在RAM用户调用API前,需要阿里云账号通过创建授权策略对RAM用户进行授权。
资源授权
默认情况下,RAM用户没有权限通过调用API去创建、修改阿里云资源。RAM用户调用API时,需要先创建一个授权策略,然后将这个授权策略关联给对应的RAM用户以完成资源授权。
在创建授权策略时,您可以通过资源描述符ARN(Alibaba Cloud Resource Name)指定要授权的资源。ARN是阿里云为每个资源定义的一个全局的阿里云资源名称。ARN格式如下:
acs:service-name:region:account-id:resource-relative-idARN字段含义如下:
- acs:Alibaba Cloud Service的首字母缩写,表示阿里云的公共云平台。
- service-name:阿里云服务的名称,例如:ECS、OSS、ROS等。
-
region:地域信息。如果不支持该项,可以使用通配符星号(
*)来代替。 - account-id:阿里云账号ID,例如:123456789012****。
- resource-relative-id:具体的资源描述,不同的阿里云服务的资源描述也不同。更多信息,请参见各阿里云服务的开发文档。
例如:
acs:oss:*:123456789012****:sample_bucket/file1.txt表示OSS服务中对象名称是sample_bucket/file1.txt的资源,对象的所有者UID为123456789012****。
可授权的资源编排资源类型
| 资源类型 | 授权策略中的资源描述方法 |
|---|---|
| Stack | acs:ros:$regionid:$accountid:stack/$stackid |
| acs:ros:$regionid:$accountid:stack/* | |
| Template | acs:ros:$regionid:$accountid:template/$templateid |
| acs:ros:$regionid:$accountid:template/* | |
| StackGroup | acs:ros:$regionid:$accountid:stack_group/* |
可授权的资源编排接口
- 资源栈相关接口
API Action 资源描述 PreviewStack ros:PreviewStack acs:ros:cn-hangzhou:$accountid:stack/* CreateStack ros:CreateStack cs:ros:cn-hangzhou:$accountid:stack/* ContinueCreateStack ros:ContinueCreateStack acs:ros:cn-hangzhou:$accountid:stack/$stackid SetDeletionProtection ros:SetDeletionProtection acs:ros:cn-hangzhou:$accountid:stack/$stackid UpdateStack ros:UpdateStack acs:ros:cn-hangzhou:$accountid:stack/$stackid CancelUpdateStack ros:CancelUpdateStack acs:ros:cn-hangzhou:$accountid:stack/$stackid GetStack ros:GetStack acs:ros:cn-hangzhou:$accountid:stack/$stackid ListStacks ros:ListStacks acs:ros:cn-hangzhou:$accountid:stack/* ListStackEvents ros:ListStackEvents acs:ros:cn-hangzhou:$accountid:stack/$stackid ListStackOperationRisks ros:ListStackOperationRisks acs:ros:cn-hangzhou:$accountid:stack/$stackid DeleteStack ros:DeleteStack acs:ros:cn-hangzhou:$accountid:stack/$stackid CreateChangeSet ros:CreateChangeSet - 当ChangeSetType取值为CREATE时:acs:ros:cn-hangzhou:$accountid:stack/*
- 当ChangeSetType取值为UPDATE时:acs:ros:cn-hangzhou:$accountid:stack/$stackid
- 当ChangeSetType取值为IMPORT时:acs:ros:cn-hangzhou:$accountid:stack/*
ExecuteChangeSet ros:ExecuteChangeSet acs:ros:cn-hangzhou:$accountid:stack/$stackid GetChangeSet ros:GetChangeSet acs:ros:cn-hangzhou:$accountid:stack/$stackid ListChangeSets ros:ListChangeSets acs:ros:cn-hangzhou:$accountid:stack/$stackid DeleteChangeSet ros:DeleteChangeSet acs:ros:cn-hangzhou:$accountid:stack/$stackid - 资源相关接口
API Action 资源描述 GetResourceTypeTemplate ros:GetResourceTypeTemplate 不鉴权 ListStackResources ros:ListStackResources acs:ros:cn-hangzhou:$accountid:stack/$stackid GetStackResource ros:GetStackResource acs:ros:cn-hangzhou:$accountid:stack/$stackid GetResourceType ros:GetResourceType 不鉴权 ListResourceTypes ros:ListResourceTypes 不鉴权 MoveResourceGroup ros:MoveResourceGroup - 当ResourceType取值为stack时:acs:ros:cn-hangzhou:$accountid:stack/*
- 当ResourceType取值为stackgroup时:acs:ros:cn-hangzhou:$accountid:stack_group/*
- 当ResourceType取值为template时:acs:ros:cn-hangzhou:$accountid:template/*
- 资源栈组相关接口
API Action 资源描述 CreateStackGroup ros:CreateStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/* UpdateStackGroup ros:UpdateStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/* GetStackGroup ros:GetStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/* ListStackGroups ros:ListStackGroups acs:ros:cn-hangzhou:$accountid:stack_group/* DeleteStackGroup ros:DeleteStackGroup acs:ros:cn-hangzhou:$accountid:stack_group/* CreateStackInstances ros:CreateStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* UpdateStackInstances ros:UpdateStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* GetStackInstance ros:GetStackInstance acs:ros:cn-hangzhou:$accountid:stack_instance/* ListStackInstances ros:ListStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* DeleteStackInstances ros:DeleteStackInstances acs:ros:cn-hangzhou:$accountid:stack_instance/* GetStackGroupOperation ros:GetStackGroupOperation acs:ros:cn-hangzhou:$accountid:stack_group_operation/* ListStackGroupOperations ros:ListStackGroupOperations acs:ros:cn-hangzhou:$accountid:stack_group_operation/* ListStackGroupOperationResults ros:ListStackGroupOperationResults acs:ros:cn-hangzhou:$accountid:stack_group_operation/* StopStackGroupOperation ros:StopStackGroupOperation acs:ros:cn-hangzhou:$accountid:stack_group_operation/* - 模板相关接口
API Action 资源描述 GenerateTemplatePolicy ros:GenerateTemplatePolicy acs:ros:cn-hangzhou:$accountid:template/$templateid 说明 如果指定参数TemplateId,则需要鉴权。CreateTemplate ros:CreateTemplate acs:ros:cn-hangzhou:$accountid:template/* ValidateTemplate ros:ValidateTemplate 不鉴权 UpdateTemplate ros:UpdateTemplate acs:ros:cn-hangzhou:$accountid:template/$templateid GetTemplate ros:GetTemplate - acs:ros:cn-hangzhou:$accountid:stack/$stackid
- acs:ros:$regionid:$accountid:stack_group/*
- acs:ros:cn-hangzhou:$accountid:template/$templateid
GetTemplateEstimateCost ros:GetTemplateEstimateCost acs:ros:cn-hangzhou:$accountid:* GetTemplateSummary ros:GetTemplateSummary acs:ros:cn-hangzhou:$accountid:template/$templateid 说明 如果指定参数TemplateId,则需要鉴权。ListTemplates ros:ListTemplates acs:ros:cn-hangzhou:$accountid:template/* ListTemplateVersions ros:ListTemplateVersions acs:ros:cn-hangzhou:$accountid:template/$templateid SetTemplatePermission ros:SetTemplatePermission acs:ros:cn-hangzhou:$accountid:* DeleteTemplate ros:DeleteTemplate acs:ros:cn-hangzhou:$accountid:template/$templateid - 标签相关接口
API Action 资源描述 ListTagResources ros:ListTagResources acs:ros:cn-hangzhou:$accountid:tag/* ListTagKeys ros:ListTagKeys acs:ros:cn-hangzhou:$accountid:tag/* ListTagValues ros:ListTagValues acs:ros:cn-hangzhou:$accountid:tag/* UntagResources ros:UntagResources acs:ros:cn-hangzhou:$accountid:tag/* - 其他接口
API Action 资源描述 DescribeRegions ros:DescribeRegions 不鉴权 SignalResource ros:SignalResource acs:ros:cn-hangzhou:$accountid:stack/$stackid GetStackPolicy ros:GetStackPolicy acs:ros:cn-hangzhou:$accountid:stack/$stackid SetStackPolicy ros:SetStackPolicy acs:ros:cn-hangzhou:$accountid:stack/$stackid