Before you call the API operations provided by Cloud Config as a RAM user, you must use your Alibaba Cloud account to create a custom policy and attach the policy to the RAM user to grant permissions. Alibaba Cloud Resource Names (ARNs) are used to specify resources in policies.
ARN format
ARN format: acs:config:*:{AccountId}:*
The following table describes the fields in the ARN format.
| Field | Description |
|---|---|
acs | The acronym of Alibaba Cloud Service. |
config | The alias of Cloud Config. |
* | The region to which the policy applies. In Cloud Config, you must specify this field as an asterisk (*). |
{AccountId} | The account ID of the RAM user to which the policy is attached. Example: 171322098523****. |
* | The description of the resources on which permissions are granted to the RAM user. In Cloud Config, you must specify this field as an asterisk (*). |
Note
The following list shows the formats required when you set the Action and Resource fields in a custom policy for Cloud Config.
- Action:
config:API operation name - Resource:
acs:config:*:{AccountId}:*
For example, to authorize a RAM user to call the CreateConfigRule operation, you must set the Action field to config:CreateConfigRule and the Resource field to acs:config:*:{AccountId}:* in the policy.