
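Resource Management: RAM authorization

Last updated: Jun 30, 2024

Before a RAM user can call the Resource Management API, the Alibaba Cloud account (primary account) must create a policy and grant it to the RAM user. In the policy, the authorized resources are specified with ARNs (Aliyun Resource Names).

The fields used in the resource (Resource) column have the following meanings. Replace them with actual values when you use them.

  • <account_id>: ID of the Alibaba Cloud account (primary account).

  • <resourcegroup_id>: resource group ID.

  • <policy_name>: policy name.

  • <role_name>: RAM role name.

  • <resource_type>: resource type.

  • <resource_id>: resource ID.

  • <region_id>: region ID.

  • <product>: cloud service code.

  • <handshake_id>: member invitation ID.

  • <policy_id>: control policy ID.

  • <resource_directory_path>: RDPath, the location of a folder or member in the resource directory.

  • <contact_id>: message notification contact ID.

Required resource types are shown in bold.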
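The following check is an added example, not part of the original documentation or any Alibaba Cloud tooling: it compares the Resource of each Allow statement in a RAM policy with the ARN form this page documents for the action, and reports statements that use a wildcard or another account where the page names a specific resource. The account ID, role name, RDPath value and sample policy are constructed, and the sketch assumes exact action names and one kind of resource per statement.

```python
import re

# Resource templates copied from this page's tables (a small subset).
TEMPLATES = {
    "ram:CreateRole": "acs:ram:*:<account_id>:role/*",
    "ram:DeleteRole": "acs:ram:*:<account_id>:role/<role_name>",
    "resourcemanager:DeleteFolder": "acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>",
    "resourcemanager:AcceptHandshake": "acs:resourcemanager:*:<account_id>:handshake/<handshake_id>",
}

def template_regex(template, account_id):
    """Pin <account_id>, require concrete values for other <fields>, keep the page's own '*'."""
    parts = []
    for tok in re.split(r"(<\w+>|\*)", template):
        if tok == "<account_id>":
            parts.append(re.escape(account_id))
        elif tok == "*":
            parts.append(r"[^:]*")    # the page itself allows a wildcard here
        elif tok.startswith("<"):
            parts.append(r"[^*:]+")   # a specific ID is documented: no wildcard
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy, account_id):
    """Return (action, resource) pairs whose Resource does not match the documented form."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in (a for a in as_list(stmt["Action"]) if a in TEMPLATES):
            rx = template_regex(TEMPLATES[action], account_id)
            for res in as_list(stmt["Resource"]):
                if not rx.fullmatch(res):
                    findings.append((action, res))
    return findings

# Constructed sample policy: statements 1 and 4 are broader than documented.
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:DeleteRole", "Resource": "acs:ram:*:1234567890123456:role/*"},
    {"Effect": "Allow", "Action": ["ram:CreateRole"], "Resource": ["acs:ram:*:1234567890123456:role/*"]},
    {"Effect": "Allow", "Action": "resourcemanager:DeleteFolder", "Resource": "acs:resourcemanager:*:1234567890123456:folder/rd-EXAMPLE/r-EXAMPLE/fd-EXAMPLE"},
    {"Effect": "Allow", "Action": "resourcemanager:AcceptHandshake", "Resource": "*"},
]}

if __name__ == "__main__":
    print(lint(SAMPLE, "1234567890123456"))
```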

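Resource group authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized in Resource Group.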

Action

Resource

ram:CreateResourceGroup

acs:ram:*:<account_id>:resourcegroup/*

ram:DeleteResourceGroup

acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>

ram:UpdateResourceGroup

acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>

ram:CreatePolicy

acs:ram:*:<account_id>:policy/*

ram:DeletePolicy

acs:ram:*:<account_id>:policy/<policy_name>

ram:ListPolicies

acs:ram:*:<account_id>:policy/*

ram:GetPolicy

acs:ram:*:<account_id>:policy/<policy_name>

ram:CreatePolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:DeletePolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:ListPolicyVersions

acs:ram:*:<account_id>:policy/<policy_name>

ram:GetPolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:SetDefaultPolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:AttachPolicy

  • Policy:

    acs:ram:*:system:policy/<policy_name> or acs:ram:*:<account_id>:policy/<policy_name>

  • IMSUser:

    acs:ims:*:<account_id>:user/*

  • IMSGroup:

    acs:ims:*:<account_id>:group/*

  • ServiceRole:

    acs:ram:*:<account_id>:role/*

ram:DetachPolicy

  • Policy:

    acs:ram:*:system:policy/<policy_name> or acs:ram:*:<account_id>:policy/<policy_name>

  • IMSUser:

    acs:ims:*:<account_id>:user/*

  • IMSGroup:

    acs:ims:*:<account_id>:group/*

  • ServiceRole:

    acs:ram:*:<account_id>:role/*

ram:ListPolicyAttachments

acs:ram:*:<account_id>:*

ram:CreateRole

acs:ram:*:<account_id>:role/*

ram:GetRole

acs:ram:*:<account_id>:role/<role_name>

ram:ListRoles

acs:ram:*:<account_id>:role/*

ram:UpdateRole

acs:ram:*:<account_id>:role/<role_name>

ram:DeleteRole

acs:ram:*:<account_id>:role/<role_name>

ram:CreateServiceLinkedRole

acs:ram:*:<account_id>:role/*

ram:DeleteServiceLinkedRole

acs:ram:*:<account_id>:role/<role_name>

ram:GetServiceLinkedRoleDeletionStatus

acs:ram:*:<account_id>:role/<role_name>

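Resource directory authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized in Resource Directory.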

Action

Resource

resourcemanager:AcceptHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:AttachControlPolicy

  • ControlPolicy

    acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:BindSecureMobilePhone

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:CancelHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:CheckAccountDelete

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:CreateCloudAccount

acs:resourcemanager:*:<account_id>:*

resourcemanager:CreateControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:CreateFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:CreateResourceAccount

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:DeclineHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:DeleteAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:DeleteControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:DeleteFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:DeregisterDelegatedAdministrator

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:DestroyResourceDirectory

acs:resourcemanager:*:<account_id>:*

resourcemanager:DetachControlPolicy

  • ControlPolicy

    acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:DisableControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:EnableControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:EnableResourceDirectory

acs:resourcemanager:*:<account_id>:*

resourcemanager:GetAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetAccountDeletionCheckResult

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetAccountDeletionStatus

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:GetControlPolicyEnablementStatus

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:GetFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:GetHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:GetPayerForAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetResourceDirectory

acs:resourcemanager:*:<account_id>:*

resourcemanager:InviteAccountToResourceDirectory

  • Handshake

    acs:resourcemanager:*:<account_id>:handshake/*

  • Folder

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListAccounts

acs:resourcemanager:*:<account_id>:account/*

resourcemanager:ListAccountsForParent

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListAncestors

acs:resourcemanager:*:<account_id>:folder/*

resourcemanager:ListControlPolicies

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:ListControlPolicyAttachmentsForTarget

  • ControlPolicy

    acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListDelegatedAdministrators

acs:resourcemanager:*:<account_id>:account/*

resourcemanager:ListDelegatedServicesForAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:ListFoldersForParent

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListHandshakesForAccount

acs:resourcemanager:*:<account_id>:handshake/*

resourcemanager:ListHandshakesForResourceDirectory

acs:resourcemanager:*:<account_id>:handshake/*

resourcemanager:ListTagKeys

acs:resourcemanager:*:<account_id>:*

resourcemanager:ListTagResources

acs:resourcemanager:*:<account_id>:*

resourcemanager:ListTagValues

acs:resourcemanager:*:<account_id>:*

resourcemanager:ListTargetAttachmentsForControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:ListTrustedServiceStatus

acs:resourcemanager:*:<account_id>:*

resourcemanager:MoveAccount

  • Account

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:PromoteResourceAccount

acs:resourcemanager:*:<account_id>:*

resourcemanager:RegisterDelegatedAdministrator

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:RemoveCloudAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:SendVerificationCodeForBindSecureMobilePhone

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:SendVerificationCodeForEnableRD

acs:resourcemanager:*:<account_id>:*

resourcemanager:TagResources

acs:resourcemanager:*:<account_id>:*

resourcemanager:UntagResources

acs:resourcemanager:*:<account_id>:*

resourcemanager:UpdateAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:UpdateControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:UpdateFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:AddMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/*

resourcemanager:CancelMessageContactUpdate

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:DeleteMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:GetMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:GetMessageContactDeletionStatus

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:ListMessageContacts

acs:resourcemanager:*:<account_id>:messagecontact/*

resourcemanager:ListMessageContactVerifications

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:SendEmailVerificationForMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:SendPhoneVerificationForMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:UpdateMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:AssociateMembers

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • MessageContact:

    acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:DisassociateMembers

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • MessageContact:

    acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:CancelChangeAccountEmail

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:ChangeAccountEmail

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:RetryChangeAccountEmail

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:PrecheckForConsolidatedBillingAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

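Resource sharing authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized in Resource Sharing.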

Action

Resource

resourcesharing:EnableSharingWithResourceDirectory

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:CreateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:UpdateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DeleteResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceShares

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:AssociateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DisassociateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceShareAssociations

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListSharedResources

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListSharedTargets

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DescribeRegions

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceShareInvitations

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:AcceptResourceShareInvitation

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:RejectResourceShareInvitation

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:AssociateResourceSharePermission

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DisassociateResourceSharePermission

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceSharePermissions

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:GetPermission

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListPermissionVersions

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListPermissions

acs:resourcesharing:<region_id>:<account_id>:*

Tag authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized in Tag.

Action

Resource

tag:ListTagResources

acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>

tag:TagResources

  • acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>

  • acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id>

tag:UntagResources

  • acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>

  • acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id>

tag:ListTagKeys

acs:tag:<region_id>:<account_id>:*/*

tag:ListTagValues

acs:tag:<region_id>:<account_id>:*/*

tag:CreateTags

acs:tag:<region_id>:<account_id>:*/*

tag:DeleteTag

acs:tag:<region_id>:<account_id>:*/*