Before a RAM user can call the IMS API, the Alibaba Cloud account (the root account) must create a permission policy and attach it to that RAM user. In the policy, the resource being authorized is identified by an Alibaba Cloud Resource Name (ARN). Where the tables below give a per-resource form such as user/<user-name>, prefer it over the wildcard form user/* so that the grant is limited to the specific user, group, identity provider or MFA device it is meant for.

The fields used in this topic have the following meanings; replace them with the actual values when you use them.

  • <account-id>: ID of the Alibaba Cloud account (root account).
  • <user-name>: name of the RAM user.
  • <group-name>: name of the RAM user group.
  • <saml-provider-name>: name of the identity provider (IdP).
  • <serial-number>: serial number of the virtual MFA device.

Authorization list for user management

The following table lists the actions (Action) that can be authorized for user management and the resources (Resource) each action applies to.

Action                                  Resource
ram:CreateUser                          acs:ram:*:<account-id>:user/*
ram:GetUser                             acs:ram:*:<account-id>:user/<user-name>
ram:UpdateUser                          acs:ram:*:<account-id>:user/<user-name>
ram:DeleteUser                          acs:ram:*:<account-id>:user/<user-name>
ram:ListUsers                           acs:ram:*:<account-id>:user/*
ram:ListUserBasicInfos                  acs:ram:*:<account-id>:user/*
ram:CreateLoginProfile                  acs:ram:*:<account-id>:user/<user-name>
ram:GetLoginProfile                     acs:ram:*:<account-id>:user/<user-name>
ram:UpdateLoginProfile                  acs:ram:*:<account-id>:user/<user-name>
ram:DeleteLoginProfile                  acs:ram:*:<account-id>:user/<user-name>
ram:CreateAccessKey                     acs:ram:*:<account-id>:user/<user-name>
ram:UpdateAccessKey                     acs:ram:*:<account-id>:user/<user-name>
ram:DeleteAccessKey                     acs:ram:*:<account-id>:user/<user-name>
ram:ListAccessKeys                      acs:ram:*:<account-id>:user/<user-name>
ram:GetAccessKeyLastUsed                acs:ram:*:<account-id>:user/<user-name>
ram:CreateVirtualMFADevice              acs:ram:*:<account-id>:mfa/*
ram:ListVirtualMFADevices               acs:ram:*:<account-id>:mfa/*
ram:DeleteVirtualMFADevice              acs:ram:*:<account-id>:mfa/<serial-number>
ram:DisableVirtualMFA                   acs:ram:*:<account-id>:user/<user-name>
ram:BindMFADevice                       acs:ram:*:<account-id>:user/<user-name>
ram:UnbindMFADevice                     acs:ram:*:<account-id>:user/<user-name>
ram:GetAccountMFAInfo                   acs:ram:*:<account-id>:*
ram:GetUserMFAInfo                      acs:ram:*:<account-id>:user/<user-name>
ram:GetAccountSummary                   acs:ram:*:<account-id>:*
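As an added illustration (not from the Alibaba Cloud documentation and not the RAM service's own code), the following Python builds a least-privilege policy from the access-key actions in the table above, scoped to one user's ARN instead of user/*, and runs a simplified matcher over it to show which requests the ARN patterns do and do not cover. The account ID and user name are constructed placeholders; the wildcard matching and the Deny-over-Allow evaluation are an assumed model of how the Action and Resource fields are compared, not the service's implementation.

```python
import json
import re

# Constructed placeholder values for this example; substitute the real account ID
# and the RAM user name described in the field list above.
ACCOUNT_ID = "1234567890123456"
USER_NAME = "alice"


def ram_arn(account_id: str, resource: str) -> str:
    """Build a RAM resource ARN in the acs:ram:*:<account-id>:<resource> form used in the tables."""
    return f"acs:ram:*:{account_id}:{resource}"


def key_rotation_policy(account_id: str, user_name: str) -> dict:
    """Least-privilege policy: only the access-key actions from the user-management
    table, on the ARN of a single RAM user rather than on user/*."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:ListAccessKeys",
                    "ram:GetAccessKeyLastUsed",
                    "ram:CreateAccessKey",
                    "ram:UpdateAccessKey",
                    "ram:DeleteAccessKey",
                ],
                "Resource": ram_arn(account_id, f"user/{user_name}"),
            }
        ],
    }


def pattern_matches(pattern: str, value: str) -> bool:
    """Wildcard match in which '*' stands for any run of characters.
    Assumed model of how RAM compares Action and Resource values (not service code)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(field):
    """Action and Resource may be written as a single string or a list."""
    return field if isinstance(field, list) else [field]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request against the policy: an explicit Deny wins over any
    Allow, and a request that no statement matches is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(pattern_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(pattern_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = key_rotation_policy(ACCOUNT_ID, USER_NAME)
    print(json.dumps(policy, indent=2))
    own = ram_arn(ACCOUNT_ID, f"user/{USER_NAME}")
    other = ram_arn(ACCOUNT_ID, "user/bob")
    print(is_allowed(policy, "ram:CreateAccessKey", own))    # True
    print(is_allowed(policy, "ram:CreateAccessKey", other))  # False: a different user's ARN
    print(is_allowed(policy, "ram:CreateUser", ram_arn(ACCOUNT_ID, "user/*")))  # False: action not granted
```

The contrast worth noticing is between the two ARN forms in the table: user/<user-name> lets the policy above cover alice's keys and nothing else, whereas ram:CreateUser and ram:ListUsers can only be granted on user/*, so granting them at all means granting them for every user in the account.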

Authorization list for user group management

The following table lists the actions (Action) that can be authorized for user group management and the resources (Resource) each action applies to. Adding a user to a group or removing one requires authorization on both the user and the group resource.

Action                                  Resource
ram:CreateGroup                         acs:ram:*:<account-id>:group/*
ram:GetGroup                            acs:ram:*:<account-id>:group/<group-name>
ram:UpdateGroup                         acs:ram:*:<account-id>:group/<group-name>
ram:DeleteGroup                         acs:ram:*:<account-id>:group/<group-name>
ram:ListGroups                          acs:ram:*:<account-id>:group/*
ram:AddUserToGroup                      acs:ram:*:<account-id>:user/<user-name>
                                        acs:ram:*:<account-id>:group/<group-name>
ram:RemoveUserFromGroup                 acs:ram:*:<account-id>:user/<user-name>
                                        acs:ram:*:<account-id>:group/<group-name>
ram:ListUsersForGroup                   acs:ram:*:<account-id>:group/<group-name>
ram:ListGroupsForUser                   acs:ram:*:<account-id>:user/<user-name>

Authorization list for single sign-on (SSO) management

The following table lists the actions (Action) that can be authorized for single sign-on (SSO) management and the resources (Resource) each action applies to.

Action                                  Resource
ram:SetUserSsoSettings                  acs:ram:*:<account-id>:*
ram:GetUserSsoSettings                  acs:ram:*:<account-id>:*
ram:CreateSAMLProvider                  acs:ram:*:<account-id>:saml-provider/*
ram:GetSAMLProvider                     acs:ram:*:<account-id>:saml-provider/<saml-provider-name>
ram:UpdateSAMLProvider                  acs:ram:*:<account-id>:saml-provider/<saml-provider-name>
ram:ListSAMLProviders                   acs:ram:*:<account-id>:saml-provider/*
ram:DeleteSAMLProvider                  acs:ram:*:<account-id>:saml-provider/<saml-provider-name>

Authorization list for security settings

The following table lists the actions (Action) that can be authorized for security settings and the resources (Resource) each action applies to. These settings are account-wide, so every action here is granted on the account-level resource rather than on an individual user, group or provider.

Action                                  Resource
ram:SetPasswordPolicy                   acs:ram:*:<account-id>:*
ram:GetPasswordPolicy                   acs:ram:*:<account-id>:*
ram:SetSecurityPreference               acs:ram:*:<account-id>:*
ram:GetSecurityPreference               acs:ram:*:<account-id>:*
ram:SetDefaultDomain                    acs:ram:*:<account-id>:*
ram:GetDefaultDomain                    acs:ram:*:<account-id>:*
ram:GenerateCredentialReport            acs:ram:*:<account-id>:*
ram:GetCredentialReport                 acs:ram:*:<account-id>:*
ram:GetAccountSecurityPracticeReport    acs:ram:*:<account-id>:*