AttachPolicy - - Alibaba Cloud Documentation Center

Attaches a policy to an object, which can be a RAM user, RAM user group, or RAM role. After you attach a policy to an object, the object has the operation permissions on the resources in a specific resource group or within a specific Alibaba Cloud account.

Usage notes

In this example, the policy AdministratorAccess is attached to the RAM user alice@demo.onaliyun.com and takes effect only for resources in the rg-9gLOoK**** resource group.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	AttachPolicy	The operation that you want to perform. Set the value to AttachPolicy.
ResourceGroupId	String	Yes	rg-9gLOoK****	The effective scope of the policy. You can set this parameter to one of the following items: ID of a resource group: indicates that the policy takes effect for the resources in the resource group. ID of the Alibaba Cloud account to which the authorized object belongs: indicates that the policy takes effect for the resources within the Alibaba Cloud account.
PolicyType	String	Yes	System	The type of the policy. Valid values: Custom: custom policy System: system policy
PolicyName	String	Yes	AdministratorAccess	The name of the policy. The name must be 1 to 128 characters in length and can contain letters, digits, and hyphens (-).
PrincipalType	String	Yes	IMSUser	The type of the object to which you want to attach the policy. Valid values: IMSUser: RAM user IMSGroup: RAM user group ServiceRole: RAM role
PrincipalName	String	Yes	alice@demo.onaliyun.com	The name of the object to which you want to attach the policy. If you want to attach the policy to a RAM user, specify the name in the <UserName>@<AccountAlias>.onaliyun.com format. <UserName> indicates the name of the RAM user, and <AccountAlias> indicates the alias of the Alibaba Cloud account to which the RAM user belongs. If you want to attach the policy to a RAM user group, specify the name in the <GroupName>@group.<AccountAlias>.onaliyun.com format. <GroupName> indicates the name of the RAM user group, and <AccountAlias> indicates the alias of the Alibaba Cloud account to which the RAM user group belongs. If you want to attach the policy to a RAM role, specify the name in the <RoleName>@role.<AccountAlias>.onaliyun.com format. <RoleName> indicates the name of the RAM role, and <AccountAlias> indicates the alias of the Alibaba Cloud account to which the RAM role belongs. Note The alias of an Alibaba Cloud account is a part of the default domain name. You can call the GetDefaultDomain operation to obtain the alias of an Alibaba Cloud account.

For more information about common request parameters, see Common parameters.

Response parameters


Parameter	Type	Example	Description
RequestId	String	697852FB-50D7-44D9-9774-530C31EAC572	The ID of the request.

Examples

Sample requests

https://resourcemanager.aliyuncs.com/?Action=AttachPolicy
&PolicyName=AdministratorAccess
&PolicyType=System
&PrincipalName=alice@demo.onaliyun.com
&PrincipalType=IMSUser
&ResourceGroupId=rg-9gLOoK****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<?xml version="1.0" encoding="UTF-8" ?>
<AttachPolicyToUserResponse>
    <RequestId>697852FB-50D7-44D9-9774-530C31EAC572</RequestId>
</AttachPolicyToUserResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "697852FB-50D7-44D9-9774-530C31EAC572"
}

Error codes


HTTP status code	Error code	Error message	Description
400	InvalidParameter.PolicyType	The specified policy type is invalid.	The error message returned because the policy type is invalid.
404	EntityNotExist.Policy	The policy does not exist.	The error message returned because the policy does not exist.
404	EntityNotExists.ResourceGroup	The specified resource group does not exist. You must first create a resource group.	The error message returned because the resource group does not exist. Create such a resource group first.
409	Invalid.ResourceGroup.Status	You cannot perform an operation on a resource group that is being created or deleted.	The error message returned because you cannot perform the operation on a resource group that is being created or deleted.

For a list of error codes, visit the API Error Center.