Simple Application Server:RAM authorization

General structure of a policy

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

• Effect: specifies the authorization effect. Valid values: Allow, Deny.
• Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
• Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
• Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
  • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
  • Condition_key: specifies the condition keys.
  • Condition_value: specifies the condition values.

Action

• Operation: the value that you can use in the Action element to specify the operation on a resource.
• API operation: the API operation that you can call to perform the operation.
• Access level: the access level of each operation. The levels are read, write, and list.
• Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
  • The required resource types are displayed in bold characters.
  • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
• Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
• Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Resource

• {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
• An asterisk (*) is used as a wildcard. Examples:
  • {#resourceType} is set to *, all resources are specified.
  • {#regionId} is set to *, all regions are specified.
  • {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Condition

What to do next

• Create a custom policy
• Grant permissions to a RAM user
• Grant permissions to a RAM user group
• Grant permissions to a RAM role