Before using a RAM user to call the trusted ledger database API operations, you must grant the RAM user the corresponding permissions by using your Alibaba Cloud account. In the policy, you specify the authorized API operations in the Action element and the authorized resources in the Resource element. Each resource is identified by its Alibaba Cloud Resource Name (ARN).

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you use a RAM user to call an API, you must grant the RAM user account the permission to call the API by creating an authorization policy and attaching the policy to the RAM user account.

When you create an authorization policy, you use ARNs (Alibaba Cloud Resource Names) to specify which resources you want to authorize. An ARN is a globally unique resource name that Alibaba Cloud defines for each resource.

The ARN format is as follows:
acs:service-name:region:account-id:resource-relative-id

The components of an ARN are as follows:

  • acs: the abbreviation for Alibaba Cloud Service.
  • service-name: the name of an Alibaba Cloud service, such as ecs, oss, and slb.
  • region: the region where the resource resides. If the service does not support regions, use the asterisk (*) wildcard instead.
  • account-id: the ID of the user account, such as 1234567890123456.
  • resource-relative-id: the resource description.
Example:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Effect": "Allow"
        }
    ]
}

Authorized trusted ledger database resource types

The following table lists the trusted ledger database resource types that can be authorized to a RAM user.

Resource   ARN format in the permission policy
Ledger     acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid
           acs:ledgerdb:$regionid:$accountid:ledger/*
Member     acs:ledgerdb:$regionid:$accountid:member/$memberid
           acs:ledgerdb:$regionid:$accountid:member/*

Authorizable trusted ledger database API operations

The following table lists the API operations that can be authorized and the ARN format each one requires in the Resource element.

API operation           Resource ARN
CreateLedger            acs:ledgerdb:$regionid:$accountid:ledger/*
DeleteLedger            acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid
DescribeLedger          acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid
DescribeLedgers         acs:ledgerdb:$regionid:$accountid:ledger/*
ModifyLedgerAttribute   acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid
AcceptMember            acs:ledgerdb:$regionid:$accountid:member/*
CreateMember            acs:ledgerdb:$regionid:$accountid:member/*
DeleteMember            acs:ledgerdb:$regionid:$accountid:member/$memberid
DisableMember           acs:ledgerdb:$regionid:$accountid:member/$memberid
EnableMember            acs:ledgerdb:$regionid:$accountid:member/$memberid
GetMember               acs:ledgerdb:$regionid:$accountid:member/$memberid
GetMemberKey            acs:ledgerdb:$regionid:$accountid:member/*
InviteMember            acs:ledgerdb:$regionid:$accountid:member/*
ListMembers             acs:ledgerdb:$regionid:$accountid:member/*
ModifyMemberACLs        acs:ledgerdb:$regionid:$accountid:member/$memberid
ModifyMemberKey         acs:ledgerdb:$regionid:$accountid:member/*
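The following added example (not part of this document or of Alibaba Cloud's tooling) builds a least-privilege policy from the ARN format and the table above and checks which requests it allows. It assumes that LedgerDB actions are written as ledgerdb:<API> in the Action element, mirroring the ecs:DescribeInstances form shown earlier; the region, account ID and ledger ID are constructed sample values, and only Allow statements with implicit deny are evaluated.

```python
import json
import re

# Resource-relative ID each API requires, taken from the table above
# (a subset; $ledgerid is substituted when the policy is built).
LEDGER_API_RESOURCES = {
    "DescribeLedger": "ledger/$ledgerid",
    "DescribeLedgers": "ledger/*",
    "ModifyLedgerAttribute": "ledger/$ledgerid",
    "DeleteLedger": "ledger/$ledgerid",
    "ListMembers": "member/*",
}

def build_arn(region, account_id, relative_id):
    """Compose acs:service-name:region:account-id:resource-relative-id for ledgerdb."""
    return f"acs:ledgerdb:{region}:{account_id}:{relative_id}"

def least_privilege_policy(region, account_id, ledger_id, actions):
    """One statement per action, so a ledger/* resource needed by a list call
    does not widen a per-ledger action to every ledger in the account."""
    statements = []
    for action in actions:
        relative = LEDGER_API_RESOURCES[action].replace("$ledgerid", ledger_id)
        statements.append({
            "Action": [f"ledgerdb:{action}"],          # assumed action prefix
            "Resource": [build_arn(region, account_id, relative)],
            "Effect": "Allow",
        })
    return {"Version": "1", "Statement": statements}

def _matches(pattern, value):
    # '*' is the only wildcard in RAM policy elements; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource_arn):
    """True if some Allow statement covers both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(a, action) for a in stmt["Action"]) and \
           any(_matches(r, resource_arn) for r in stmt["Resource"]):
            return True
    return False

if __name__ == "__main__":
    policy = least_privilege_policy("cn-hangzhou", "1234567890123456",
                                    "l-sample", ["DescribeLedger", "DescribeLedgers"])
    print(json.dumps(policy, indent=4))
```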