RAM用户调用资源管理API前,需要阿里云账号(主账号)创建权限策略并对RAM用户进行授权。在权限策略中,使用资源描述符ARN(Aliyun Resource Name)指定授权资源。

本文用到的字段含义如下,请在使用时替换为实际值。

  • <account_id>:阿里云账号(主账号)ID。
  • <resourcegroup_id>:资源组ID。
  • <policy_name>:权限策略名称。
  • <role_name>:RAM角色名称。
  • <resource_type>:资源类型。
  • <resource_id>:资源ID。
  • <region_id>:地域ID。
  • <product>:云服务代码。

资源组鉴权列表

下表列举了资源组中可授权的操作(Action)和资源(Resource)。

ActionResource
ram:CreateResourceGroupacs:ram:*:<account_id>:resourcegroup/*
ram:DeleteResourceGroupacs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>
ram:UpdateResourceGroupacs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>
ram:CreatePolicyacs:ram:*:<account_id>:policy/*
ram:DeletePolicyacs:ram:*:<account_id>:policy/<policy_name>
ram:ListPoliciesacs:ram:*:<account_id>:policy/*
ram:GetPolicyacs:ram:*:<account_id>:policy/<policy_name>
ram:CreatePolicyVersionacs:ram:*:<account_id>:policy/<policy_name>
ram:DeletePolicyVersionacs:ram:*:<account_id>:policy/<policy_name>
ram:ListPolicyVersionsacs:ram:*:<account_id>:policy/<policy_name>
ram:GetPolicyVersionacs:ram:*:<account_id>:policy/<policy_name>
ram:SetDefaultPolicyVersionacs:ram:*:<account_id>:policy/<policy_name>
ram:AttachPolicy
  • Policy:

    acs:ram:*:system:policy/<policy_name>或acs:ram:*:<account_id>:policy/<policy_name>

  • IMSUser:

    acs:ims:*:<account_id>:user/*

  • IMSGroup:

    acs:ims:*:<account_id>:group/*

  • ServiceRole:

    acs:ram:*:<account_id>:role/*

ram:DetachPolicy
  • Policy:

    acs:ram:*:system:policy/<policy_name>或acs:ram:*:<account_id>:policy/<policy_name>

  • IMSUser:

    acs:ims:*:<account_id>:user/*

  • IMSGroup:

    acs:ims:*:<account_id>:group/*

  • ServiceRole:

    acs:ram:*:<account_id>:role/*

ram:ListPolicyAttachmentsacs:ram:*:<account_id>:*
ram:CreateRoleacs:ram:*:<account_id>:role/*
ram:GetRoleacs:ram:*:<account_id>:role/<role_name>
ram:ListRolesacs:ram:*:<account_id>:role/*
ram:UpdateRoleacs:ram:*:<account_id>:role/<role_name>
ram:DeleteRoleacs:ram:*:<account_id>:role/<role_name>
ram:CreateServiceLinkedRoleacs:ram:*:<account_id>:role/*
ram:DeleteServiceLinkedRoleacs:ram:*:<account_id>:role/<role_name>
ram:GetServiceLinkedRoleDeletionStatusacs:ram:*:<account_id>:role/<role_name>

资源目录鉴权列表

下表列举了资源目录中可授权的操作(Action)和资源(Resource)。

ActionResource
resourcemanager:InitResourceDirectoryacs:resourcemanager:*:<account_id>:*
resourcemanager:DestroyResourceDirectoryacs:resourcemanager:*:<account_id>:*
resourcemanager:GetResourceDirectoryacs:resourcemanager:*:<account_id>:*
resourcemanager:CreateResourceAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:CreateCloudAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:PromoteResourceAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:ResendCreateCloudAccountEmailacs:resourcemanager:*:<account_id>:*
resourcemanager:ResendPromoteResourceAccountEmailacs:resourcemanager:*:<account_id>:*
resourcemanager:CancelCreateCloudAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:CancelPromoteResourceAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:RemoveCloudAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:GetAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:MoveAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:ListAccountsForParentacs:resourcemanager:*:<account_id>:*
resourcemanager:ListAccountsacs:resourcemanager:*:<account_id>:*
resourcemanager:GetPayerForAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:UpdateAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:CreateFolderacs:resourcemanager:*:<account_id>:*
resourcemanager:DeleteFolderacs:resourcemanager:*:<account_id>:*
resourcemanager:GetFolderacs:resourcemanager:*:<account_id>:*
resourcemanager:ListFoldersForParentacs:resourcemanager:*:<account_id>:*
resourcemanager:ListAncestorsacs:resourcemanager:*:<account_id>:*
resourcemanager:UpdateFolderacs:resourcemanager:*:<account_id>:*
resourcemanager:InviteAccountToResourceDirectoryacs:resourcemanager:*:<account_id>:*
resourcemanager:GetHandshakeacs:resourcemanager:*:<account_id>:*
resourcemanager:AcceptHandshakeacs:resourcemanager:*:<account_id>:*
resourcemanager:CancelHandshakeacs:resourcemanager:*:<account_id>:*
resourcemanager:DeclineHandshakeacs:resourcemanager:*:<account_id>:*
resourcemanager:ListHandshakesForAccountacs:resourcemanager:*:<account_id>:*
resourcemanager:ListHandshakesForResourceDirectoryacs:resourcemanager:*:<account_id>:*
resourcemanager:ListTrustedServiceStatusacs:resourcemanager:*:<account_id>:*

资源共享鉴权列表

下表列举了资源共享中可授权的操作(Action)和资源(Resource)。

ActionResource
resourcesharing:EnableSharingWithResourceDirectoryacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:CreateResourceShareacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:UpdateResourceShareacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:DeleteResourceShareacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListResourceSharesacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:AssociateResourceShareacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:DisassociateResourceShareacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListResourceShareAssociationsacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListSharedResourcesacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListSharedTargetsacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:DescribeRegionsacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListResourceShareInvitationsacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:AcceptResourceShareInvitationacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:RejectResourceShareInvitationacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:AssociateResourceSharePermissionacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:DisassociateResourceSharePermissionacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListResourceSharePermissionsacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:GetPermissionacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListPermissionVersionsacs:resourcesharing:<region_id>:<account_id>:*
resourcesharing:ListPermissionsacs:resourcesharing:<region_id>:<account_id>:*

标签鉴权列表

下表列举了标签中可授权的操作(Action)和资源(Resource)。

ActionResource
tag:ListTagResourcesacs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>
tag:TagResources
  • acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>
  • acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id>
tag:UntagResources
  • acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>
  • acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id>
tag:ListTagKeysacs:tag:<region_id>:<account_id>:*/*
tag:ListTagValuesacs:tag:<region_id>:<account_id>:*/*
tag:CreateTagsacs:tag:<region_id>:<account_id>:*/*
tag:DeleteTagacs:tag:<region_id>:<account_id>:*/*