RAM用户调用API前,需要阿里云账号(主账号)创建权限策略并对RAM用户进行授权。在权限策略中,使用资源描述符(Alibaba Cloud Resource Name,ARN)指定授权资源。
本文用到的字段含义如下,请在使用时替换为实际值。
- <account-id>:阿里云账号ID。
- <user-name>:RAM用户名称。
- <role-name>:RAM角色名称。
说明 权限策略中的RAM角色名称需要转换成全小写英文字母。
- <group-name>:RAM用户组名称。
- <policy-name>:权限策略名称。
- <serial-number>:虚拟MFA设备序列号。
下表列举了RAM中可授权的操作(Action)和资源(Resource)。
| Action | Resource |
|---|---|
| ram:CreateUser | acs:ram:*:<account-id>:user/* |
| ram:GetUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:UpdateUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:DeleteUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:ListUsers | acs:ram:*:<account-id>:user/* |
| ram:CreateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:GetLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:DeleteLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:UpdateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
| ram:CreateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
| ram:UpdateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
| ram:DeleteAccessKey | acs:ram:*:<account-id>:user/<user-name> |
| ram:ListAccessKeys | acs:ram:*:<account-id>:user/<user-name> |
| ram:CreateVirtualMFADevice | acs:ram:*:<account-id>:mfa/* |
| ram:ListVirtualMFADevices | acs:ram:*:<account-id>:mfa/* |
| ram:DeleteVirtualMFADevice | acs:ram:*:<account-id>:mfa/<serial-number> |
| ram:BindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
| ram:UnbindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
| ram:GetUserMFAInfo | acs:ram:*:<account-id>:user/<user-name> |
| ram:ChangePassword | acs:ram:*:<account-id>:user/<user-name> |
| ram:CreateGroup | acs:ram:*:<account-id>:group/* |
| ram:GetGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:UpdateGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:ListGroups | acs:ram:*:<account-id>:group/* |
| ram:DeleteGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:AddUserToGroup | acs:ram:*:<account-id>:user/<user-name> |
acs:ram:*:<account-id>:group/<group-name> |
|
| ram:RemoveUserFromGroup | acs:ram:*:<account-id>:user/<user-name> |
acs:ram:*:<account-id>:group/<group-name> |
|
| ram:ListGroupsForUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:ListUsersForGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:CreateRole | acs:ram:*:<account-id>:role/<role-name> |
| ram:GetRole | acs:ram:*:<account-id>:role/<role-name> |
| ram:UpdateRole | acs:ram:*:<account-id>:role/<role-name> |
| ram:ListRoles | acs:ram:*:<account-id>:role/* |
| ram:DeleteRole | acs:ram:*:<account-id>:role/<role-name> |
| ram:CreatePolicy | acs:ram:*:<account-id>:policy/* |
| ram:GetPolicy |
|
| ram:DeletePolicy | acs:ram:*:<account-id>:policy/<policy-name> |
| ram:UpdatePolicyDescription | acs:ram::<account-id>:policy/<policy-name> |
| ram:ListPolicies | acs:ram:*:<account-id>:policy/* |
| ram:CreatePolicyVersion | acs:ram:*:<account-id>:policy/<policy-name> |
| ram:GetPolicyVersion |
|
| ram:DeletePolicyVersion | acs:ram:*:<account-id>:policy/<policy-name> |
| ram:ListPolicyVersions |
|
| ram:SetDefaultPolicyVersion | acs:ram:*:<account-id>:policy/<policy-name> |
| ram:AttachPolicyToUser | acs:ram:*:<account-id>:user/<user-name> |
|
|
| ram:DetachPolicyFromUser | acs:ram:*:<account-id>:user/<user-name> |
|
|
| ram:AttachPolicyToGroup | acs:ram:*:<account-id>:group/<group-name> |
|
|
| ram:DetachPolicyFromGroup | acs:ram:*:<account-id>:group/<group-name> |
|
|
| ram:AttachPolicyToRole | acs:ram:*:<account-id>:role/<role-name> |
|
|
| ram:DetachPolicyFromRole | acs:ram:*:<account-id>:role/<role-name> |
|
|
| ram:ListPoliciesForUser | acs:ram:*:<account-id>:user/<user-name> |
| ram:ListPoliciesForGroup | acs:ram:*:<account-id>:group/<group-name> |
| ram:ListPoliciesForRole | acs:ram:*:<account-id>:role/<role-name> |
| ram:ListEntitiesForPolicy |
|
| ram:SetAccountAlias | acs:ram:*:<account-id>:* |
| ram:GetAccountAlias | acs:ram:*:<account-id>:* |
| ram:ClearAccountAlias | acs:ram:*:<account-id>:* |
| ram:SetPasswordPolicy | acs:ram:*:<account-id>:* |
| ram:GetPasswordPolicy | acs:ram:*:<account-id>:* |
| ram:SetSecurityPreference | acs:ram:*:<account-id>:* |