Before a Resource Access Management (RAM) user can call Alibaba Cloud APIs, the root account (the Alibaba Cloud account) must grant permissions to the RAM user by creating an authorization policy.
Resource authorization
By default, RAM users do not have permissions to create or modify cloud resources by calling Alibaba Cloud APIs. To grant permissions, you can create an authorization policy and attach it to the RAM user.
When you create an authorization policy, you must specify the resources to authorize using their Alibaba Cloud Resource Names (ARNs). An ARN is a globally unique name that Alibaba Cloud defines for each resource.
The ARN format is as follows.
acs:service-name:region:account-id:resource-relative-id
Where:
acs: An abbreviation for Alibaba Cloud Service. This indicates the Alibaba Cloud public cloud platform.
service-name: The name of the Alibaba Cloud service, such as ECS, OSS, or SLB.
region: The region. If a resource does not support regions, use a wildcard character (*).
account-id: The ID of the Alibaba Cloud account, such as 123456789012****.
resource-relative-id: The description of the specific resource. The format of the resource description varies by Alibaba Cloud product. For more information, see the documentation for each product.
For example, acs:oss::123456789012****:sample_bucket/file1.txt indicates an object named sample_bucket/file1.txt in Object Storage Service (OSS). The ID of the Alibaba Cloud account that owns the object is 123456789012****.
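As an added example (not code from the Alibaba Cloud documentation), the following Python parses ARNs in the format above, rejects malformed ones before they reach a policy, and flags statements whose resource-relative-id is a bare wildcard, which is worth reviewing against least privilege. The policy document layout (Version, Statement, Effect, Action, Resource) and the ECS instance ARN are assumptions of this example.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Arn:
    """Fields of acs:service-name:region:account-id:resource-relative-id (acs prefix dropped)."""
    service: str
    region: str
    account_id: str
    resource: str

def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; only the first four colons are separators,
    so a resource-relative-id that itself contains ':' is kept intact."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"not an Alibaba Cloud ARN: {arn!r}")
    _, service, region, account_id, resource = parts
    if not service or not resource:
        raise ValueError(f"service-name and resource-relative-id are required: {arn!r}")
    return Arn(service, region, account_id, resource)

def is_valid_arn(arn: str) -> bool:
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False

def allow_statement(actions: list[str], arns: list[str]) -> dict:
    """One Allow statement; malformed ARNs are rejected before entering the policy.
    The statement layout (Effect/Action/Resource) is an assumption of this example."""
    bad = [a for a in arns if not is_valid_arn(a)]
    if bad:
        raise ValueError(f"malformed ARN(s): {bad}")
    return {"Effect": "Allow", "Action": list(actions), "Resource": list(arns)}

def broad_resources(statement: dict) -> list[str]:
    """ARNs whose resource-relative-id is a bare '*': they cover every resource of
    that service for the account, so each one deserves an explicit review."""
    return [a for a in statement["Resource"] if parse_arn(a).resource == "*"]

def policy_document(statements: list[dict]) -> str:
    """Serialize statements as a RAM policy document (Version '1' assumed)."""
    return json.dumps({"Version": "1", "Statement": list(statements)}, indent=2)

if __name__ == "__main__":
    # Constructed sample using the OSS object ARN from the text above.
    stmt = allow_statement(["oss:GetObject"], ["acs:oss::123456789012****:sample_bucket/file1.txt"])
    print(policy_document([stmt]))
```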
Authorizable Container Service for Kubernetes resource types
| Resource type | Resource description format in an authorization policy |
| --- | --- |
| Grant permissions on a single cluster | |
| Grant permissions on multiple clusters | |
| Grant permissions on all clusters | |