RAM authorization - Microservices Engine - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by MSE. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate MSE is mse,microgw. You can grant permissions on MSE at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

MSE defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
mse:UpdateGatewaySpec	UpdateGatewaySpec	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteNacosService	DeleteNacosService	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:TagResources	TagResources	update	All Resources *	None	None
mse:CreateCluster	CreateCluster	create	Cluster acs:mse:{#regionId}:{#accountId}:instance/*	None	None
mse:ListSSLCert	ListSSLCert	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListGatewayZone	ListGatewayZone	list	All Resources *	None	None
mse:ListMigrationTask	ListMigrationTask	list	All Resources *	None	None
mse:GetGatewayServiceDetail	GetGatewayServiceDetail	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QuerySlbSpec	QuerySlbSpec	list	All Resources *	None	None
mse:UpdateGatewayRouteRetry	UpdateGatewayRouteRetry	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteGatewayAuthConsumer	DeleteGatewayAuthConsumer		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListAnsServiceClusters	ListAnsServiceClusters	list	All Resources *	None	None
mse:GetTagsBySwimmingLaneGroupId	GetTagsBySwimmingLaneGroupId	get	All Resources *	None	None
mse:QueryAllSwimmingLane	QueryAllSwimmingLane	get	GovernanceNamespace acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}	None	None
mse:GetOverview	GetOverview		All Resources *	None	None
mse:UpdateServiceSource	UpdateServiceSource	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:SelectGatewaySlb	SelectGatewaySlb	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayRoute	UpdateGatewayRoute	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UntagResources	UntagResources	delete	All Resources *	None	None
mse:UpdateGatewayRouteHTTPRewrite	UpdateGatewayRouteHTTPRewrite	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:GetServiceListPage	GetServiceListPage	get	All Resources *	None	None
mse:ApplyTagPolicies	ApplyTagPolicies	update	All Resources *	None	None
mse:ListNacosConfigs	ListNacosConfigs	get	All Resources *	None	None
mse:ListGatewayAuthConsumerResource	ListGatewayAuthConsumerResource		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteZnode	DeleteZnode	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:DeleteNacosConfigs	DeleteNacosConfigs	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:QueryClusterSpecification	QueryClusterSpecification		All Resources *	None	None
mse:ListExportZookeeperData	ListExportZookeeperData	list	All Resources *	None	None
mse:CreateNacosConfig	CreateNacosConfig	get	All Resources *	None	None
mse:GetApplicationInstanceList	GetApplicationInstanceList	get	All Resources *	None	None
mse:QueryZnodeDetail	QueryZnodeDetail	get	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:ImportZookeeperData	ImportZookeeperData	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:UpdateGatewayRouteAuth	UpdateGatewayRouteAuth		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateConfig	UpdateConfig	update	All Resources *	None	None
mse:GetApplicationList	GetApplicationList	get	All Resources *	None	None
mse:GetGovernanceKubernetesCluster	GetGovernanceKubernetesCluster	get	All Resources *	None	None
mse:DeleteGatewayService	DeleteGatewayService	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteGatewayServiceVersion	DeleteGatewayServiceVersion	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:GetGatewayDomainDetail	GetGatewayDomainDetail	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayDomain	UpdateGatewayDomain	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QueryGovernanceKubernetesCluster	QueryGovernanceKubernetesCluster	get	All Resources *	None	None
mse:DeleteGatewayDomain	DeleteGatewayDomain	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateImage	UpdateImage	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:AddServiceSource	AddServiceSource	create	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListSecurityGroup	ListSecurityGroup	list	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:CloneNacosConfig	CloneNacosConfig	create	All Resources *	None	None
mse:GetBlackWhiteList	GetBlackWhiteList	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListServiceSource	ListServiceSource	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QueryClusterDiskSpecification	QueryClusterDiskSpecification	get	All Resources *	None	None
mse:GetGatewayAuthConsumerDetail	GetGatewayAuthConsumerDetail	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:AddGatewayRoute	AddGatewayRoute	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteGatewayRoute	DeleteGatewayRoute	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayAuthConsumer	UpdateGatewayAuthConsumer		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateZnode	UpdateZnode	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:OrderClusterHealthCheckRiskNotice	OrderClusterHealthCheckRiskNotice	get	All Resources *	None	None
mse:ExportNacosConfig	ExportNacosConfig	get	Cluster acs:mse:{#regionId}:{#AccountId}:instance/{#InstanceId}	None	None
mse:UpdateClusterSpec	UpdateClusterSpec	update	All Resources *	None	None
mse:CreateEngineNamespace	CreateEngineNamespace	Write	All Resources *	None	None
mse:CreateOrUpdateSwimmingLaneGroup	CreateOrUpdateSwimmingLaneGroup	update	GovernanceNamespace acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}	None	None
mse:GetServiceList	GetServiceList	get	All Resources *	None	None
mse:ListConfigTrack	ListConfigTrack	list	All Resources *	None	None
mse:ListZkTrack	ListZkTrack	list	All Resources *	None	None
mse:GetZookeeperDataImportUrl	GetZookeeperDataImportUrl	get	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:GetMseSource	GetMseSource	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:PullServices	PullServices	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListClusterTypes	ListClusterTypes		All Resources *	None	None
mse:CreateNacosInstance	CreateNacosInstance	Write	All Resources *	None	None
mse:ImportServices	ImportServices	create	All Resources *	None	None
mse:QueryAllSwimmingLaneGroup	QueryAllSwimmingLaneGroup	get	GovernanceNamespace acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}	None	None
mse:GetEngineNamepace	GetEngineNamepace	get	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:ListGatewayDomain	ListGatewayDomain	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateMessageQueueRoute	UpdateMessageQueueRoute	get	All Resources *	None	None
mse:GetNacosConfig	GetNacosConfig	get	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:UpdateBlackWhiteList	UpdateBlackWhiteList	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateNacosService	UpdateNacosService	Write	All Resources *	None	None
mse:GetNacosHistoryConfig	GetNacosHistoryConfig	get	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:ListInstanceCount	ListInstanceCount	get	All Resources *	None	None
mse:UpdateMigrationTask	UpdateMigrationTask	update	All Resources *	None	None
mse:AddBlackWhiteList	AddBlackWhiteList	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteGatewaySlb	DeleteGatewaySlb	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:FetchLosslessRuleList	FetchLosslessRuleList	get	All Resources *	None	None
mse:UpdateCluster	UpdateCluster	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:AddGatewayServiceVersion	AddGatewayServiceVersion	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListGatewayService	ListGatewayService	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayRouteHeaderOp	UpdateGatewayRouteHeaderOp	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:GetGateway	GetGateway	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:GetLosslessRuleByApp	GetLosslessRuleByApp	get	All Resources *	None	None
mse:ListAppBySwimmingLaneGroupTags	ListAppBySwimmingLaneGroupTags	list	All Resources *	None	None
mse:ListGatewayRouteOnAuth	ListGatewayRouteOnAuth	list	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListClusterConnectionTypes	ListClusterConnectionTypes	get	All Resources *	None	None
mse:ListAnsInstances	ListAnsInstances	get	All Resources *	None	None
mse:DeleteEngineNamespace	DeleteEngineNamespace	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:CreateOrUpdateSwimmingLane	CreateOrUpdateSwimmingLane	create	GovernanceNamespace acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}	None	None
mse:DeleteAuthResource	DeleteAuthResource	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:AddSecurityGroupRule	AddSecurityGroupRule	create	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:PutClusterHealthCheckTask	PutClusterHealthCheckTask	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:UpdateAcl	UpdateAcl	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:DeleteServiceSource	DeleteServiceSource	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListAppBySwimmingLaneGroupTag	ListAppBySwimmingLaneGroupTag	get	All Resources *	None	None
mse:DeleteGatewayAuthConsumerResource	DeleteGatewayAuthConsumerResource		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayServiceTrafficPolicy	UpdateGatewayServiceTrafficPolicy	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListGatewayAuthConsumer	ListGatewayAuthConsumer	list	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateNacosInstance	UpdateNacosInstance	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:DeleteSecurityGroupRule	DeleteSecurityGroupRule	delete	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QuerySwimmingLaneById	QuerySwimmingLaneById	get	GovernanceNamespace acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}	None	None
mse:UpdatePluginConfig	UpdatePluginConfig	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteSwimmingLane	DeleteSwimmingLane	delete	All Resources *	None	None
mse:CreateCircuitBreakerRule	CreateCircuitBreakerRule	create	All Resources *	None	None
mse:UpdateGatewayName	UpdateGatewayName	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListSecurityGroupRule	ListSecurityGroupRule	list	All Resources *	None	None
mse:ApplyGatewayRoute	ApplyGatewayRoute	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayRouteWafStatus	UpdateGatewayRouteWafStatus	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QueryClusterInfo	QueryClusterInfo	get	All Resources *	None	None
mse:UpdateGatewayAuthConsumerResource	UpdateGatewayAuthConsumerResource	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:CreateNacosService	CreateNacosService	get	All Resources *	None	None
mse:UpdateNacosCluster	UpdateNacosCluster	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:AddGatewayDomain	AddGatewayDomain	create	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:CloneSentinelRuleFromAhas	CloneSentinelRuleFromAhas	create	All Resources *	None	None
mse:OfflineGatewayRoute	OfflineGatewayRoute	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListEngineNamespaces	ListEngineNamespaces	get	All Resources *	None	None
mse:AddGatewayAuthConsumer	AddGatewayAuthConsumer	create	All Resources *	None	None
mse:UpdateSSLCert	UpdateSSLCert	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QueryNamespace	QueryNamespace	get	All Resources *	None	None
mse:ListListenersByIp	ListListenersByIp	get	All Resources *	None	None
mse:GetPluginConfig	GetPluginConfig	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:GetServiceListeners	GetServiceListeners	get	All Resources *	None	None
mse:QueryInstancesInfo	QueryInstancesInfo	get	All Resources *	None	None
mse:DeleteGateway	DeleteGateway	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayAuthConsumerResourceStatus	UpdateGatewayAuthConsumerResourceStatus		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteMigrationTask	DeleteMigrationTask	delete	All Resources *	None	None
mse:GetImage	GetImage	get	All Resources *	None	None
mse:UpdateFlowRule	UpdateFlowRule	update	All Resources *	None	None
mse:GetImportFileUrl	GetImportFileUrl	get	All Resources *	None	None
mse:ListTagResources	ListTagResources	get	All Resources *	None	None
mse:AddGateway	AddGateway	create	Gateway acs:mse:{#regionId}:{#accountId}:instance/*	None	None
mse:UpdateGatewayOption	UpdateGatewayOption	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteCluster	DeleteCluster	delete	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:ListCircuitBreakerRules	ListCircuitBreakerRules	list	All Resources *	None	None
mse:CreateZnode	CreateZnode	Write	All Resources *	None	None
mse:ListGateway	ListGateway	get	All Resources *	None	None
mse:RestartCluster	RestartCluster	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:GetKubernetesSource	GetKubernetesSource	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListAnsServices	ListAnsServices	list	All Resources *	None	None
mse:AddMigrationTask	AddMigrationTask	create	All Resources *	None	None
mse:UpdateAuthPolicy	UpdateAuthPolicy	get	All Resources *	None	None
mse:DeleteFlowRules	DeleteFlowRules	delete	All Resources *	None	None
mse:ListAuthPolicy	ListAuthPolicy	get	All Resources *	None	None
mse:ListClusterVersions	ListClusterVersions		All Resources *	None	None
mse:QueryConfig	QueryConfig	get	All Resources *	None	None
mse:EnableHttp2	EnableHttp2	get	All Resources *	None	None
mse:ListZnodeChildren	ListZnodeChildren	get	All Resources *	None	None
mse:DeleteNacosInstance	DeleteNacosInstance	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:ModifyGovernanceKubernetesCluster	ModifyGovernanceKubernetesCluster	update	All Resources *	None	None
mse:ListGatewaySlb	ListGatewaySlb	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListFlowRules	ListFlowRules	list	All Resources *	None	None
mse:AddSSLCert	AddSSLCert	Write	All Resources *	None	None
mse:ListGatewayRoute	ListGatewayRoute	get	All Resources *	None	None
mse:ListClusters	ListClusters	get	All Resources *	None	None
mse:CreateGatewayFlowRule	CreateGatewayFlowRule	create	All Resources *	None	None
mse:DeleteNacosConfig	DeleteNacosConfig	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:RetryCluster	RetryCluster	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:UpdateGatewayAuthConsumerStatus	UpdateGatewayAuthConsumerStatus		Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:GetGatewayRouteDetail	GetGatewayRouteDetail	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:AddAuthResource	AddAuthResource	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListNacosHistoryConfigs	ListNacosHistoryConfigs	get	All Resources *	None	None
mse:QueryClusterDetail	QueryClusterDetail	get	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:UpdateCircuitBreakerRule	UpdateCircuitBreakerRule	update	All Resources *	None	None
mse:ListNamingTrack	ListNamingTrack	get	All Resources *	None	None
mse:UpdateGatewayServiceCheck	UpdateGatewayServiceCheck	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListApplicationsWithTagRules	ListApplicationsWithTagRules	get	All Resources *	None	None
mse:UpdateGatewayRouteTimeout	UpdateGatewayRouteTimeout	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:ListListenersByConfig	ListListenersByConfig	get	All Resources *	None	None
mse:PreserveHeaderFormat	PreserveHeaderFormat	get	All Resources *	None	None
mse:GetPlugins	GetPlugins	get	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:QueryMonitor	QueryMonitor	get	All Resources *	None	None
mse:ListClusterHealthCheckTask	ListClusterHealthCheckTask	get	All Resources *	None	None
mse:GetAppMessageQueueRoute	GetAppMessageQueueRoute	get	All Resources *	None	None
mse:ExportZookeeperData	ExportZookeeperData	get	All Resources *	None	None
mse:CreateFlowRule	CreateFlowRule	create	All Resources *	None	None
mse:AddGatewaySlb	AddGatewaySlb	Write	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteCircuitBreakerRules	DeleteCircuitBreakerRules	delete	All Resources *	None	None
mse:ImportNacosConfig	ImportNacosConfig	create	All Resources *	None	None
mse:UpdateGatewayRouteCORS	UpdateGatewayRouteCORS	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:UpdateGatewayServiceVersion	UpdateGatewayServiceVersion	Write	All Resources *	None	None
mse:EnableProxyProtocol	EnableProxyProtocol	update	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None
mse:DeleteSwimmingLaneGroup	DeleteSwimmingLaneGroup	get	All Resources *	None	None
mse:UpdateEngineNamespace	UpdateEngineNamespace	Write	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:UpdateNacosConfig	UpdateNacosConfig	update	Cluster acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}	None	None
mse:AddGatewayAuth	AddGatewayAuth	create	Gateway acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}	None	None

Resource

MSE defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
Gateway	acs:mse:{#regionId}:{#accountId}:instance/*
Gateway	acs:mse:{#regionId}:{#accountId}:instance/{#GatewayUniqueId}
Cluster	acs:mse:{#regionId}:{#accountId}:instance/{#InstanceId}
Cluster	acs:mse:{#regionId}:{#accountId}:instance/*
GovernanceApplication	acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}/application/{#AppName}
GovernanceNamespace	acs:mse:{#regionId}:{#accountId}:namespace/{#Namespace}
GovernanceApplication	acs:mse:{#Region}:{#AccountId}:namespace/{#Namespace}/application/{#AppName}
Cluster	acs:mse:{#regionId}:{#accountId}:cluster/{#InstanceId}
GovernanceNamespace	acs:mse:{#Region}:{#AccountId}:namespace/{#Namespace}
Cluster	acs:mse:{#regionId}:{#AccountId}:instance/{#InstanceId}
Gateway	acs:mse:{#Region}:{#AccountId}:instance/{#GatewayUniqueId}
Gateway	acs:mse:{#regionId}:{#accountId}:gateway/{#GatewayUniqueId}
EngineNamespace	acs:mse:*:{#accountId}:enginenamespace/{#InstanceId}/{#Namespace}

Condition

MSE does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: