:RAM user authorization

Resource authorization

By default, a RAM user is not authorized to call Alibaba Cloud APIs to create or modify cloud resources. Before you use a RAM user to call an API, you must grant the RAM user account the permission to call the API by creating an authorization policy and attaching the policy to the RAM user account.

When you create an authorization policy, you can use Arns (Alibaba Cloud Resource Name) to specify which resources you want to authorize. An ARN is a global Alibaba Cloud resource name that Alibaba Cloud defines for each resource.

acs:service-name:region:account-id:resource-relative-id

The following section describes the two concepts involved in the figure:

• acs: the abbreviation for Alibaba Cloud Service.
• service-name: the name of an Alibaba Cloud service, such as ecs, oss, and slb.
• region: the region where the service resides. If this option is not supported, use the asterisk (*) wildcard instead.
• account-id: the ID of the user account, such as 1234567890123456.
• resource-relative-id: the resource description.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Effect": "Allow"
        }
    ]
}

Authorized trusted ledger database resource types

The following table lists the trusted ledger database resources that are authorized by the RAM sub-account.

Authorizable trusted ledger database interfaces

The following table lists the API operations that can be authorized and their corresponding Arn formats.