RAM authorization-Elastic Compute Service(ECS)-阿里云帮助中心

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by placeholder-${productName} for RAM permission policies. The RAM code (RamCode) for placeholder-${productName} is placeholder-${ramCodes?join(",")}, and the supported authorization granularity is placeholder-${ramLevel}.

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by placeholder-${productName}. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
ecs:ReleaseDedicatedHost	ReleaseDedicatedHost	delete	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:ModifyDedicatedHostAutoRenewAttribute	ModifyDedicatedHostAutoRenewAttribute	update	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:DescribeDedicatedHostClusters	DescribeDedicatedHostClusters	get	DedicatedHostCluster `acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}` DedicatedHostCluster `acs:ecs:{#regionId}:{#accountId}:ddhcluster/*`	None	None
ecs:AllocateDedicatedHosts	AllocateDedicatedHosts	create	DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/`	None	None
ecs:EnableNetworkInterfaceQoS	EnableNetworkInterfaceQoS	update	*NetworkInterface `acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}`	None	None
ecs:DeletePlanMaintenanceWindow	DeletePlanMaintenanceWindow	delete	All Resources ``	None	None
ecs:DescribeDedicatedHosts	DescribeDedicatedHosts	get	DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/*` DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:DescribeDedicatedHostAutoRenew	DescribeDedicatedHostAutoRenew	get	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:CreatePlanMaintenanceWindow	CreatePlanMaintenanceWindow	create	All Resources ``	None	None
ecs:ModifyDedicatedHostAttribute	ModifyDedicatedHostAttribute	update	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}` DedicatedHostCluster `acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}`	None	None
ecs:RedeployDedicatedHost	RedeployDedicatedHost	update	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:DisableNetworkInterfaceQoS	DisableNetworkInterfaceQoS	update	*NetworkInterface `acs:ecs:{#regionId}:{#accountId}:eni/{#eniId}`	None	None
ecs:ModifyDedicatedHostsChargeType	ModifyDedicatedHostsChargeType	update	All Resources ``	None	None
ecs:DescribePlanMaintenanceWindows	DescribePlanMaintenanceWindows	list	All Resources ``	None	None
ecs:ModifyDedicatedHostClusterAttribute	ModifyDedicatedHostClusterAttribute	update	*ddhcluster `acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}`	None	None
ecs:CreateDedicatedHostCluster	CreateDedicatedHostCluster	create	All Resources ``	None	None
ecs:ModifyDedicatedHostAutoReleaseTime	ModifyDedicatedHostAutoReleaseTime	update	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:ModifyPlanMaintenanceWindow	ModifyPlanMaintenanceWindow	update	All Resources ``	None	None
ecs:RenewDedicatedHosts	RenewDedicatedHosts	update	*DedicatedHost `acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}`	None	None
ecs:DeleteDedicatedHostCluster	DeleteDedicatedHostCluster	delete	*DedicatedHostCluster `acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}`	None	None

Resource

The following table lists the resources defined by placeholder-${productName}. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
DedicatedHost	acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} acs:ecs:{#regionId}:{#accountId}:ddh/*
Instance	acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} acs:ecs:{#regionId}:{#accountId}:instance/* acs:vpc:{#regionId}:{#accountId}:instance/{#InstanceId}
AutoSnapshotPolicy	acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/* acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
Image	acs:ecs:{#regionId}:{#accountId}:image/{#imageId} acs:ecs:{#regionId}:{#accountId}:image/*
KeyPair	acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName} acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId} acs:ecs:{#regionId}:{#accountId}:keypair/*
SecurityGroup	acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} acs:ecs:{#regionId}:{#accountId}:securitygroup/*
PortRangeList	acs:ecs:{#regionId}:{#accountId}:portrangelist/* acs:ecs:{#regionId}:{#accountId}:portrangelist/{#portRangeListId}
ReservedInstance	acs:ecs:{#regionId}:{#accountId}:reservedinstance/* acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#ReservedInstanceId}
Snapshot	acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} acs:ecs:{#regionId}:{#accountId}:snapshot/* acs:ecs::{#accountId}:snapshot/* acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#autoSnapshotPolicyId}
LaunchTemplate	acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} acs:ecs:{#regionId}:{#accountId}:launchtemplate/*
Disk	acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} acs:ecs:{#regionId}:{#accountId}:disk/* acs:ecs:{#regionId}:{#accountId}:disk/{#SourceDiskId}
NetworkInterface	acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} acs:ecs:{#regionId}:{#accountId}:eni/*
DedicatedHostCluster	acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} acs:ecs:{#regionId}:{#accountId}:ddhcluster/*
ImagePipeline	acs:ecs:{#regionId}:{#accountId}:imagepipeline/* acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId}
Command	acs:ecs:{#regionId}:{#accountId}:command/{#commandId} acs:ecs:{#regionId}:{#accountId}:command/*
VSwitch	acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId} acs:vpc:{#regionId}:{#accountId}:vswitch/*
CapacityReservation	acs:ecs:{#regionId}:{#accountId}:capacityreservation/{#CapacityReservationId} acs:ecs:{#regionId}:{#accountId}:capacityreservation/*
PrefixList	acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}
VPC	acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} acs:vpc:{#regionId}:{#accountId}:vpc/*
Role	acs:ram:{#regionId}:{#accountId}:role/{#roleName}
ElasticityAssurance	acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} acs:ecs:{#regionId}:{#accountId}:elasticityassurance/*
snapshotpolicy	acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId}
DiskEncryptionDefaultConfig	acs:ecs:{#regionId}:{#accountId}:diskencryptiondefaultconfig/*
Activation	acs:ecs:{#regionId}:{#accountId}:activation/* acs:ecs:{#regionId}:{#accountId}:activation/{#ActivationId}
SnapshotGroup	acs:ecs:{#regionId}:{#accountId}:snapshotgroup/* acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId}
StorageCapacityUnit	acs:ecs:{#regionId}:{#accountId}:scu/* acs:ecs:{#regionId}:{#accountId}:scu/{#scuId}
AutoProvisioningGroup	acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId} acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/*
Invocation	acs:ecs:{#regionId}:{#accountId}:invocation/{#invocationId}
ddhcluster	acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} acs:ecs:{#regionId}:{#accountId}:ddhcluster/*
DeploymentSet	acs:ecs:{#regionid}:{#accountId}:deploymentset/{#deploymentSetId} acs:ecs:{#regionId}:{#accountId}:deploymentset/*
HpcCluster	acs:ecs:{#regionId}:{#accountId}:hpc/{#hpcClusterId} acs:ecs:{#regionId}:{#accountId}:hpc/*
ServiceSettings	acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId}
activation	acs:ecs:{#regionId}:{#accountId}:activation/{#activationId}
autoprovisioninggroup	acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId}
ImageComponent	acs:ecs:{#regionId}:{#accountId}:imagecomponent/* acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId}
Fleet	acs:ecs:{#regionId}:{#accountId}:fleet/*
ImagePipelineExecution	acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/* acs:ecs:{#regionId}:{#accountId}:imagepipelineexecution/{#ImagePipelineExecutionId}
ForwardTable	acs:vpc:{#regionId}:{#accountId}:forwardtable/{#ForwardTableId}
RouterInterface	acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} acs:vpc:{#regionId}:{#accountId}:routerinterface/*
HaVip	acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} acs:vpc:{#regionId}:{#accountId}:havip/*
PhysicalConnection	acs:vpc:{#regionId}:{#accountId}:physicalconnection/{#PhysicalConnectionId} acs:vpc:{#regionId}:{#accountId}:physicalconnection/*
VirtualBorderRouter	acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VirtualBorderRouterId} acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VbrId} acs:vpc:{#regionId}:{#AccountId}:virtualborderrouter/*
Address	acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId} acs:vpc:{#regionId}:{#accountId}:eip/*
NatGateway	acs:vpc:{#regionId}:{#accountId}:natgateway/{#natgatewayid} acs:vpc:{#regionId}:{#accountId}:natgateway/*
RouteTable	acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId}
BandwidthPackage	acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/{#BandwidthPackageId} acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/*
VRouter	acs:vpc:{#regionId}:{#accountId}:vrouter/* acs:vpc:{#regionId}:{#accountId}:vrouter/{#VRouterId}
Association	acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId}

Condition

The following table lists the product-level condition keys defined by placeholder-${productName}. You can also use Alibaba Cloud's Common condition keys. Specify these keys in the Condition element of RAM policy statements to define granular authorization rules. In the condition key, specify the condition values in the Condition_value element of the policy.

Each condition key has a specific data type, such as string, number, Boolean, or IP address. The data type determines which conditional operators can be used to compare the request values against policy values. You must specify the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition operator for valid combinations.

Condition key	Description	Data type
ecs:ImagePlatform	Operating system type of the image	String
ecs:SecurityEnhancementStrategy	Whether to enable security enhancement.	String
vpc:CreateDefaultVpc	Whether a default VPC can be created	Boolean
ecs:AssociatePublicIpAddress	Whether to support public IP address allocation during resource creation or configuration changes, that is, whether to allow the public network bandwidth to be greater than 0 Mbit/s.	Boolean
ecs:PasswordInherit	Whether the instance inherits the image password.	Boolean
vpc:IsDefaultVSwitch	Whether it is the default vSwitch and whether the default vSwitch can be used	Boolean
ecs:IsSystemDiskEncrypted	Whether it is an encrypted system disk	String
ecs:IsSystemDiskByokEncrypted	Whether the system disk is encrypted by a customer master key.	String
ecs:ImageSource	Image source	String
ecs:PasswordCustomized	Whether a custom password is used	Boolean
ecs:CommandRunAs	The user in the operating system that runs Cloud Assistant commands	String
ecs:SecurityHardeningMode	Whether to enforce hardened mode (IMDSv2) when accessing instance metadata	Boolean
ecs:SecurityGroupSourceCidrIps	The source IPv4 CIDR block of the security group that has access permissions	Array
vpc:VPC	The resource ARN of the VPC. Example: acs:vpc:cn-shanghai:1234567890:vpc/vpc-abc0123efg4567***	String
ecs:IsDiskEncrypted	Whether it is an encrypted data disk	String
ecs:InstanceTypeFamily	Instance family	String
ecs:InstanceChargeType	The billing method of the instance	String
ecs:ImageOwnerId	The owner UID of the image.	String
ecs:SecurityGroupIpProtocols	The transport layer protocol of the security group	Array
vpc:IsDefaultVpc	Whether it is the default VPC	Boolean
ecs:LoginAsNonRoot	Whether to log on to the instance as a non-root user	Boolean
ecs:IsDiskByokEncrypted	Whether the data disk is encrypted by a customer master key.	String
ecs:InstanceType	Instance type	String
ecs:NotSpecifySecurityGroupId	Whether the security group ID is not specified	Boolean

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: