Before you call an Alibaba Cloud API as a Resource Access Management (RAM) user, you must use the Alibaba Cloud account to create a RAM policy with the required permissions and attach the policy to the RAM user.
Authorize a RAM user to access cloud resources
By default, a RAM user does not have the permissions to create or modify cloud resources by calling Alibaba Cloud APIs. Before you call an API as a RAM user, you must authorize the RAM user to call the API. This requires you to create and attach a RAM policy to the RAM user.
When you create the RAM policy, you can specify the resource that the RAM user wants to access by the Alibaba Resource Name (ARN) of the resource. An ARN is a globally unique name that is used to identify a cloud resource in Alibaba Cloud.
An ARN uses the following format:
acs:service-name:region:account-id:resource-relative-idThe following list describes the fields in an ARN:
acs: the acronym of Alibaba Cloud Service.
service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), and Server Load Balancer (SLB).
region: information about a region. If this parameter is not supported by the cloud resource, the value is set to an asterisk (*).
account-id: the ID of the Alibaba Cloud account, such as 123456789012****.
resource-relative-id: the description of the cloud resource. The description varies based on the Alibaba Cloud service. For more information, see the documentation of Alibaba Cloud services.
For example,
acs:oss:123456789012****:sample_bucket/file1.txtindicates a resource named sample_bucket/file1.txt in OSS.123456789012****indicates the ID of the Alibaba Cloud account to which the resource belongs.
Authorize a RAM user to manage ACK
Resource type | ARN format |
Grant permissions on one Container Service for Kubernetes (ACK) cluster | |
Grant permissions on multiple ACK clusters | |
Grant permissions on all ACK clusters | |