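Before you use a RAM user to call Resource Management API operations and access resources that belong to an Alibaba Cloud account, you must use the Alibaba Cloud account to create the required policy and attach it to the RAM user. In the policy, the Action element specifies the API operations that are allowed and the Resource element specifies the resources that are allowed. Each resource is identified by an Alibaba Cloud Resource Name (ARN).
The following list describes the variables that appear in the Resource element of a policy. Replace each variable with the actual value.
<account_id>: The ID of the Alibaba Cloud account.
<resourcegroup_id>: The ID of the resource group.
<policy_name>: The name of the policy.
<role_name>: The name of the RAM role.
<resource_type>: The type of the resource.
<resource_id>: The ID of the resource.
<region_id>: The region ID.
<product>: The code of the service.
<handshake_id>: The ID of the invitation.
<policy_id>: The ID of the access control policy.
<resource_directory_path>: The RDPath of a folder or member. It indicates the location of the folder or member in the resource directory.
<contact_id>: The ID of the contact.
Required resource types are displayed in bold.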
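The variable substitution described above can be automated so that a policy is never written with an unresolved placeholder or an accidental wildcard. The following is an added example, not code from the original page or from Alibaba Cloud: the function names, the sample values and the choice of four ARN templates (copied from the tables on this page) are assumptions, as is the policy skeleton with "Version": "1" and a Statement list, which follows the RAM policy document structure.

```python
import json
import re

# ARN templates copied from the tables on this page (a small subset).
ARN_TEMPLATES = {
    "ram:DeleteResourceGroup": "acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>",
    "ram:GetRole": "acs:ram:*:<account_id>:role/<role_name>",
    "resourcemanager:GetFolder": "acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>",
    "resourcemanager:UpdateControlPolicy": "acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>",
}

PLACEHOLDER = re.compile(r"<(\w+)>")


def render_arn(action, values):
    """Substitute every <variable> in the action's ARN template."""
    template = ARN_TEMPLATES[action]  # KeyError: action is not in the subset above

    def substitute(match):
        name = match.group(1)
        value = values.get(name)
        if not value:
            raise ValueError(f"{action}: no value for <{name}>")
        if "*" in value:
            # A wildcard inside a value would widen the grant beyond one resource.
            raise ValueError(f"{action}: wildcard in <{name}>")
        return value

    return PLACEHOLDER.sub(substitute, template)


def build_policy(grants):
    """grants: list of (action, values) pairs -> policy document as a dict."""
    statements = [
        {"Effect": "Allow", "Action": [action], "Resource": [render_arn(action, values)]}
        for action, values in grants
    ]
    # Assumed policy skeleton (RAM policy document structure), not shown on this page.
    return {"Version": "1", "Statement": statements}


# Constructed sample values, not real identifiers.
SAMPLE = {"account_id": "1234567890123456", "resourcegroup_id": "rg-example0001",
          "role_name": "audit-reader"}

if __name__ == "__main__":
    policy = build_policy([("ram:DeleteResourceGroup", SAMPLE), ("ram:GetRole", SAMPLE)])
    print(json.dumps(policy, indent=2))
```

Each statement pairs one action with exactly the ARN shape the table gives for it, so a reviewer can compare the output against the table row by row.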
Resource Group
The following table lists the resource group API operations that can be specified in the Action element and the ARN format used in the Resource element.
Action | Resource |
ram:CreateResourceGroup | acs:ram:*:<account_id>:resourcegroup/* |
ram:DeleteResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
ram:UpdateResourceGroup | acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id> |
ram:CreatePolicy | acs:ram:*:<account_id>:policy/* |
ram:DeletePolicy | acs:ram:*:<account_id>:policy/<policy_name> |
ram:ListPolicies | acs:ram:*:<account_id>:policy/* |
ram:GetPolicy | acs:ram:*:<account_id>:policy/<policy_name> |
ram:CreatePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:DeletePolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:ListPolicyVersions | acs:ram:*:<account_id>:policy/<policy_name> |
ram:GetPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:SetDefaultPolicyVersion | acs:ram:*:<account_id>:policy/<policy_name> |
ram:AttachPolicy |
|
ram:DetachPolicy |
|
ram:ListPolicyAttachments | acs:ram:*:<account_id>:* |
ram:CreateRole | acs:ram:*:<account_id>:role/* |
ram:GetRole | acs:ram:*:<account_id>:role/<role_name> |
ram:ListRoles | acs:ram:*:<account_id>:role/* |
ram:UpdateRole | acs:ram:*:<account_id>:role/<role_name> |
ram:DeleteRole | acs:ram:*:<account_id>:role/<role_name> |
ram:CreateServiceLinkedRole | acs:ram:*:<account_id>:role/* |
ram:DeleteServiceLinkedRole | acs:ram:*:<account_id>:role/<role_name> |
ram:GetServiceLinkedRoleDeletionStatus | acs:ram:*:<account_id>:role/<role_name> |
Resource Directory
The following table lists the resource directory API operations that can be specified in the Action element and the ARN format used in the Resource element.
Action | Resource |
resourcemanager:AcceptHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:AttachControlPolicy |
|
resourcemanager:BindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:CancelHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:CheckAccountDelete | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:CreateCloudAccount | acs:resourcemanager:*:<account_id>:* |
resourcemanager:CreateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:CreateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:CreateResourceAccount | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:DeclineHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:DeleteAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:DeleteControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:DeleteFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:DeregisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:DestroyResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:DetachControlPolicy |
|
resourcemanager:DisableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:EnableControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:EnableResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:GetAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetAccountDeletionCheckResult | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetAccountDeletionStatus | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:GetControlPolicyEnablementStatus | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:GetFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:GetHandshake | acs:resourcemanager:*:<account_id>:handshake/<handshake_id> |
resourcemanager:GetPayerForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:GetResourceDirectory | acs:resourcemanager:*:<account_id>:* |
resourcemanager:InviteAccountToResourceDirectory |
|
resourcemanager:ListAccounts | acs:resourcemanager:*:<account_id>:account/* |
resourcemanager:ListAccountsForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:ListAncestors | acs:resourcemanager:*:<account_id>:folder/* |
resourcemanager:ListControlPolicies | acs:resourcemanager:*:<account_id>:policy/controlpolicy/* |
resourcemanager:ListControlPolicyAttachmentsForTarget |
|
resourcemanager:ListDelegatedAdministrators | acs:resourcemanager:*:<account_id>:account/* |
resourcemanager:ListDelegatedServicesForAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:ListFoldersForParent | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:ListHandshakesForAccount | acs:resourcemanager:*:<account_id>:handshake/* |
resourcemanager:ListHandshakesForResourceDirectory | acs:resourcemanager:*:<account_id>:handshake/* |
resourcemanager:ListTagKeys | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTagValues | acs:resourcemanager:*:<account_id>:* |
resourcemanager:ListTargetAttachmentsForControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:ListTrustedServiceStatus | acs:resourcemanager:*:<account_id>:* |
resourcemanager:MoveAccount |
|
resourcemanager:PromoteResourceAccount | acs:resourcemanager:*:<account_id>:* |
resourcemanager:RegisterDelegatedAdministrator | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:RemoveCloudAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:SendVerificationCodeForBindSecureMobilePhone | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:SendVerificationCodeForEnableRD | acs:resourcemanager:*:<account_id>:* |
resourcemanager:TagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:UntagResources | acs:resourcemanager:*:<account_id>:* |
resourcemanager:UpdateAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:UpdateControlPolicy | acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id> |
resourcemanager:UpdateFolder | acs:resourcemanager:*:<account_id>:folder/<resource_directory_path> |
resourcemanager:AddMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/* |
resourcemanager:CancelMessageContactUpdate | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:DeleteMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:GetMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:GetMessageContactDeletionStatus | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:ListMessageContacts | acs:resourcemanager:*:<account_id>:messagecontact/* |
resourcemanager:ListMessageContactVerifications | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:SendEmailVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:SendPhoneVerificationForMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:UpdateMessageContact | acs:resourcemanager:*:<account_id>:messagecontact/<contact_id> |
resourcemanager:AssociateMembers |
|
resourcemanager:DisassociateMembers |
|
resourcemanager:CancelChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:ChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:RetryChangeAccountEmail | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
resourcemanager:PrecheckForConsolidatedBillingAccount | acs:resourcemanager:*:<account_id>:account/<resource_directory_path> |
Resource Sharing
The following table lists the resource sharing API operations that can be specified in the Action element and the ARN format used in the Resource element.
Action | Resource |
resourcesharing:EnableSharingWithResourceDirectory | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:CreateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:UpdateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DeleteResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShares | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AssociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DisassociateResourceShare | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShareAssociations | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListSharedResources | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListSharedTargets | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DescribeRegions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceShareInvitations | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AcceptResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:RejectResourceShareInvitation | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:AssociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:DisassociateResourceSharePermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListResourceSharePermissions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:GetPermission | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListPermissionVersions | acs:resourcesharing:<region_id>:<account_id>:* |
resourcesharing:ListPermissions | acs:resourcesharing:<region_id>:<account_id>:* |
Tag
The following table lists the Tag API operations that can be specified in the Action element and the ARN format used in the Resource element.
Action | Resource |
tag:ListTagResources | acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id> |
tag:TagResources |
|
tag:UntagResources |
|
tag:ListTagKeys | acs:tag:<region_id>:<account_id>:*/* |
tag:ListTagValues | acs:tag:<region_id>:<account_id>:*/* |
tag:CreateTags | acs:tag:<region_id>:<account_id>:*/* |
tag:DeleteTag | acs:tag:<region_id>:<account_id>:*/* |