Before you use a RAM user to call Alibaba Cloud API operations, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.
Resource authorization
By default, a RAM user is not authorized to call Alibaba Cloud API operations. Before you use a RAM user to call Alibaba Cloud API operations, you must grant the RAM user the permissions on the API operations that you want to call. To grant permissions to a RAM user, you must create and attach an authorization policy to the RAM user.
acs:service-name:region:account-id:resource-relative-id
- acs: the abbreviated form of Alibaba Cloud Service. This indicates that the service is a public cloud offering of Alibaba Cloud.
- service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), and Resource Orchestration Service (ROS).
- region: the region where a service resides. If this option is not supported, use the asterisk (*) instead.
- account-id: the ID of your Alibaba Cloud account, such as 123456789012****.
- resource-relative-id: the description of the resource. The description varies by service. For more information, see the documentation of the Alibaba Cloud service that you want to use.
For example, acs:oss:*:123456789012****:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in OSS, and 123456789012**** indicates the ID of the user to which the resource belongs.
Types of ROS resources that can be authorized
| Resource type | ARN format in the authorization policy |
|---|---|
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| | acs:ros:$regionid:$accountid:stack/* |
| Template | acs:ros:$regionid:$accountid:template/$templateid |
| | acs:ros:$regionid:$accountid:template/* |
| StackGroup | acs:ros:$regionid:$accountid:stack_group/* |
ROS API operations that can be authorized
- Stack operations

| API | Action | ARN format |
|---|---|---|
| PreviewStack | ros:PreviewStack | acs:ros:cn-hangzhou:$accountid:stack/* |
| CreateStack | ros:CreateStack | acs:ros:cn-hangzhou:$accountid:stack/* |
| ContinueCreateStack | ros:ContinueCreateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| SetDeletionProtection | ros:SetDeletionProtection | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| UpdateStack | ros:UpdateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| CancelUpdateStack | ros:CancelUpdateStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetStack | ros:GetStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| ListStacks | ros:ListStacks | acs:ros:cn-hangzhou:$accountid:stack/* |
| ListStackEvents | ros:ListStackEvents | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| ListStackOperationRisks | ros:ListStackOperationRisks | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| DeleteStack | ros:DeleteStack | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| CreateChangeSet | ros:CreateChangeSet | When ChangeSetType is set to CREATE: acs:ros:cn-hangzhou:$accountid:stack/* |
| | | When ChangeSetType is set to UPDATE: acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| | | When ChangeSetType is set to IMPORT: acs:ros:cn-hangzhou:$accountid:stack/* |
| ExecuteChangeSet | ros:ExecuteChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetChangeSet | ros:GetChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| ListChangeSets | ros:ListChangeSets | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| DeleteChangeSet | ros:DeleteChangeSet | acs:ros:cn-hangzhou:$accountid:stack/$stackid |

- Resource operations

| API | Action | ARN format |
|---|---|---|
| GetResourceTypeTemplate | ros:GetResourceTypeTemplate | No authentication required |
| ListStackResources | ros:ListStackResources | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetStackResource | ros:GetStackResource | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetResourceType | ros:GetResourceType | No authentication required |
| ListResourceTypes | ros:ListResourceTypes | No authentication required |
| MoveResourceGroup | ros:MoveResourceGroup | When ResourceType is set to stack: acs:ros:cn-hangzhou:$accountid:stack/* |
| | | When ResourceType is set to stackgroup: acs:ros:cn-hangzhou:$accountid:stack_group/* |
| | | When ResourceType is set to template: acs:ros:cn-hangzhou:$accountid:template/* |

- Stack group operations

| API | Action | ARN format |
|---|---|---|
| CreateStackGroup | ros:CreateStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| UpdateStackGroup | ros:UpdateStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| GetStackGroup | ros:GetStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| ListStackGroups | ros:ListStackGroups | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| DeleteStackGroup | ros:DeleteStackGroup | acs:ros:cn-hangzhou:$accountid:stack_group/* |
| CreateStackInstances | ros:CreateStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| UpdateStackInstances | ros:UpdateStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| GetStackInstance | ros:GetStackInstance | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| ListStackInstances | ros:ListStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| DeleteStackInstances | ros:DeleteStackInstances | acs:ros:cn-hangzhou:$accountid:stack_instance/* |
| GetStackGroupOperation | ros:GetStackGroupOperation | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
| ListStackGroupOperations | ros:ListStackGroupOperations | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
| ListStackGroupOperationResults | ros:ListStackGroupOperationResults | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |
| StopStackGroupOperation | ros:StopStackGroupOperation | acs:ros:cn-hangzhou:$accountid:stack_group_operation/* |

- Template operations

| API | Action | ARN format |
|---|---|---|
| GenerateTemplatePolicy | ros:GenerateTemplatePolicy | acs:ros:cn-hangzhou:$accountid:template/$templateid. Note: If the TemplateId parameter is specified, authentication is required. |
| CreateTemplate | ros:CreateTemplate | acs:ros:cn-hangzhou:$accountid:template/* |
| ValidateTemplate | ros:ValidateTemplate | No authentication required |
| UpdateTemplate | ros:UpdateTemplate | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| GetTemplate | ros:GetTemplate | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| | | acs:ros:$regionid:$accountid:stack_group/* |
| | | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| GetTemplateEstimateCost | ros:GetTemplateEstimateCost | acs:ros:cn-hangzhou:$accountid:* |
| GetTemplateSummary | ros:GetTemplateSummary | acs:ros:cn-hangzhou:$accountid:template/$templateid. Note: If the TemplateId parameter is specified, authentication is required. |
| ListTemplates | ros:ListTemplates | acs:ros:cn-hangzhou:$accountid:template/* |
| ListTemplateVersions | ros:ListTemplateVersions | acs:ros:cn-hangzhou:$accountid:template/$templateid |
| SetTemplatePermission | ros:SetTemplatePermission | acs:ros:cn-hangzhou:$accountid:* |
| DeleteTemplate | ros:DeleteTemplate | acs:ros:cn-hangzhou:$accountid:template/$templateid |

- Tag operations

| API | Action | ARN format |
|---|---|---|
| ListTagResources | ros:ListTagResources | acs:ros:cn-hangzhou:$accountid:tag/* |
| ListTagKeys | ros:ListTagKeys | acs:ros:cn-hangzhou:$accountid:tag/* |
| ListTagValues | ros:ListTagValues | acs:ros:cn-hangzhou:$accountid:tag/* |
| UntagResources | ros:UntagResources | acs:ros:cn-hangzhou:$accountid:tag/* |

- Other operations

| API | Action | ARN format |
|---|---|---|
| DescribeRegions | ros:DescribeRegions | No authentication required |
| SignalResource | ros:SignalResource | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| GetStackPolicy | ros:GetStackPolicy | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
| SetStackPolicy | ros:SetStackPolicy | acs:ros:cn-hangzhou:$accountid:stack/$stackid |
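The following is an added example, not Alibaba Cloud's code or the RAM service's evaluator. It builds a least-privilege RAM policy for a RAM user who only needs read access to stacks, using the ARN formats from the tables above (the Action/Resource matching in `is_allowed` and the `broad_statements` review helper are a simplified model of Allow/Deny evaluation that ignores Condition blocks), and checks which (action, resource) pairs that policy grants before it is attached. The account ID and the stack ID are constructed placeholders.

```python
"""Simplified RAM policy check against the ROS ARN formats on this page.

Added illustration, not Alibaba Cloud code. It models how a policy's
Effect/Action/Resource fields are matched against an action and an ARN so
a policy can be reviewed before it is attached to a RAM user. The real RAM
evaluator also supports Condition blocks, which this model does not.
"""
import re

ACCOUNT_ID = "1234567890123456"  # constructed placeholder, not a real account ID
REGION = "cn-hangzhou"


def stack_arn(stack_id: str, region: str = REGION) -> str:
    """Build the stack ARN format from the table: acs:ros:$regionid:$accountid:stack/$stackid."""
    return f"acs:ros:{region}:{ACCOUNT_ID}:stack/{stack_id}"


def parse_arn(arn: str) -> dict:
    """Split acs:service-name:region:account-id:resource-relative-id into its five parts."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"not a valid Alibaba Cloud ARN: {arn!r}")
    return dict(zip(("prefix", "service", "region", "account", "resource"), parts))


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a policy pattern in which only '*' is special (any run of characters)."""
    regex = "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(field):
    return field if isinstance(field, list) else [field]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Deny wins over Allow; with no matching statement the result is deny,
    which is the RAM user's default state described at the top of this page."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def broad_statements(policy: dict) -> list:
    """Return indexes of Allow statements whose Action or resource-relative-id
    is a bare wildcard. This is a review flag, not an error: the tables above
    show operations such as GetTemplateEstimateCost and SetTemplatePermission
    that do require the acs:ros:cn-hangzhou:$accountid:* form."""
    flagged = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_action = any(a in ("*", "ros:*") for a in _as_list(stmt["Action"]))
        wide_resource = any(r == "*" or parse_arn(r)["resource"] == "*"
                            for r in _as_list(stmt["Resource"]))
        if wide_action or wide_resource:
            flagged.append(idx)
    return flagged


# Constructed policy: read-only on every stack in one region, plus an explicit
# Deny on deleting one named stack so a later, broader Allow cannot override it.
STACK_READER_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ros:ListStacks", "ros:GetStack", "ros:ListStackEvents",
                       "ros:ListStackResources", "ros:GetStackResource"],
            "Resource": [f"acs:ros:{REGION}:{ACCOUNT_ID}:stack/*"],
        },
        {
            "Effect": "Deny",
            "Action": ["ros:DeleteStack"],
            "Resource": [stack_arn("placeholder-prod-stack-id")],  # placeholder stack ID
        },
    ],
}


if __name__ == "__main__":
    checks = [
        ("ros:GetStack", stack_arn("abc")),                       # allowed: stack/* covers it
        ("ros:UpdateStack", stack_arn("abc")),                    # denied: action not granted
        ("ros:GetStack", stack_arn("abc", region="cn-beijing")),  # denied: other region
        ("ros:GetTemplate", f"acs:ros:{REGION}:{ACCOUNT_ID}:template/t1"),  # denied: template ARN
        ("ros:DeleteStack", stack_arn("placeholder-prod-stack-id")),        # denied: explicit Deny
    ]
    for action, resource in checks:
        print(f"{action:<22} {resource:<60} {is_allowed(STACK_READER_POLICY, action, resource)}")
    print("statements to review:", broad_statements(STACK_READER_POLICY))
```

Running the block prints one line per check; only the first pair is allowed. The `broad_statements` pass is the review step a policy author would run on any Allow statement that uses a bare `*`, deciding case by case whether the table above actually requires it.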