Before you call the API operations provided by Cloud Config as a RAM user, you must use your Alibaba Cloud account to create a custom policy and attach the policy to the RAM user to grant permissions. Alibaba Cloud Resource Names (ARNs) are used to specify resources in policies.

ARN format

ARN format: acs:config:*:{AccountId}:*

The following table describes the fields in the ARN format.
FieldDescription
acsThe acronym of Alibaba Cloud Service.
configThe alias of Cloud Config.
*The region to which the policy applies. In Cloud Config, you must specify this field as an asterisk (*).
{AccountId}The account ID of the RAM user to which the policy is attached. Example: 171322098523****.
*The description of the resources on which permissions are granted to the RAM user. In Cloud Config, you must specify this field as an asterisk (*).

Note

The following list shows the formats required when you set the Action and Resource fields in a custom policy for Cloud Config.
  • Action: config:API operation name
  • Resource: acs:config:*:{AccountId}:*

For example, to authorize a RAM user to call the CreateConfigRule operation, you must set the Action field to config:CreateConfigRule and the Resource field to acs:config:*:{AccountId}:* in the policy.