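Before a RAM user can call the API, the Alibaba Cloud account (the primary account) must grant permissions to that RAM user by creating an authorization policy. Within the policy, the Alibaba Cloud Resource Name (ARN) specifies the resources being authorized.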

The following table lists the actions (Action) and resources (Resource) that can be authorized in RAM.

| Action | Resource |
| --- | --- |
| `ram:CreateUser` | `acs:ram:*:${AccountId}:user/*` |
| `ram:GetUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:UpdateUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:DeleteUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:ListUsers` | `acs:ram:*:${AccountId}:user/*` |
| `ram:CreateLoginProfile` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:GetLoginProfile` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:DeleteLoginProfile` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:UpdateLoginProfile` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:CreateAccessKey` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:UpdateAccessKey` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:DeleteAccessKey` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:ListAccessKeys` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:CreateVirtualMFADevice` | `acs:ram:*:${AccountId}:mfa/*` |
| `ram:ListVirtualMFADevices` | `acs:ram:*:${AccountId}:mfa/*` |
| `ram:DeleteVirtualMFADevice` | `${SerialNumber}` |
| `ram:BindMFADevice` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:UnbindMFADevice` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:GetUserMFAInfo` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:ChangePassword` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:CreateGroup` | `acs:ram:*:${AccountId}:group/*` |
| `ram:GetGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:UpdateGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:ListGroups` | `acs:ram:*:${AccountId}:group/*` |
| `ram:DeleteGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:AddUserToGroup` | `acs:ram:*:${AccountId}:user/${UserName}` |
| | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:RemoveUserFromGroup` | `acs:ram:*:${AccountId}:user/${UserName}` |
| | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:ListGroupsForUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:ListUsersForGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:CreateRole` | `acs:ram:*:${AccountId}:role/*` |
| `ram:GetRole` | `acs:ram:*:${AccountId}:role/${RoleName}` |
| `ram:UpdateRole` | `acs:ram:*:${AccountId}:role/${RoleName}` |
| `ram:ListRoles` | `acs:ram:*:${AccountId}:role/*` |
| `ram:DeleteRole` | `acs:ram:*:${AccountId}:role/${RoleName}` |
| `ram:CreatePolicy` | `acs:ram:*:${AccountId}:policy/*` |
| `ram:GetPolicy` | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:DeletePolicy` | `acs:ram:*:${AccountId}:policy/${PolicyName}` |
| `ram:ListPolicies` | `acs:ram:*:${AccountId}:policy/*` |
| `ram:CreatePolicyVersion` | `acs:ram:*:${AccountId}:policy/${PolicyName}` |
| `ram:GetPolicyVersion` | `acs:ram:*:${AccountId} or system:group/${PolicyName}` |
| `ram:DeletePolicyVersion` | `acs:ram:*:${AccountId}:policy/${PolicyName}` |
| `ram:ListPolicyVersions` | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:SetDefaultPolicyVersion` | `acs:ram:*:${AccountId}:policy/${PolicyName}` |
| `ram:AttachPolicyToUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:DetachPolicyFromUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:AttachPolicyToGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:DetachPolicyFromGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:AttachPolicyToRole` | `acs:ram:*:${AccountId}:role/${RoleName}` |
| | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:DetachPolicyFromRole` | `acs:ram:*:${AccountId}:role/${RoleName}` |
| | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:ListPoliciesForUser` | `acs:ram:*:${AccountId}:user/${UserName}` |
| `ram:ListPoliciesForGroup` | `acs:ram:*:${AccountId}:group/${GroupName}` |
| `ram:ListPoliciesForRole` | `acs:ram:*:${AccountId}:role/${RoleName}` |
| `ram:ListEntitiesForPolicy` | `acs:ram:*:${AccountId} or system:policy/${PolicyName}` |
| `ram:SetAccountAlias` | `acs:ram:*:${AccountId}:*` |
| `ram:GetAccountAlias` | `acs:ram:*:${AccountId}:*` |
| `ram:ClearAccountAlias` | `acs:ram:*:${AccountId}:*` |
| `ram:SetPasswordPolicy` | `acs:ram:*:${AccountId}:*` |
| `ram:GetPasswordPolicy` | `acs:ram:*:${AccountId}:*` |
| `ram:SetSecurityPreference` | `acs:ram:*:${AccountId}:*` |
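
The following added example (not Alibaba Cloud code) checks a policy document against a subset of the table above: it reports an Allow statement that omits a resource type the table lists for an action, or that uses `*` where the table names a single entity. It assumes the policy is JSON with `Version`, `Statement`, `Effect`, `Action` and `Resource` keys and that `*` acts as a wildcard; the account ID, the user name and the finding labels are constructed.

```python
# Added example with constructed data. TABLE copies a subset of the table's
# rows: the resource types each action must be granted on.
TABLE = {
    "ram:GetUser": {"user"},
    "ram:CreateAccessKey": {"user"},
    "ram:AddUserToGroup": {"user", "group"},
}

def split_arn(arn):
    """Return (type, name); bare "*" gives ("*", ""), malformed gives (None, None)."""
    if arn == "*":
        return "*", ""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "ram"]:
        return None, None
    rtype, _, name = parts[4].partition("/")
    return rtype, name

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint(policy):
    """Return sorted (statement_index, action, finding) tuples for Allow statements."""
    findings = set()
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        parsed = [split_arn(r) for r in as_list(stmt["Resource"])]
        present = {rtype for rtype, _ in parsed}
        for action in as_list(stmt["Action"]):
            if action not in TABLE:
                findings.add((idx, action, "not-in-checked-subset"))
            elif "*" in present:  # "*" or acs:ram:*:<account>:* covers everything
                findings.add((idx, action, "wildcard-resource"))
            else:
                for missing in TABLE[action] - present:
                    findings.add((idx, action, "missing-type:" + missing))
                for rtype, name in parsed:
                    if rtype in TABLE[action] and "*" in name:
                        findings.add((idx, action, "wildcard-name:" + rtype))
    return sorted(findings)

POLICY = {"Version": "1", "Statement": [  # constructed sample, placeholder account ID
    {"Effect": "Allow", "Action": "ram:GetUser",
     "Resource": "acs:ram:*:1234567890123456:user/alice"},
    {"Effect": "Allow", "Action": ["ram:CreateAccessKey", "ram:AddUserToGroup"],
     "Resource": ["acs:ram:*:1234567890123456:user/*"]},
]}
```

Calling `lint(POLICY)` leaves the first statement unflagged and reports the second for granting both actions on every user and for omitting the group resource that the table lists for `ram:AddUserToGroup`.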