Before a RAM user can call the Resource Management API operations to access resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create the required policy and attach it to the RAM user. In the policy, specify the authorized API operations in the Action element and the authorized resources in the Resource element. Each resource is identified by its Alibaba Cloud Resource Name (ARN). Use the most specific ARN format the tables below allow: an asterisk (*) in a field of the ARN grants the action on every resource that matches that field, so a policy whose Resource element ends in policy/* authorizes the action on all policies in the account, not just one.
The following list describes the variables that appear in the Resource element of a policy. Replace each variable with an actual value; a policy that still contains a literal placeholder such as <account_id> does not match any resource.
<account_id>: the ID of an Alibaba Cloud account.
<resourcegroup_id>: the ID of a resource group.
<policy_name>: the name of a policy.
<role_name>: the name of a RAM role.
<resource_type>: the type of a resource.
<resource_id>: the ID of a resource.
<region_id>: the region ID.
<product>: the code of a service.
<handshake_id>: the ID of an invitation.
<policy_id>: the ID of an access control policy.
<resource_directory_path>: the RDPath of a folder or member, which indicates the location of a folder or member in a resource directory.
<contact_id>: the ID of a contact.
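The following is an added example, not code from the Alibaba Cloud documentation. It shows how to build a least-privilege policy document from the ARN templates in the tables on this page and how to audit the finished document before attaching it: every <variable> must be filled, the account ID field must not be a wildcard, and a mutating action must not be granted on Resource "*". The policy JSON layout (Version "1", Statement list with Effect, Action, Resource) is the RAM policy format; the account ID, resource group ID, control policy ID and the function names build_arn, parse_arn, audit_policy and example_policy are assumptions made for this example. The parser accepts both the region-wildcard ARNs of the ram and resourcemanager actions and the region-scoped ARNs of the resourcesharing and tag actions.

```python
"""Build and audit a least-privilege RAM policy for Resource Management.

Added example, not from the Alibaba Cloud docs. The ARN templates are copied
from the tables on this page; IDs and function names are placeholders.
"""
import json
import re

# Matches the <variable> placeholders used in the ARN templates on this page.
PLACEHOLDER = re.compile(r"<([a-z_]+)>")

# Action name prefixes treated as read-only when deciding whether Resource "*"
# is acceptable (an assumption for this audit, not a RAM rule).
READ_ONLY = ("Get", "List", "Describe", "Check")


def build_arn(template, **values):
    """Fill every <variable> in an ARN template from the page's tables.

    Raises ValueError if a placeholder is left unfilled, so a policy can never
    be attached with a literal '<account_id>' in its Resource element.
    """
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unfilled placeholder <{name}> in {template}")
        return values[name]
    return PLACEHOLDER.sub(sub, template)


def parse_arn(arn):
    """Split acs:<service>:<region>:<account_id>:<relative-id>; None if malformed."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        return None
    return dict(zip(("prefix", "service", "region", "account_id", "relative_id"), parts))


def audit_statement(stmt):
    """Return findings for an Allow statement that is broader than the tables require."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action!r}")
    # Everything that is not a read-only operation counts as mutating.
    mutating = [a for a in actions if not a.split(":", 1)[-1].startswith(READ_ONLY)]
    for res in resources:
        if res == "*":
            if mutating:
                findings.append(f"Resource '*' granted to mutating actions {mutating}")
            continue
        arn = parse_arn(res)
        if arn is None:
            findings.append(f"malformed ARN {res!r}")
            continue
        if arn["account_id"] == "*":
            findings.append(f"account ID wildcard in {res!r}")
        if PLACEHOLDER.search(res):
            findings.append(f"unfilled placeholder in {res!r}")
    return findings


def audit_policy(policy):
    """Flatten the findings of every statement in a policy document."""
    return [f for stmt in policy["Statement"] for f in audit_statement(stmt)]


def example_policy(account_id, resourcegroup_id, policy_id):
    """Manage exactly one resource group and read control policies, nothing more."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ram:UpdateResourceGroup", "ram:DeleteResourceGroup"],
                "Resource": [build_arn(
                    "acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>",
                    account_id=account_id, resourcegroup_id=resourcegroup_id)],
            },
            {
                "Effect": "Allow",
                "Action": ["resourcemanager:GetControlPolicy",
                           "resourcemanager:ListControlPolicies"],
                "Resource": [
                    build_arn("acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>",
                              account_id=account_id, policy_id=policy_id),
                    build_arn("acs:resourcemanager:*:<account_id>:policy/controlpolicy/*",
                              account_id=account_id),
                ],
            },
        ],
    }


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute your own before use.
    policy = example_policy("1234567890123456", "rg-example", "cp-example")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy))
```

Run the audit against any policy document before you pass it to CreatePolicy; a non-empty findings list means the policy is broader than the tables on this page require, or still contains a placeholder.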
Resource Group
The following table lists the Resource Group API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
ram:CreateResourceGroup | acs:ram:*:<account_id>:resourcegroup/* |
ram:DeleteResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
ram:UpdateResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
ram:CreatePolicy | acs:ram:*:<account_id>:policy/* |
ram:DeletePolicy | acs:ram:*:<account_id>:policy/<policy_name> |
ram:ListPolicies | acs:ram:*:<account_id>:policy/* |
ram:GetPolicy | acs:ram:*:<account_id>:policy/<policy_name> |
ram:CreatePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:DeletePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:ListPolicyVersions | acs:ram:*:<account_id>:policy/<policy_name> |
ram:GetPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:SetDefaultPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:AttachPolicy | |
ram:DetachPolicy | |
ram:ListPolicyAttachments | acs:ram:*:<account_id>:* |
ram:CreateRole | acs:ram:*:<account_id>:role/* |
ram:GetRole | acs:ram:*:<account_id>:role/<role_name> |
ram:ListRoles | acs:ram:*:<account_id>:role/* |
ram:UpdateRole | acs:ram:*:<account_id>:role/<role_name> |
ram:DeleteRole | acs:ram:*:<account_id>:role/<role_name> |
ram:CreateServiceLinkedRole | acs:ram:*:<account_id>:role/* |
ram:DeleteServiceLinkedRole | acs:ram:*:<account_id>:role/<role_name> |
ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:<account_id>:role/<role_name> |
Resource Directory
The following table lists the Resource Directory API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
resourcemanager:AcceptHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:AttachControlPolicy | |
resourcemanager:BindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:CancelHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:CheckAccountDelete | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:CreateCloudAccount | acs:resourcemanager:*:<account_id>:* |
resourcemanager:CreateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:CreateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:CreateResourceAccount | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:DeclineHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:DeleteAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:DeleteControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:DeleteFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:DeregisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:DetachControlPolicy | |
resourcemanager:DisableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:EnableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:EnableResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:GetAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetAccountDeletionCheckResult | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetAccountDeletionStatus | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:GetControlPolicyEnablementStatus | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:GetFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:GetHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:GetPayerForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:InviteAccountToResourceDirectory | |
resourcemanager:ListAccounts | acs:resourcemanager:*:<account_id>:account/* |
resourcemanager:ListAccountsForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:ListAncestors | acs:resourcemanager:*:<account_id>:folder/* |
resourcemanager:ListControlPolicies | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:ListControlPolicyAttachmentsForTarget | |
resourcemanager:ListDelegatedAdministrators | acs:resourcemanager:*:<account_id>:account/* |
resourcemanager:ListDelegatedServicesForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:ListFoldersForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:<account_id>:handshake/* |
resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:<account_id>:handshake/* |
resourcemanager:ListTagKeys | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTagValues | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTargetAttachmentsForControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:<account_id>:* |
resourcemanager:MoveAccount | |
resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:<account_id>:* |
resourcemanager:RegisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:SendVerificationCodeForBindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:SendVerificationCodeForEnableRD | acs:resourcemanager:*:<account_id>:* |
resourcemanager:TagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:UntagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:UpdateAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:UpdateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:UpdateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:AddMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/* |
resourcemanager:CancelMessageContactUpdate | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:DeleteMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:GetMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:GetMessageContactDeletionStatus | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:ListMessageContacts | acs:resourcemanager:*:<account_id>:messagecontact/* |
resourcemanager:ListMessageContactVerifications | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:SendEmailVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:SendPhoneVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:UpdateMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:AssociateMembers | |
resourcemanager:DisassociateMembers | |
resourcemanager:CancelChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:ChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:RetryChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:PrecheckForConsolidatedBillingAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
Resource Sharing
The following table lists the Resource Sharing API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
resourcesharing:EnableSharingWithResourceDirectory | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:CreateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:UpdateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DeleteResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShares | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AssociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DisassociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShareAssociations | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListSharedResources | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListSharedTargets | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DescribeRegions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShareInvitations | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AcceptResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:RejectResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AssociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DisassociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceSharePermissions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:GetPermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListPermissionVersions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListPermissions | acs:resourcesharing:<region_id>:<account_id>:* |
Tag
The following table lists the Tag API operations that you can specify in the Action element and the ARN formats that are used in the Resource element.
Action | Resource |
tag:ListTagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id> |
tag:TagResources | |
tag:UntagResources | |
tag:ListTagKeys | acs:tag:<region_id>:<account_id>:*/* |
tag:ListTagValues | acs:tag:<region_id>:<account_id>:*/* |
tag:CreateTags | acs:tag:<region_id>:<account_id>:*/* |
tag:DeleteTag | acs:tag:<region_id>:<account_id>:*/* |