Before a RAM user can call the trusted ledger database API operations, you must use your Alibaba Cloud account to grant the RAM user the required permissions. In the authorization policy, specify the authorized API operations in the Action element and the authorized resources in the Resource element. Each resource is identified by its Alibaba Cloud Resource Name (ARN).
Resource authorization
By default, a RAM user has no permission to call Alibaba Cloud API operations that create or modify cloud resources. Before you call an API operation as a RAM user, create an authorization policy that grants the required permissions and attach it to the RAM user.
In an authorization policy, you identify the resources to authorize by their Alibaba Cloud Resource Names (ARNs). An ARN is a globally unique name that Alibaba Cloud defines for each resource. It has the following format:
acs:service-name:region:account-id:resource-relative-id
The ARN consists of the following fields:
- acs: the abbreviation for Alibaba Cloud Service.
- service-name: the name of an Alibaba Cloud service, such as ecs, oss, or slb. For the trusted ledger database the service name is ledgerdb.
- region: the region where the resource resides. If the service does not support regions, use the asterisk (*) wildcard instead.
- account-id: the ID of the Alibaba Cloud account that owns the resource, such as 1234567890123456.
- resource-relative-id: the service-specific description of the resource, typically a resource type followed by a slash and the resource ID (for example, ledger/$ledgerid). An asterisk (*) in place of the ID matches all resources of that type.
The following policy template shows how the Action and Resource elements work together, using ECS as an example. Each action is prefixed with the service name, and each resource is written as an ARN; replace the bracketed placeholders with the operation and ARN format for the service you are authorizing:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:[ECS RAM Action]",
        "ecs:DescribeInstances"
      ],
      "Resource": [
        "[ECS RAM Action Resource]",
        "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
      ],
      "Effect": "Allow"
    }
  ]
}
Authorized trusted ledger database resource types
The following table lists the trusted ledger database resource types that you can authorize a RAM user to access, together with the ARN format for a single resource and for all resources of that type.
Resource | ARN format in the permission policy |
---|---|
Ledger (a single ledger) | acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid |
Ledger (all ledgers) | acs:ledgerdb:$regionid:$accountid:ledger/* |
Member (a single member) | acs:ledgerdb:$regionid:$accountid:member/$memberid |
Member (all members) | acs:ledgerdb:$regionid:$accountid:member/* |
Authorizable trusted ledger database API operations
The following table lists the API operations that can be authorized and the ARN format that the Resource element must use for each. Operations that act on a single ledger or member take the ARN of that resource; operations that create, list, or invite take the wildcard form and therefore cannot be restricted to one resource.
API operation | ARN format in the Resource element |
---|---|
CreateLedger | acs:ledgerdb:$regionid:$accountid:ledger/* |
DeleteLedger | acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid |
DescribeLedger | acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid |
DescribeLedgers | acs:ledgerdb:$regionid:$accountid:ledger/* |
ModifyLedgerAttribute | acs:ledgerdb:$regionid:$accountid:ledger/$ledgerid |
AcceptMember | acs:ledgerdb:$regionid:$accountid:member/* |
CreateMember | acs:ledgerdb:$regionid:$accountid:member/* |
DeleteMember | acs:ledgerdb:$regionid:$accountid:member/$memberid |
DisableMember | acs:ledgerdb:$regionid:$accountid:member/$memberid |
EnableMember | acs:ledgerdb:$regionid:$accountid:member/$memberid |
GetMember | acs:ledgerdb:$regionid:$accountid:member/$memberid |
GetMemberKey | acs:ledgerdb:$regionid:$accountid:member/* |
InviteMember | acs:ledgerdb:$regionid:$accountid:member/* |
ListMembers | acs:ledgerdb:$regionid:$accountid:member/* |
ModifyMemberACLs | acs:ledgerdb:$regionid:$accountid:member/$memberid |
ModifyMemberKey | acs:ledgerdb:$regionid:$accountid:member/* |
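The following is an added example, not code from this page or from Alibaba Cloud. It assembles a least-privilege policy for a read-only ledger viewer using the Action names and ARN formats from the two tables above, and pairs it with a small checker that shows which requests the policy admits. The region, account ID and ledger ID are constructed placeholders, and the checker is a deliberately simplified model of policy evaluation (Allow statements only, glob-style matching of each ARN field) that is assumed here for illustration; it is not RAM's actual evaluation engine. The point it demonstrates is that operations which only accept the wildcard ARN (DescribeLedgers, ListMembers) must sit in their own statements, because a statement's Resource list applies to every Action in that statement and mixing them would silently widen DescribeLedger from one ledger to all ledgers.

```python
"""Least-privilege RAM policy for the trusted ledger database, plus a small
checker that probes request ARNs against it.

Added example, not code from the page or from Alibaba Cloud. The policy uses
the Action names and ARN formats from the tables above. The checker is a
deliberately simplified model (Allow statements only, glob-style '*' matching
field by field) assumed here for illustration; it is not RAM's real engine.
"""
import fnmatch
import json
import re

# Constructed placeholder values; replace with your own region/account/ledger.
REGION = "cn-hangzhou"
ACCOUNT_ID = "123456789012345"
LEDGER_ID = "lg-example-0001"  # hypothetical ledger ID

# acs:service-name:region:account-id:resource-relative-id
ARN_RE = re.compile(
    r"^acs:(?P<service>[^:]*):(?P<region>[^:]*):(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn: str) -> dict:
    """Split an ARN into its five fields; reject anything that is not an ARN."""
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()


def ledgerdb_arn(resource: str, region: str = REGION, account: str = ACCOUNT_ID) -> str:
    """Build a ledgerdb ARN for a resource-relative-id such as ledger/<id> or member/*."""
    return f"acs:ledgerdb:{region}:{account}:{resource}"


# Read-only access to ONE ledger. DescribeLedgers and ListMembers only accept
# the '/*' ARN, so each gets its own statement instead of sharing the
# instance-scoped Resource list with DescribeLedger.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ledgerdb:DescribeLedger"],
         "Resource": [ledgerdb_arn(f"ledger/{LEDGER_ID}")]},
        {"Effect": "Allow", "Action": ["ledgerdb:DescribeLedgers"],
         "Resource": [ledgerdb_arn("ledger/*")]},
        {"Effect": "Allow", "Action": ["ledgerdb:ListMembers"],
         "Resource": [ledgerdb_arn("member/*")]},
    ],
}

# The over-broad alternative to avoid: every ledgerdb action on every resource.
OVER_BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["ledgerdb:*"],
                   "Resource": ["acs:ledgerdb:*:*:*"]}],
}


def policy_json(policy: dict) -> str:
    """Serialize a policy in the form pasted into the RAM console."""
    return json.dumps(policy, indent=2)


def arn_matches(pattern: str, arn: str) -> bool:
    """Match a policy ARN against a request ARN field by field; '*' is a glob."""
    p, a = parse_arn(pattern), parse_arn(arn)
    return all(fnmatch.fnmatchcase(a[k], p[k])
               for k in ("service", "region", "account", "resource"))


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Simplified check: some Allow statement names the action and a matching resource."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
                any(arn_matches(r, arn) for r in resources):
            return True
    return False


def audit(policy: dict) -> dict:
    """Probe a policy with requests a read-only viewer should and should not be able to make."""
    own = ledgerdb_arn(f"ledger/{LEDGER_ID}")
    return {
        "describe_own_ledger": is_allowed(policy, "ledgerdb:DescribeLedger", own),
        "describe_other_ledger": is_allowed(policy, "ledgerdb:DescribeLedger",
                                            ledgerdb_arn("ledger/lg-other")),
        "list_ledgers": is_allowed(policy, "ledgerdb:DescribeLedgers", ledgerdb_arn("ledger/*")),
        "modify_own_ledger": is_allowed(policy, "ledgerdb:ModifyLedgerAttribute", own),
        "delete_own_ledger": is_allowed(policy, "ledgerdb:DeleteLedger", own),
        "other_account": is_allowed(policy, "ledgerdb:DescribeLedger",
                                    ledgerdb_arn(f"ledger/{LEDGER_ID}", account="999999999999999")),
    }


if __name__ == "__main__":
    print(policy_json(READ_ONLY_POLICY))
    for name, ok in audit(READ_ONLY_POLICY).items():
        print(f"{name:24} {'ALLOW' if ok else 'deny'}")
```

Running the script prints the policy document to attach to the RAM user and then the audit results: describing and listing the one ledger is allowed, while describing another ledger, modifying or deleting the ledger, and reaching into another account are all denied. Running audit() against OVER_BROAD_POLICY allows every probe, which is why ledgerdb:* on acs:ledgerdb:*:*:* should not be handed to a RAM user that only needs to read one ledger.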