RAM用户调用资源管理API前,需要阿里云账号(主账号)创建权限策略并对RAM用户进行授权。在权限策略中,使用资源描述符(Alibaba Cloud Resource Name,ARN)指定授权资源。

本文用到的字段含义如下,请在使用时替换为实际值。

  • <AccountId>:阿里云账号(主账号)ID。
  • <ResourceGroupName>:资源组名称。
  • <PolicyName>:权限策略名称。
  • <RoleName>:RAM角色名称。
  • <ResourceType>:资源类型。
  • <ResourceId>:资源ID。
  • <RegionId>:地域ID。
  • <Product>:云服务代码。

资源组鉴权列表

下表列举了资源组中可授权的操作(Action)和资源(Resource)。

Action Resource
ram:CreateResourceGroup acs:ram:*:<AccountId>:resourcegroup/*
ram:DeleteResourceGroup acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName>
ram:UpdateResourceGroup acs:ram:*:<AccountId>:resourcegroup/<ResourceGroupName>
ram:CreatePolicy acs:ram:*:<AccountId>:policy/*
ram:DeletePolicy acs:ram:*:<AccountId>:policy/<PolicyName>
ram:ListPolicies acs:ram:*:<AccountId>:policy/*
ram:GetPolicy acs:ram:*:<AccountId>:policy/<PolicyName>
ram:CreatePolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:DeletePolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:ListPolicyVersions acs:ram:*:<AccountId>:policy/<PolicyName>
ram:GetPolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:SetDefaultPolicyVersion acs:ram:*:<AccountId>:policy/<PolicyName>
ram:AttachPolicy
  • Policy:

    acs:ram:*:system:policy/<PolicyName>或acs:ram:*:<AccountId>:policy/<PolicyName>

  • IMSUser:

    acs:ims:*:<AccountId>:user/*

  • IMSGroup:

    acs:ims:*:<AccountId>:group/*

  • ServiceRole:

    acs:ram:*:<AccountId>:role/*
ram:DetachPolicy
  • Policy:

    acs:ram:*:system:policy/<PolicyName>或acs:ram:*:<AccountId>:policy/<PolicyName>

  • IMSUser:

    acs:ims:*:<AccountId>:user/*

  • IMSGroup:

    acs:ims:*:<AccountId>:group/*

  • ServiceRole:

    acs:ram:*:<AccountId>:role/*
ram:ListPolicyAttachments acs:ram:*:<AccountId>:*
ram:CreateRole acs:ram:*:<AccountId>:role/*
ram:GetRole acs:ram:*:<AccountId>:role/<RoleName>
ram:ListRoles acs:ram:*:<AccountId>:role/*
ram:UpdateRole acs:ram:*:<AccountId>:role/<RoleName>
ram:DeleteRole acs:ram:*:<AccountId>:role/<RoleName>
ram:CreateServiceLinkedRole acs:ram:*:<AccountId>:role/*
ram:DeleteServiceLinkedRole acs:ram:*:<AccountId>:role/<RoleName>
ram:GetServiceLinkedRoleDeletionStatus acs:ram:*:<AccountId>:role/<RoleName>

资源目录鉴权列表

下表列举了资源目录中可授权的操作(Action)和资源(Resource)。

Action Resource
resourcemanager:InitResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:DestroyResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:CreateResourceAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:CreateCloudAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:PromoteResourceAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:ResendCreateCloudAccountEmail acs:resourcemanager:*:<AccountId>:*
resourcemanager:ResendPromoteResourceAccountEmail acs:resourcemanager:*:<AccountId>:*
resourcemanager:CancelCreateCloudAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:CancelPromoteResourceAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:RemoveCloudAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:MoveAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListAccountsForParent acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListAccounts acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetPayerForAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:UpdateAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:CreateFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:DeleteFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListFoldersForParent acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListAncestors acs:resourcemanager:*:<AccountId>:*
resourcemanager:UpdateFolder acs:resourcemanager:*:<AccountId>:*
resourcemanager:InviteAccountToResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:GetHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:AcceptHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:CancelHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:DeclineHandshake acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListHandshakesForAccount acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListHandshakesForResourceDirectory acs:resourcemanager:*:<AccountId>:*
resourcemanager:ListTrustedServiceStatus acs:resourcemanager:*:<AccountId>:*

资源共享鉴权列表

下表列举了资源共享中可授权的操作(Action)和资源(Resource)。

说明 Resource列的星号(*)表示全部资源。
Action Resource
resourcesharing:CreateResourceShare *
resourcesharing:UpdateResourceShare *
resourcesharing:DeleteResourceShare *
resourcesharing:ListResourceShares *
resourcesharing:AssociateResourceShare *
resourcesharing:DisassociateResourceShare *
resourcesharing:ListResourceShareAssociations *
resourcesharing:ListSharedResources *
resourcesharing:ListSharedTargets *

标签鉴权列表

下表列举了标签中可授权的操作(Action)和资源(Resource)。

Action Resource
tag:ListTagResources acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
tag:TagResources
  • acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
  • acs:<Product>:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
tag:UntagResources
  • acs:tag:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
  • acs:<Product>:<RegionId>:<AccountId>:<ResourceType>/<ResourceId>
tag:ListTagKeys acs:tag:<RegionId>:<AccountId>:*/*
tag:ListTagValues acs:tag:<RegionId>:<AccountId>:*/*
tag:CreateTags acs:tag:<RegionId>:<AccountId>:*/*
tag:DeleteTag acs:tag:<RegionId>:<AccountId>:*/*