All Products
Search

This Product

    Resource Management:Languages of access control policies

    Document Center

    Resource Management:Languages of access control policies

    Last Updated:Feb 07, 2024

    Before you create or update a custom access control policy, you must understand the basic elements of an access control policy. An access control policy consists of four basic elements: Effect, Action, Resource, and Condition.

    Element

    Description

    Effect

    Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.

    Action

    Describes one or more API operations that are allowed or denied.

    Resource

    Specifies one or more objects that the statement covers.

    Condition

    Specifies the conditions that are required for a policy to take effect.

    Effect

    The Effect element specifies whether a statement result is an explicit allow or an explicit deny. This element is required. Valid values: Allow and Deny.

    Note

    If a RAM policy includes an Allow statement and a Deny statement at the same time, the Deny statement takes precedence over the Allow statement.

    Example:

    "Effect": "Allow"

    Action

    The Action element describes one or more API operations that are allowed or denied. This element is required. Valid values: names of operations from Alibaba Cloud services.

    Format: <ram-code>:<action-name>.

    • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Services that work with RAM.

    • action-name: the name of one or more API operations in the service.

    In most cases, the value of the Action element is not case-sensitive. However, we recommend that you specify <ram-code> and <action-name> based on the documents for permissions on Alibaba Cloud services. This helps ensure consistency.

    Example:

    "Action": [
  "oss:ListBuckets",
  "ecs:Describe*",
  "rds:Describe*"
]

    Resource

    The Resource element specifies one or more objects that the statement covers. This element is required and available only for identity-based policies. Valid values: Alibaba Cloud Resource Names (ARNs) of resources.

    The Resource element is in the acs:<ram-code>:<region>:<account-id>:<relative-id> format. Make sure that you specify ARNs based on the documents for permissions on Alibaba Cloud services. The Resource element contains the following fields:

    • acs: the initialism of Alibaba Cloud Service, which indicates the public cloud of Alibaba Cloud.

    • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Services that work with RAM.

    • region: information about the region. If the statement covers a global resource, set this field to an asterisk (*). A global resource can be accessed without the need to specify a region. For more information, see Regions and zones.

    • account-id: the ID of the Apsara Stack tenant account. For example, you can enter 123456789012****.

    • relative-id: the identifier of the service-related resource. The meaning of this element varies based on services. The format of the relative-id element is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an Object Storage Service (OSS) object.

    Example:

    "Resource": [
  "acs:ecs:*:*:instance/inst-001",
  "acs:ecs:*:*:instance/inst-002",
  "acs:oss:*:*:mybucket",
  "acs:oss:*:*:mybucket/*"
]

    Condition

    The Condition element specifies the conditions that are required for a policy to take effect. This element is optional. The Condition element is considered a condition block, which contains one or more conditions. Each condition consists of conditional operators, condition keys, and condition values.

    条件块判断逻辑

    Note

    The Condition element is optional. The system does not check whether the Condition element is specified. If you want to specify a value for the Condition element, make sure that the spelling and capitalization are correct.

    Condition keys are case-sensitive. Case sensitivity for condition values varies based on the conditional operators that you use. If the condition key is of the string type and you use the StringEquals conditional operator, the system performs a case-sensitive match by comparing the value in a request with the condition value. If the key is of the string type and you use the StringEqualsIgnoreCase conditional operator, the system performs a non-case-sensitive match by comparing the value in a request with the condition value.

    • Evaluation logic

      • You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.

      • A condition can have multiple keys that are attached to a single conditional operator. The condition of this type is met only if all requirements for the keys are met.

      • A condition block is met only if all of its conditions are met.

    • Conditional operators

      Conditional operators can be classified into the following categories: string, number, date and time, Boolean, and IP address.

      Category

      Conditional operator

      String

      • StringEquals

      • StringNotEquals

      • StringEqualsIgnoreCase

      • StringNotEqualsIgnoreCase

      • StringLike

      • StringNotLike

      Number

      • NumericEquals

      • NumericNotEquals

      • NumericLessThan

      • NumericLessThanEquals

      • NumericGreaterThan

      • NumericGreaterThanEquals

      Date and time

      • DateEquals

      • DateNotEquals

      • DateLessThan

      • DateLessThanEquals

      • DateGreaterThan

      • DateGreaterThanEquals

      Boolean

      Bool

      IP address

      • IpAddress

      • NotIpAddress

    • Condition keys

      • The format of common condition keys is acs:<condition-key>.

        Common condition key

        Type

        Description

        acs:CurrentTime

        Date and time

        The time at which a request is received by the web server.

        Note

        Specify the time in the ISO 8601 standard in the YYYY-MM-DDThh:mm:ssZ format. The time must be in UTC.  

        For example, use 2013-01-10T12:00:00Z to indicate January 10, 2013, 20:00:00 (UTC+8).

        acs:SecureTransport

        Boolean

        Specifies whether a secure channel is used to send a request. For example, a request can be sent over HTTPS.

        acs:SourceIp

        IP address

        The IP address of the client that sends a request.

        Note

        The value of the acs:SourceIp field can be a single IP address or a CIDR block. If the value is a single IP address, you must specify the specific IP address rather than a CIDR block. For example, you must specify 10.0.0.1 rather than 10.0.0.1/32.

        acs:MFAPresent

        Boolean

        Specifies whether multi-factor authentication (MFA) is used during user logon.

        Note

        If MFA for RAM User Logons is set to Required Only for Unusual Logon in the RAM user security settings, the acs:MFAPresent condition key becomes invalid. For more information, see Manage security settings of RAM users.

        acs:PrincipalARN

        String

        The identity of the requester. The condition key can be used only in access control policies of resource directories and trust policies of RAM roles. Example: acs:ram:*:*:role/*resourcedirectory*.

        Note

        You can specify an ARN only for a specified RAM role. The name can contain only lowercase letters. You can view the ARN of a RAM role on the role details page in the RAM console.

        acs:PrincipalRDId

        String

        The ID of the resource directory to which the Alibaba Cloud account of the requester belongs. The condition key can be used only in trust policies of RAM roles and OSS bucket policies.

        acs:PrincipalRDPath

        String

        The path in the resource directory to which the Alibaba Cloud account of the requester belongs. The condition key can be used only in trust policies of RAM roles and OSS bucket policies.

        acs:RequestTag/<tag-key>

        String

        The tag that is passed in a request. <tag-key> indicates a tag key. Replace <tag-key> with the actual tag key. For more information about the supported Alibaba Cloud services and resource types, see Tag Ram Support in Services that work with Tag.

        acs:ResourceTag/<tag-key>

        String

        The tag that is bound to the requested resource. <tag-key> indicates a tag key. Replace <tag-key> with the actual tag key. For more information about the supported Alibaba Cloud services and resource types, see Tag Ram Support in Services that work with Tag.

      • The format of a condition key that is specific to an Alibaba Cloud service is <ram-code>:<condition-key>.

        Condition key specific to a service

        Service

        Type

        Description

        rds:ResourceTag/<tag-key>

        RDS

        String

        The tag key of ApsaraDB RDS resources. <tag-key> indicates a tag key. Replace <tag-key> with the actual tag key.

        oss:Delimiter

        OSS

        String

        The delimiter that is used to categorize OSS object names.

        oss:Prefix

        OSS

        String

        The prefix of an OSS object name.

    References

    The syntax and structure of access control policies are similar to those of the permission policies in RAM. For more information, see Policy structure and syntax.