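Before a RAM user can call the Resource Management API, the primary account must grant it permissions by creating an authorization policy. In the policy, the resources being authorized are specified with Alibaba Cloud Resource Names (ARNs).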

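Resource group authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized for resource groups.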

Action Resource
ram:CreateResourceGroup acs:ram:*:$AccountId:resourcegroup/*
ram:DeleteResourceGroup acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName
ram:UpdateResourceGroup acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName
ram:CreatePolicy acs:ram:*:$AccountId:policy/*
ram:DeletePolicy acs:ram:*:$AccountId:policy/$PolicyName
ram:ListPolicies acs:ram:*:$AccountId:policy/*
ram:GetPolicy acs:ram:*:$AccountId:policy/$PolicyName
ram:CreatePolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:DeletePolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:ListPolicyVersions acs:ram:*:$AccountId:policy/$PolicyName
ram:GetPolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:SetDefaultPolicyVersion acs:ram:*:$AccountId:policy/$PolicyName
ram:AttachPolicy
  • Policy: acs:ram:*:system:policy/$PolicyName or acs:ram:*:$AccountId:policy/$PolicyName
  • IMSUser: acs:ims:*:$AccountId:user/*
  • IMSGroup: acs:ims:*:$AccountId:group/*
  • ServiceRole: acs:ram:*:$AccountId:role/*
ram:DetachPolicy
  • Policy: acs:ram:*:system:policy/$PolicyName or acs:ram:*:$AccountId:policy/$PolicyName
  • IMSUser: acs:ims:*:$AccountId:user/*
  • IMSGroup: acs:ims:*:$AccountId:group/*
  • ServiceRole: acs:ram:*:$AccountId:role/*
ram:ListPolicyAttachments acs:ram:*:$AccountId:*
ram:CreateRole acs:ram:*:$AccountId:role/*
ram:GetRole acs:ram:*:$AccountId:role/$RoleName
ram:ListRoles acs:ram:*:$AccountId:role/*
ram:UpdateRole acs:ram:*:$AccountId:role/$RoleName
ram:DeleteRole acs:ram:*:$AccountId:role/$RoleName
ram:CreateServiceLinkedRole acs:ram:*:$AccountId:role/*
ram:DeleteServiceLinkedRole acs:ram:*:$AccountId:role/$RoleName
ram:GetServiceLinkedRoleDeletionStatus acs:ram:*:$AccountId:role/$RoleName

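Resource directory authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized for the resource directory.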

Action Resource
resourcemanager:InitResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:DestroyResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:GetResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:CreateResourceAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:CreateCloudAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:PromoteResourceAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:ResendCreateCloudAccountEmail acs:resourcemanager:*:$AccountId:*
resourcemanager:ResendPromoteResourceAccountEmail acs:resourcemanager:*:$AccountId:*
resourcemanager:CancelCreateCloudAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:CancelPromoteResourceAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:RemoveCloudAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:GetAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:MoveAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:ListAccountsForParent acs:resourcemanager:*:$AccountId:*
resourcemanager:ListAccounts acs:resourcemanager:*:$AccountId:*
resourcemanager:GetPayerForAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:UpdateAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:CreateFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:DeleteFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:GetFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:ListFoldersForParent acs:resourcemanager:*:$AccountId:*
resourcemanager:ListAncestors acs:resourcemanager:*:$AccountId:*
resourcemanager:UpdateFolder acs:resourcemanager:*:$AccountId:*
resourcemanager:InviteAccountToResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:GetHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:AcceptHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:CancelHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:DeclineHandshake acs:resourcemanager:*:$AccountId:*
resourcemanager:ListHandshakesForAccount acs:resourcemanager:*:$AccountId:*
resourcemanager:ListHandshakesForResourceDirectory acs:resourcemanager:*:$AccountId:*
resourcemanager:ListTrustedServiceStatus acs:resourcemanager:*:$AccountId:*

Tag authorization list

The following table lists the actions (Action) and resources (Resource) that can be authorized for tags.

Action Resource
tag:ListTagResources acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:TagResources
  • acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
  • acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:UntagResources
  • acs:tag:$RegionId:$AccountId:$ResourceType/$ResourceId
  • acs:$Product:$RegionId:$AccountId:$ResourceType/$ResourceId
tag:ListTagKeys acs:tag:$RegionId:$AccountId:*/*
tag:ListTagValues acs:tag:$RegionId:$AccountId:*/*
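
The following is an added example, not code from this page or from Alibaba Cloud: a least-privilege check that compares each Allow grant in a policy with the ARN the tables above give for that action. The function names, the account ID and the sample policy are constructed; the `Version`/`Statement`/`Effect`/`Action`/`Resource` layout is assumed to be the standard RAM policy JSON, which this page does not show.

```python
import re

# Action -> ARN template, copied from the tables on this page (a subset).
ARN_TEMPLATES = {
    "ram:DeleteResourceGroup": "acs:ram:*:$AccountId:resourcegroup/$ResourceGroupName",
    "ram:GetRole": "acs:ram:*:$AccountId:role/$RoleName",
    "resourcemanager:GetFolder": "acs:resourcemanager:*:$AccountId:*",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _shape(template, account_id):
    """Regex for ARNs of the template's shape, with $AccountId pinned to one account."""
    parts = []
    for tok in re.split(r"(\$\w+|\*)", template):
        if tok == "$AccountId":
            parts.append(re.escape(account_id))
        elif tok.startswith("$"):
            parts.append(r"[^:/]+")  # one segment; a policy may put "*" here
        else:
            parts.append(re.escape(tok))  # literal text, including the table's own "*"
    return re.compile("".join(parts))

def lint_policy(policy, account_id):
    """Return (action, resource, problem) for each Allow grant that strays from the table."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            template = ARN_TEMPLATES.get(action)
            for res in _as_list(stmt.get("Resource", [])):
                if template is None:
                    findings.append((action, res, "action not in table subset"))
                elif not _shape(template, account_id).fullmatch(res):
                    findings.append((action, res, "resource does not fit table ARN"))
                elif "$" in template.rsplit(":", 1)[1] and "*" in res.rsplit(":", 1)[1]:
                    findings.append((action, res, "wildcard where a name can be given"))
    return findings

ACCOUNT = "1234567890123456"  # constructed account ID
RG = f"acs:ram:*:{ACCOUNT}:resourcegroup/"
SAMPLE_POLICY = {"Version": "1", "Statement": [  # constructed policy
    {"Effect": "Allow", "Action": "ram:DeleteResourceGroup", "Resource": [RG + "prod", RG + "*"]},
    {"Effect": "Allow", "Action": ["ram:GetRole", "resourcemanager:GetFolder"], "Resource": "*"},
]}

print(*lint_policy(SAMPLE_POLICY, ACCOUNT), sep="\n")
```

The grant on `resourcegroup/prod` passes; the wildcard resource group and the two bare `*` resources are reported as broader than the table's ARN for the action.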