RAM authorization - Resource Access Management - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by RAM. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate RAM is ram,sts. You can grant permissions on RAM at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

RAM defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
ram:ChangePassword	ChangePassword	update	All Resources *	None	None
ram:ClearAccountAlias	ClearAccountAlias	update	All Resources *	None	None
ram:CreateUser	CreateUser	create	User acs:ram::{#accountId}:user/	None	None
ram:UpdateRole	UpdateRole	update	Role acs:ram:*:{#accountId}:role/{#RoleName}	ram:TrustedPrincipalTypes ram:ServiceNames	None
ram:CreatePolicy	CreatePolicy	create	Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:CreateGroup	CreateGroup	create	Group acs:ram::{#accountId}:group/	None	None
ram:CreatePolicyVersion	CreatePolicyVersion	create	Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:GetPolicyVersion	GetPolicyVersion	get	Policy acs:ram::{#accountId}:policy/{#PolicyName} Policy acs:ram::system:policy/{#PolicyName}	None	None
ram:GetLoginProfile	GetLoginProfile	get	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:ListUsers	ListUsers	get	User acs:ram::{#accountId}:user/	None	None
ram:DeleteLoginProfile	DeleteLoginProfile	delete	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:DeletePolicy	DeletePolicy	delete	Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:GetGroup	GetGroup	get	Group acs:ram:*:{#accountId}:group/{#GroupName}	None	None
ram:ListPoliciesForGroup	ListPoliciesForGroup	get	Group acs:ram:*:{#accountId}:group/{#GroupName}	None	None
ram:ListPoliciesForUser	ListPoliciesForUser	get	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:UnbindMFADevice	UnbindMFADevice	update	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:DeleteUser	DeleteUser	delete	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:SetAccountAlias	SetAccountAlias	update	All Resources *	None	None
ram:ListVirtualMFADevices	ListVirtualMFADevices	get	MFADevice acs:ram::{#accountId}:mfa/	None	None
ram:SetSecurityPreference	SetSecurityPreference	update	All Resources *	None	None
ram:GetSecurityPreference	GetSecurityPreference	get	All Resources *	None	None
ram:ListGroups	ListGroups	get	Group acs:ram::{#accountId}:group/	None	None
ram:SetPasswordPolicy	SetPasswordPolicy	update	All Resources *	None	None
ram:ListUsersForGroup	ListUsersForGroup	get	Group acs:ram:*:{#accountId}:group/{#GroupName}	None	None
ram:GetPasswordPolicy	GetPasswordPolicy	get	All Resources *	None	None
ram:AttachPolicyToGroup	AttachPolicyToGroup	update	Group acs:ram::{#accountId}:group/{#GroupName} Policy acs:ram::{#accountId}:policy/{#PolicyName} Policy acs:ram:*:system:policy/{#PolicyName}	None	None
ram:UpdateAccessKey	UpdateAccessKey	update	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:ListEntitiesForPolicy	ListEntitiesForPolicy	get	Policy acs:ram::system:policy/{#PolicyName} Policy acs:ram::{#accountId}:policy/{#PolicyName}	None	None
ram:DeletePolicyVersion	DeletePolicyVersion	delete	Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:AttachPolicyToUser	AttachPolicyToUser	update	Policy acs:ram::{#accountId}:policy/{#PolicyName} User acs:ram::{#accountId}:user/{#UserName} Policy acs:ram:*:system:policy/{#PolicyName}	None	None
ram:UpdatePolicyDescription	UpdatePolicyDescription	update	Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:ListGroupsForUser	ListGroupsForUser	get	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:ListPolicyVersions	ListPolicyVersions	get	Policy acs:ram::{#accountId}:policy/{#PolicyName} Policy acs:ram::system:policy/{#PolicyName}	None	None
ram:AttachPolicyToRole	AttachPolicyToRole	update	Policy acs:ram::{#accountId}:policy/{#PolicyName} Role acs:ram::{#accountId}:role/{#RoleName} Policy acs:ram:*:system:policy/{#PolicyName}	ram:TrustedPrincipalTypes ram:ServiceNames	None
ram:ListRoles	ListRoles	get	Role acs:ram::{#accountId}:role/	None	None
ram:BindMFADevice	BindMFADevice	Write	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:UpdateGroup	UpdateGroup	update	Group acs:ram:*:{#accountId}:group/{#GroupName}	None	None
ram:DetachPolicyFromGroup	DetachPolicyFromGroup	update	Group acs:ram::{#accountId}:group/{#GroupName} Policy acs:ram::system:policy/{#PolicyName} Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:GetUserMFAInfo	GetUserMFAInfo	get	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:GetRole	GetRole	get	Role acs:ram:*:{#accountId}:role/{#RoleName}	None	None
ram:CreateVirtualMFADevice	CreateVirtualMFADevice	create	MFADevice acs:ram::{#accountId}:mfa/	None	None
ram:DetachPolicyFromRole	DetachPolicyFromRole	update	Policy acs:ram::{#accountId}:policy/{#PolicyName} Role acs:ram::{#accountId}:role/{#RoleName} Policy acs:ram:*:system:policy/{#PolicyName}	ram:TrustedPrincipalTypes ram:ServiceNames	None
ram:RemoveUserFromGroup	RemoveUserFromGroup	update	Group acs:ram::{#accountId}:group/{#GroupName} User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:UpdateUser	UpdateUser	update	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:AddUserToGroup	AddUserToGroup	create	Group acs:ram::{#accountId}:group/{#GroupName} User acs:ram::{#accountId}:user/{#UserName}	None	None
ram:CreateRole	CreateRole	create	Role acs:ram:*:{#accountId}:role/{#RoleName}	ram:TrustedPrincipalTypes ram:ServiceNames	None
ram:SetDefaultPolicyVersion	SetDefaultPolicyVersion	update	Policy acs:ram:*:{#accountId}:policy/{#PolicyName}	None	None
ram:ListPolicies	ListPolicies	get	Policy acs:ram::{#accountId}:policy/	None	None
ram:DecodeDiagnosticMessage	DecodeDiagnosticMessage	get	All Resources *	None	None
ram:CreateLoginProfile	CreateLoginProfile	create	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:ListAccessKeys	ListAccessKeys	get	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:DetachPolicyFromUser	DetachPolicyFromUser	update	Policy acs:ram::{#accountId}:policy/{#PolicyName} User acs:ram::{#accountId}:user/{#UserName} Policy acs:ram:*:system:policy/{#PolicyName}	None	None
ram:ListPoliciesForRole	ListPoliciesForRole	get	Role acs:ram:*:{#accountId}:role/{#RoleName}	None	None
ram:DeleteRole	DeleteRole	delete	Role acs:ram:*:{#accountId}:role/{#RoleName}	ram:TrustedPrincipalTypes ram:ServiceNames	None
ram:UpdateLoginProfile	UpdateLoginProfile	update	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:DeleteGroup	DeleteGroup	delete	Group acs:ram:*:{#accountId}:group/{#GroupName}	None	None
ram:GetPolicy	GetPolicy	get	Policy acs:ram::system:policy/{#PolicyName} Policy acs:ram::{#accountId}:policy/{#PolicyName}	None	None
ram:GetAccountAlias	GetAccountAlias	get	All Resources *	None	None
ram:CreateAccessKey	CreateAccessKey	create	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:GetUser	GetUser	get	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:DeleteAccessKey	DeleteAccessKey	delete	User acs:ram:*:{#accountId}:user/{#UserName}	None	None
ram:DeleteVirtualMFADevice	DeleteVirtualMFADevice	delete	MFADevice acs:ram:*:{#accountId}:mfa/{#SerialNumber}	None	None

Resource

RAM defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
User	acs:ram:*:{#accountId}:user/{#UserName}
Unrestricted	acs:ram::{#accountId}:
User	acs:ram::{#accountId}:user/{#UserName}
User	acs:ram::{#accountId}:user/
Role	acs:ram:*:{#accountId}:role/{#RoleName}
Policy	acs:ram:*:{#accountId}:policy/{#PolicyName}
Group	acs:ram::{#accountId}:group/
Policy	acs:ram:*:system:policy/{#PolicyName}
Group	acs:ram:*:{#accountId}:group/{#GroupName}
User	{#Arn}
MFADevice	acs:ram::{#accountId}:mfa/
Role	acs:ram::{#accountId}:role/
Policy	acs:ram::{#accountId}:policy/
MFADevice	acs:ram:*:{#accountId}:mfa/{#SerialNumber}

Condition

RAM defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to RAM. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type
acs:Service	Specifies the service principal which a role can be passed. This condition key applies to only the PassRole action in a policy. Example: actiontrail.aliyuncs.com	String
ram:TrustedPrincipalTypes	Specifies the type of trusted entities for the role. Multivalued.	String
ram:ServiceNames	Specifies the trusted service principals for service role. Multivalued. Example: ["ecs.aliyun.com","rds.aliyuncs.com"]	String

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: