Resource Access Management (RAM) policies control what actions RAM users can perform on Enterprise Distributed Application Service (EDAS) resources. Each policy maps an action to a resource Alibaba Cloud Resource Name (ARN) with an Allow or Deny effect.
This topic lists all EDAS actions, resource ARN formats, and JSON policy examples for common permission scenarios.
Resource ARN format
Each EDAS resource is identified by an ARN:
acs:edas:<region-id>:<account-id>:<resource-path>The following table lists all EDAS resource types and their ARN patterns.
| Resource type | ARN pattern |
|---|---|
| Microservices namespace | acs:edas:$regionid:$accountid:namespace/$namespace |
| Cluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
| Application | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| Configuration | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId |
| System (global) | acs:edas:$regionid:$accountid:* |
Resource variables
| Variable | Description | Where to find it |
|---|---|---|
$regionid | Region where the resource is deployed, such as cn-shanghai. For more information, see Regions and zones. | N/A |
$namespace | Microservices namespace ID. | In the EDAS console, go to Resource Management > Microservice Namespaces. The ID is shown on the Microservices Namespace page.  |
$clusterId | Cluster ID, such as 8c349f69-505c-436f-8dc7-**********. | In the EDAS console, go to Resource Management > ECS Clusters. Click a cluster ID in the Cluster ID/Name column to open the Cluster Details page.  |
$applicationId | Application ID, such as ec8e38a3-3dca-47a7-b6f9-5**********. | In the EDAS console, go to Application Management > Applications. Click an application name, then find the ID on the Basic Information tab.  |
Wildcards
Use an asterisk (*) in place of a specific ID to match all resources of that type:
namespace/*-- all microservices namespaces in a regionnamespace/$namespace/cluster/*-- all clusters in a namespacenamespace/*/application/*-- all applications across all namespaces in a region
Actions reference
The tables below list the actions for each resource category, their dependent actions, and the target resource ARN.
Microservices namespace management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 1.1 | Create a namespace | edas:CreateNamespace | -- | acs:edas:$regionid:$accountid:namespace/* |
| 1.2 | Delete a namespace | edas:DeleteNamespace | edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace |
| 1.4 | Modify a namespace | edas:ManageNamespace | edas:ReadNamespace | acs:edas:$regionid:$accountid:namespace/$namespace |
| 1.5 | View namespace details | edas:ReadNamespace | -- | acs:edas:$regionid:$accountid:namespace/$namespace |
Cluster management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 2.1 | Create a cluster | edas:CreateCluster | -- | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/* |
| 2.2 | Delete a cluster | edas:DeleteCluster | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
| 2.3 | View cluster details | edas:ReadCluster | -- | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
| 2.4 | Manage a cluster | edas:ManageCluster | edas:ReadCluster | acs:edas:$regionid:$accountid:namespace/$namespace/cluster/$clusterId |
Application management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 3.1 | Create an application | edas:CreateApplication | -- | acs:edas:$regionid:$accountid:namespace/$namespace/application/* |
| 3.2 | Delete an application | edas:DeleteApplication | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 3.3 | View application details | edas:ReadApplication | -- | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 3.4 | Manage an application | edas:ManageApplication | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 3.5 | Configure an application (port, Tomcat context, load balancing, health check, JVM, Intra-zone Provider First) | edas:ConfigApplication | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 3.6 | Manage application logs | edas:ManageAppLog | edas:ReadApplication | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
Microservices management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 4.1 | View microservices | edas:ReadService | -- | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 4.2 | Test microservices | edas:TestService | -- | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
| 4.3 | Manage microservices | edas:ManageService | edas:ReadService | acs:edas:$regionid:$accountid:namespace/$namespace/application/$applicationId |
Configuration management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 5.1 | View configurations | acms:R | -- | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId |
| 5.2 | Manage configurations | acms:* | -- | acs:acms:$regionid:$accountid:cfg/$namespace/$groupId/$configId |
System management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 6.1 | Manage the EDAS system | edas:ManageSystem | -- | acs:edas:$regionid:$accountid:* |
| 6.2 | View operation logs | edas:ReadOperationLog | -- | acs:edas:$regionid:$accountid:* |
| 6.3 | Perform system O&M operations | edas:ManageOperation | -- | acs:edas:$regionid:$accountid:* |
| 6.4 | Purchase ECS instances | edas:ECSPurchase | -- | acs:edas:*:*:* |
| 6.5 | Purchase SLB instances | edas:SLBPurchase | -- | acs:edas:*:*:* |
| 6.6 | Purchase Simple Log Service projects | edas:SLSPurchase | -- | acs:edas:*:*:* |
Commercial feature management
| Code | Operation | Action | Dependent action | Resource |
|---|---|---|---|---|
| 7 | Manage commercially available EDAS features | edas:ManageCommercialization | -- | acs:edas:$regionid:$accountid:* |
Policy examples
All policies use "Version": "1". Replace variables ($regionid, $namespace, $clusterId, $applicationId) with actual values. Set a variable to * to match all resources of that type.
Application policies
Single application
Manage an application (without create or delete permissions)
Allows viewing, configuring, and managing logs for a specific application, while explicitly denying creation and deletion.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:*Application"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
},
{
"Action": ["edas:DeleteApplication"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"],
"Effect": "Deny"
},
{
"Action": ["edas:CreateApplication"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/*"],
"Effect": "Deny"
}
]
}Create an application
Creating an application requires a cluster instance. Include ReadCluster alongside CreateApplication.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:CreateApplication", "edas:ReadCluster"],
"Effect": "Allow",
"Resource": [
"acs:edas:$regionid:*:namespace/$namespace/application/*",
"acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"
]
}
]
}Delete an application
Include ReadApplication so the RAM user can locate the application before deleting it.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:DeleteApplication", "edas:ReadApplication"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
}
]
}Manage application logs
Include ReadApplication so the RAM user can locate the application.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadApplication", "edas:ManageAppLog"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
}
]
}Configure an application
Covers the application port, Tomcat context, load balancing, health check, JVM parameters, and Intra-zone Provider First.
Include ReadApplication so the RAM user can access the application settings.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadApplication", "edas:ConfigApplication"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
}
]
}Multiple applications
Query applications across all namespaces in a region
A region may contain multiple microservices namespaces. This policy grants read access to applications in all namespaces within the specified region.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadApplication"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/*/application/*"]
}
]
}Manage all applications in a namespace
Grants full application permissions and cluster read access within a specific namespace.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:*Application", "edas:ReadCluster"],
"Effect": "Allow",
"Resource": [
"acs:edas:$regionid:*:namespace/$namespace/application/*",
"acs:edas:$regionid:*:namespace/$namespace/cluster/*"
]
}
]
}Cluster policies
Create clusters
The Resource value must end with cluster/* to allow cluster creation.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:CreateCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
"Effect": "Allow"
}
]
}View cluster details
Read-only access to a cluster, including its instances and applications.
Assign permissions on a resource group to let a RAM user view all clusters in that group.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
}
]
}Full cluster management
Allows creating, adding instances to, modifying, and deleting a cluster.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
}
]
}To restrict specific operations, add explicit Deny statements:
Allow management but deny creation:
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
},
{
"Action": ["edas:CreateCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
"Effect": "Deny"
}
]
}Allow management but deny both creation and deletion:
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
},
{
"Action": ["edas:CreateCluster", "edas:DeleteCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/*"],
"Effect": "Deny"
}
]
}Set $clusterId to a specific cluster ID to restrict management to that cluster. Set it to * to allow management of all clusters in the namespace.
Delete clusters
Requires both ReadCluster (to locate the cluster) and DeleteCluster.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadCluster", "edas:DeleteCluster"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/cluster/$clusterId"],
"Effect": "Allow"
}
]
}Microservices namespace policies
Create microservices namespaces
The Resource value must end with namespace/* to allow namespace creation.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:CreateNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/*"],
"Effect": "Allow"
}
]
}View microservices namespaces
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
"Effect": "Allow"
}
]
}Manage microservices namespaces
Allows modifying or renaming a microservices namespace.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
"Effect": "Allow"
}
]
}Delete microservices namespaces
Requires both ReadNamespace (to locate the namespace) and DeleteNamespace.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadNamespace", "edas:DeleteNamespace"],
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"],
"Effect": "Allow"
}
]
}Microservices policies
View microservices
Set $applicationId to * to grant access to all microservices in the namespace.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadService"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
}
]
}Test microservices
Set both $namespace and $applicationId to * to allow testing across all namespaces.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:TestService"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
}
]
}Manage microservices
Set $applicationId to * to grant management access to all microservices in the namespace.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageService"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace/application/$applicationId"]
}
]
}Remove outlier instances
Removing an outlier instance affects all applications in the microservices namespace. This permission can only be scoped to the namespace level.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageService"],
"Effect": "Allow",
"Resource": ["acs:edas:$regionid:*:namespace/$namespace"]
}
]
}Resource purchase policies
The
Resourcevalue for all purchase policies must beacs:edas:*:*:*. Finer-grained resource scoping is not supported.Purchase policies apply only to RAM users.
Purchase ECS instances
Applicable when purchasing ECS instances in a cluster, creating an application in an ECS cluster, or scaling out an application.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": ["edas:ECSPurchase"],
"Resource": ["acs:edas:*:*:*"]
}
]
}Purchase SLB instances
Applicable when binding an SLB instance to an application.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": ["edas:SLBPurchase"],
"Resource": ["acs:edas:*:*:*"]
}
]
}Purchase Simple Log Service resources
Applicable when provisioning Log Service resources for an application.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": ["edas:SLSPurchase"],
"Resource": ["acs:edas:*:*:*"]
}
]
}System policies
System policies are not scoped to specific resources. Set the Resource value to acs:edas:*:*:*.
Full system management
Grants permissions to manage RAM users, view resource usage, and view operation logs.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageSystem"],
"Resource": ["acs:edas:*:*:*"],
"Effect": "Allow"
}
]
}System O&M
Grants permissions to view operation logs, perform one or more O&M tasks at a time, and manage resource groups.
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ManageOperation"],
"Resource": ["acs:edas:*:*:*"],
"Effect": "Allow"
}
]
}View operation logs
{
"Version": "1",
"Statement": [
{
"Action": ["edas:ReadOperationLog"],
"Resource": ["acs:edas:*:*:*"],
"Effect": "Allow"
}
]
}