置鉴权列表
下表列举了安全设置中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| ram:SetPasswordPolicy | acs:ram:*:<account-id>:* |
| ram:GetPasswordPolicy | acs:ram:*:<account-id>:* |
| ram:SetSecurityPreference | acs:ram:*:<account-id>:* |
| ram:GetSecurityPreference | acs:ram:*:<account-id>:* |
| ram:SetDefaultDomain | acs:ram:*:<account-id>:* |
| ram:GetDefaultDomain | acs:ram:*:<account-id>:* |
| ram:GenerateCredentialReport | acs:ram:*:<account-id>:* |
| ram:GetCredentialReport | acs:ram:*:<account-id>:* |
| ram:GetAccountSecurityPracticeReport | acs:ram:*:<account-id>:* |