RAM用户调用资源管理API前,需要阿里云账号(主账号)创建权限策略并对RAM用户进行授权。在权限策略中,使用资源描述符ARN(Aliyun Resource Name)指定授权资源。
资源(Resource)中用到的字段含义如下,请在使用时替换为实际值。
- <account_id>:阿里云账号(主账号)ID。
- <resourcegroup_id>:资源组ID。
- <policy_name>:权限策略名称。
- <role_name>:RAM角色名称。
- <resource_type>:资源类型。
- <resource_id>:资源ID。
- <region_id>:地域ID。
- <product>:云服务代码。
- <handshake_id>:成员邀请ID。
- <policy_id>:管控策略ID。
- <resource_directory_path>:RDPath,资源夹或成员在资源目录中的位置信息。
对于必选的资源类型,用加粗字体显示。
资源组鉴权列表
下表列举了资源组中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| ram:CreateResourceGroup | acs:ram:*:<account_id>:resourcegroup/* |
| ram:DeleteResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
| ram:UpdateResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
| ram:CreatePolicy | acs:ram:*:<account_id>:policy/* |
| ram:DeletePolicy | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:ListPolicies | acs:ram:*:<account_id>:policy/* |
| ram:GetPolicy | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:CreatePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:DeletePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:ListPolicyVersions | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:GetPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:SetDefaultPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
| ram:AttachPolicy |
|
| ram:DetachPolicy |
|
| ram:ListPolicyAttachments | acs:ram:*:<account_id>:* |
| ram:CreateRole | acs:ram:*:<account_id>:role/* |
| ram:GetRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:ListRoles | acs:ram:*:<account_id>:role/* |
| ram:UpdateRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:DeleteRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:CreateServiceLinkedRole | acs:ram:*:<account_id>:role/* |
| ram:DeleteServiceLinkedRole | acs:ram:*:<account_id>:role/<role_name> |
| ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:<account_id>:role/<role_name> |
资源目录鉴权列表
下表列举了资源目录中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| resourcemanager:AcceptHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:AttachControlPolicy |
|
| resourcemanager:BindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:CancelHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:CheckAccountDelete | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:CreateCloudAccount | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:CreateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:CreateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:CreateResourceAccount | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:DeclineHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:DeleteAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:DeleteControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:DeleteFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:DeregisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:DetachControlPolicy |
|
| resourcemanager:DisableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:EnableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:EnableResourceDirectory | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:GetAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetAccountDeletionCheckResult | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetAccountDeletionStatus | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:GetControlPolicyEnablementStatus | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:GetFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:GetHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
| resourcemanager:GetPayerForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:GetResourceDirectory | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:InviteAccountToResourceDirectory |
|
| resourcemanager:ListAccounts | acs:resourcemanager:*:<account_id>:account/* |
| resourcemanager:ListAccountsForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:ListAncestors | acs:resourcemanager:*:<account_id>:folder/* |
| resourcemanager:ListControlPolicies | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
| resourcemanager:ListControlPolicyAttachmentsForTarget |
|
| resourcemanager:ListDelegatedAdministrators | acs:resourcemanager:*:<account_id>:account/* |
| resourcemanager:ListDelegatedServicesForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:ListFoldersForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
| resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:<account_id>:handshake/* |
| resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:<account_id>:handshake/* |
| resourcemanager:ListTagKeys | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:ListTagResources | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:ListTagValues | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:ListTargetAttachmentsForControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:MoveAccount |
|
| resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:RegisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:SendVerificationCodeForBindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:SendVerificationCodeForEnableRD | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:TagResources | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:UntagResources | acs:resourcemanager:*:<account_id>:* |
| resourcemanager:UpdateAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
| resourcemanager:UpdateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
| resourcemanager:UpdateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
资源共享鉴权列表
下表列举了资源共享中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| resourcesharing:EnableSharingWithResourceDirectory | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:CreateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:UpdateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DeleteResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceShares | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:AssociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DisassociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceShareAssociations | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListSharedResources | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListSharedTargets | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DescribeRegions | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceShareInvitations | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:AcceptResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:RejectResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:AssociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:DisassociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListResourceSharePermissions | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:GetPermission | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListPermissionVersions | acs:resourcesharing:<region_id>:<account_id>:* |
| resourcesharing:ListPermissions | acs:resourcesharing:<region_id>:<account_id>:* |
标签鉴权列表
下表列举了标签中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| tag:ListTagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id> |
| tag:TagResources |
|
| tag:UntagResources |
|
| tag:ListTagKeys | acs:tag:<region_id>:<account_id>:*/* |
| tag:ListTagValues | acs:tag:<region_id>:<account_id>:*/* |
| tag:CreateTags | acs:tag:<region_id>:<account_id>:*/* |
| tag:DeleteTag | acs:tag:<region_id>:<account_id>:*/* |