Authorize a RAM user to use BOA

Updated at: 2024-05-22 09:24

To use Alibaba Cloud Transactions and Bills Management OpenAPI (BOA) as a Resource Access Management (RAM) user, you must use your Alibaba Cloud account to grant the required permissions to the RAM user.

Authorize a RAM user to use BOA

You must grant the required permissions to a RAM user before you use BOA as the RAM user. To authorize a RAM user to use BOA, you can attach the following policies to the RAM user:

  • AliyunBSSFullAccess

  • AliyunBSSReadOnlyAccess

  • AliyunBSSOrderAccess

You can also create custom policies to implement fine-grained access control on BOA. For more information about the syntax of policies, see Policy structure and syntax.

Actions in BOA-related policies are in the bssapi:<API operation name> format, such as bssapi:QueryOrder and bssapi:QueryInstanceBill.

To stay compatible with the permissions granted to RAM users in the Alibaba Cloud Management Console, you can also use the action that corresponds to each API operation in the following table when you create a custom policy. When a policy grants or denies permissions on an API operation in the table, you can set the Action element either in the bssapi:<API operation name> format or to the corresponding value in the Action column. For example, if you replace bssapi:QueryInstanceBill with bss:DescribeBillList in the following policy, the policy still takes effect:

{
    "Version": 1, 
    "Statement": [
        {
            "Action": [
                "bssapi:QueryInstanceBill"
            ], 
            "Resource": "*", 
            "Effect": "Allow"
        }
    ]
}

Note: Set the Resource element to an asterisk (*) in all policies.

| Operation | Description | Action |
| --- | --- | --- |
| QueryAccountBalance | Queries the balance of your account. | bss:DescribeAcccount |
| QueryCashCoupons | Queries the information about vouchers within your account. | bss:DescribeCoupons |
| QueryPrepaidCards | Queries the information about prepaid cards within your account. | bss:DescrbePrepaidCards |
| QueryProductList | Queries the information about all Alibaba Cloud services within your account. | bss:DescribeProduct |
| DescribePricingModule | Queries the pricing information about an Alibaba Cloud service. | bss:DescribeProduct |
| QueryPriceList | Queries the balance of your account. | bss:DescribeProduct |
| GetPayAsYouGoPrice | Queries the price of a service that is billed by using the pay-as-you-go billing method. | bss:DescribePrice |
| GetSubscriptionPrice | Queries the price of a service that is billed by using the subscription billing method. | bss:DescribePrice |
| QueryOrders | Queries the orders of your account. | bss:DescribeOrderList |
| GetOrderDetail | Queries the details of an order. | bss:DescribeOrderDetail |
| ModifyInstance | Modifies the configurations of an instance. | bss:ModifyInstance |
| QueryAvailableInstances | Queries the available instances within your account. | bss:DescribeInstances |
| CreateInstance | Creates an instance. | bss:ModifyInstance |
| SetRenewal | Enables auto-renewal for an instance. | bss:ModifyPrepaidInstanceAutoRenew |
| RenewInstance | Renews an instance. | bss:ModifyInstance |
| DescribeResourcePackageProduct | Queries the information about resource plans of an Alibaba Cloud service. | bss:DescribeProduct |
| GetResourcePackagePrice | Queries the price of a resource plan. | bss:DescribePrice |
| QueryResourcePackageInstances | Queries the instances of a resource plan. | bss:DescribeInstances |
| CreateResourcePackage | Creates a resource plan. | bss:ModifyInstance |
| QueryInstanceGaapCost | Queries the monthly generally accepted accounting principles (GAAP) amount. | bss:DescribeGaapBill |
| QueryBillOverview | Queries the overview information about bills in a billing cycle. | bss:DescribeBillList |
| QueryBill | Queries the bills in a billing cycle. | bss:DescribeBillList |
| QueryInstanceBill | Queries the bills of instances or billable items in a billing cycle. | bss:DescribeBillList |
| SubscribeBillToOSS | Subscribes to the bills that are stored in Object Storage Service (OSS) buckets. | bss:ModifySubscribeToOSS |
| UnsubscribeBillToOSS | Unsubscribes from the bills that are stored in OSS buckets. | bss:ModifySubscribeToOSS |
| QueryAccountTransactions | Queries transactions within your account. | bss:DescribeAcccountTran |
| CancelOrder | Cancels an unpaid order. | bss:CancelOrder |
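
Several bss: actions in the table are shared by more than one operation, which matters when you review a custom policy for least privilege. The following audit helper is an added example, not Alibaba Cloud code: it flags action names or condition keys that contain whitespace (they no longer match the bssapi:<API operation name> format), flags a Resource other than "*", and lists the BOA operations an Allow statement may cover. It assumes that a bss: action applies to every operation the table lists it for; audit_policy, BSS_TO_OPERATIONS and SAMPLE_POLICY are hypothetical names.

```python
import json

# Subset of the table above: bss: action -> BOA operations that list it.
BSS_TO_OPERATIONS = {
    "bss:DescribeBillList": ["QueryBillOverview", "QueryBill", "QueryInstanceBill"],
    "bss:DescribePrice": ["GetPayAsYouGoPrice", "GetSubscriptionPrice",
                          "GetResourcePackagePrice"],
    "bss:ModifyInstance": ["ModifyInstance", "CreateInstance", "RenewInstance",
                           "CreateResourcePackage"],
}

# Constructed sample policy for this example (not from the page).
SAMPLE_POLICY = """
{
  "Version": 1,
  "Statement": [{
    "Effect": "Allow",
    "Action": ["bss:ModifyInstance", "bssapi: QueryInstanceBill"],
    "Resource": "*"
  }]
}
"""

def audit_policy(policy_text):
    """Return (findings, BOA operations the Allow statements may cover)."""
    findings, operations = [], set()
    for i, stmt in enumerate(json.loads(policy_text)["Statement"]):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        keys = [k for block in stmt.get("Condition", {}).values() for k in block]
        for name in actions + keys:
            if name != "".join(name.split()):
                findings.append(f"statement {i}: whitespace in {name!r}")
        if stmt.get("Resource") not in ("*", ["*"]):
            findings.append(f'statement {i}: Resource is not "*"')
        if stmt.get("Effect") != "Allow":
            continue
        for action in actions:
            action = "".join(action.split())  # report coverage as if the typo were fixed
            if action.startswith("bssapi:"):
                operations.add(action.split(":", 1)[1])
            else:
                # Assumption: a bss: action covers every operation that lists it.
                operations.update(BSS_TO_OPERATIONS.get(action, []))
    return findings, sorted(operations)

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

Under that assumption, a statement written to permit only instance modification through bss:ModifyInstance also covers CreateInstance, RenewInstance and CreateResourcePackage; use the bssapi:<API operation name> form when a single operation is intended.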

Control the access to Alibaba Cloud resources from BOA

In most business scenarios, you may want to grant a RAM user or a RAM user group only the permissions to manage or query the instances or bills of specific Alibaba Cloud services. To achieve this, you can use the ProductCode and ProductType condition keys to specify to which resources RAM users are allowed or denied access.

For example, the following policy allows RAM users to query only orders whose service code is rds and commodity code is rords or bards:

{
    "Version": 1, 
    "Statement": [
        {
            "Effect": "Allow", 
            "Action": [
                "bssapi:QueryOrders"
            ], 
            "Resource": [
                "*"
            ], 
            "Condition": {
                "StringEquals": {
                    "bssapi:ProductCode": "rds", 
                    "bssapi:ProductType": [
                        "rords", 
                        "bards"
                    ]
                }
            }
        }
    ]
}
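
To check what this policy admits before you attach it, the following simplified evaluator (an added example, not Alibaba Cloud code and not the RAM engine itself) applies the rule stated above: every condition key must match, and any one of a key's listed values is enough. The function names and the request contexts are constructed for illustration, and the model assumes that a request lacking a condition key does not match.

```python
# The policy from this section, as a Python dict.
POLICY = {
    "Version": 1,
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bssapi:QueryOrders"],
        "Resource": ["*"],
        "Condition": {"StringEquals": {
            "bssapi:ProductCode": "rds",
            "bssapi:ProductType": ["rords", "bards"],
        }},
    }],
}

def condition_matches(condition, context):
    """Every key must match (AND); any listed value of a key may match (OR)."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        for key, allowed in keys.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if context.get(key) not in allowed:  # a missing key does not match
                return False
    return True

def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise allow only if some Allow statement matches."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if action in actions and condition_matches(stmt.get("Condition", {}), context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def order_request(code, product_type):
    # Constructed request context that uses the page's condition keys.
    return {"bssapi:ProductCode": code, "bssapi:ProductType": product_type}

if __name__ == "__main__":
    for code, ptype in [("rds", "rords"), ("rds", "bards"), ("rds", "rds"), ("ecs", "rords")]:
        print(code, ptype, is_allowed(POLICY, "bssapi:QueryOrders", order_request(code, ptype)))
```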
                                
