Before a RAM user can call the IMS API, the Alibaba Cloud account (the primary account) must create a permission policy and attach it to the RAM user. In the policy, the resources being authorized are identified by an Alibaba Cloud Resource Name (ARN).
The fields used in this topic are described below; replace each placeholder with its actual value.
- <account-id>: ID of the Alibaba Cloud account (primary account).
- <user-name>: name of the RAM user.
- <group-name>: name of the RAM user group.
- <saml-provider-name>: name of the identity provider.
- <app-name>: name of the OAuth application.
- <serial-number>: serial number of the virtual MFA device.
Authorization list for user management
The following table lists the actions (Action) and resources (Resource) that can be authorized for user management.
Action | Resource |
---|---|
ram:CreateUser | acs:ram:*:<account-id>:user/* |
ram:GetUser | acs:ram:*:<account-id>:user/<user-name> |
ram:UpdateUser | acs:ram:*:<account-id>:user/<user-name> |
ram:DeleteUser | acs:ram:*:<account-id>:user/<user-name> |
ram:ListUsers | acs:ram:*:<account-id>:user/* |
ram:ListUserBasicInfos | acs:ram:*:<account-id>:user/* |
ram:CreateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:GetLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:UpdateLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:DeleteLoginProfile | acs:ram:*:<account-id>:user/<user-name> |
ram:CreateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
ram:UpdateAccessKey | acs:ram:*:<account-id>:user/<user-name> |
ram:DeleteAccessKey | acs:ram:*:<account-id>:user/<user-name> |
ram:ListAccessKeys | acs:ram:*:<account-id>:user/<user-name> |
ram:GetAccessKeyLastUsed | acs:ram:*:<account-id>:user/<user-name> |
ram:CreateVirtualMFADevice | acs:ram:*:<account-id>:mfa/* |
ram:ListVirtualMFADevices | acs:ram:*:<account-id>:mfa/* |
ram:DeleteVirtualMFADevice | acs:ram:*:<account-id>:mfa/<serial-number> |
ram:DisableVirtualMFA | acs:ram:*:<account-id>:user/<user-name> |
ram:BindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
ram:UnbindMFADevice | acs:ram:*:<account-id>:user/<user-name> |
ram:GetAccountMFAInfo | acs:ram:*:<account-id>:* |
ram:GetUserMFAInfo | acs:ram:*:<account-id>:user/<user-name> |
ram:GetAccountSummary | acs:ram:*:<account-id>:* |
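The script below is an added example; it is not part of the Alibaba Cloud documentation or the RAM service. It turns a subset of the user-management table into a least-privilege policy document (a RAM user may manage only their own access keys and MFA binding) and checks requests against it. The account ID and user name are constructed placeholders, the request ARNs assume an empty region field, and the matcher implements only `*` wildcards with Deny overriding Allow, as a simplified illustration of how the Resource patterns scope a grant rather than the RAM policy engine itself.

```python
# Added example; not from the Alibaba Cloud documentation or the RAM service code.
# It builds a RAM policy document from actions in the user-management table and
# checks requests against it with a simplified ARN matcher. The matcher only
# implements '*' wildcards and explicit Deny-over-Allow; it is an illustration of
# how the Resource patterns scope a grant, not the RAM policy engine itself.
import json
import re
from typing import Dict, List, Union

# Constructed placeholder values; replace with the real account ID and user name.
ACCOUNT_ID = "1234567890123456"
USER_NAME = "alice"


def ram_arn(account_id: str, resource: str) -> str:
    """Build a RAM ARN in the form used throughout the tables above."""
    return f"acs:ram:*:{account_id}:{resource}"


def self_service_policy(account_id: str, user_name: str) -> Dict:
    """Least-privilege policy: a user may manage only their own access keys and MFA.

    The Resource for every per-user action is the user's own ARN, not user/*,
    so the grant cannot reach other RAM users' credentials.
    """
    own_user = ram_arn(account_id, f"user/{user_name}")
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:GetUser",
                    "ram:CreateAccessKey",
                    "ram:UpdateAccessKey",
                    "ram:DeleteAccessKey",
                    "ram:ListAccessKeys",
                    "ram:GetAccessKeyLastUsed",
                    "ram:BindMFADevice",
                    "ram:UnbindMFADevice",
                    "ram:GetUserMFAInfo",
                ],
                "Resource": [own_user],
            },
            {
                # Virtual MFA devices are addressed as mfa/<serial-number>; the
                # serial is unknown before creation, so the table uses mfa/*.
                "Effect": "Allow",
                "Action": ["ram:CreateVirtualMFADevice", "ram:ListVirtualMFADevices"],
                "Resource": [ram_arn(account_id, "mfa/*")],
            },
        ],
    }


def matches(pattern: str, value: str) -> bool:
    """Match an Action/Resource pattern where '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(field: Union[str, List[str]]) -> List[str]:
    return field if isinstance(field, list) else [field]


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow
    permits, and a request matching no statement is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(matches(a, action) for a in _as_list(stmt["Action"]))
        hit_resource = any(matches(r, resource) for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def covered_users(resource_pattern: str, user_arns: List[str]) -> List[str]:
    """List which user ARNs a Resource pattern reaches; useful when reviewing a
    policy that uses user/* instead of a named user."""
    return [arn for arn in user_arns if matches(resource_pattern, arn)]


if __name__ == "__main__":
    policy = self_service_policy(ACCOUNT_ID, USER_NAME)
    print(json.dumps(policy, indent=2))
    # Constructed request ARNs; RAM is a global service, so the region field is empty.
    own = f"acs:ram::{ACCOUNT_ID}:user/{USER_NAME}"
    other = f"acs:ram::{ACCOUNT_ID}:user/bob"
    print("alice on own keys:", is_allowed(policy, "ram:CreateAccessKey", own))
    print("alice on bob's keys:", is_allowed(policy, "ram:CreateAccessKey", other))
    print("user/* reaches:", covered_users(ram_arn(ACCOUNT_ID, "user/*"), [own, other]))
```

When reviewing a policy, `covered_users` makes the difference between `user/<user-name>` and `user/*` concrete: the first form reaches exactly one RAM user, the second reaches every user in the account, including any created later.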
Authorization list for user group management
The following table lists the actions (Action) and resources (Resource) that can be authorized for user group management.
Action | Resource |
---|---|
ram:CreateGroup | acs:ram:*:<account-id>:group/* |
ram:GetGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:UpdateGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:DeleteGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:ListGroups | acs:ram:*:<account-id>:group/* |
ram:AddUserToGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:AddUserToGroup | acs:ram:*:<account-id>:user/<user-name> |
ram:RemoveUserFromGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:RemoveUserFromGroup | acs:ram:*:<account-id>:user/<user-name> |
ram:ListUsersForGroup | acs:ram:*:<account-id>:group/<group-name> |
ram:ListGroupsForUser | acs:ram:*:<account-id>:user/<user-name> |
Authorization list for single sign-on (SSO) management
The following table lists the actions (Action) and resources (Resource) that can be authorized for single sign-on (SSO) management.
Action | Resource |
---|---|
ram:SetUserSsoSettings | acs:ram:*:<account-id>:* |
ram:GetUserSsoSettings | acs:ram:*:<account-id>:* |
ram:CreateSAMLProvider | acs:ram:*:<account-id>:saml-provider/* |
ram:GetSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
ram:UpdateSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
ram:ListSAMLProviders | acs:ram:*:<account-id>:saml-provider/* |
ram:DeleteSAMLProvider | acs:ram:*:<account-id>:saml-provider/<saml-provider-name> |
Authorization list for OAuth management
The following table lists the actions (Action) and resources (Resource) that can be authorized for OAuth management.
Action | Resource |
---|---|
ram:CreateApplication | acs:ram:*:<account-id>:application/* |
ram:GetApplication | acs:ram:*:<account-id>:application/<app-name> |
ram:UpdateApplication | acs:ram:*:<account-id>:application/<app-name> |
ram:DeleteApplication | acs:ram:*:<account-id>:application/<app-name> |
ram:ListApplications | acs:ram:*:<account-id>:application/* |
ram:CreateAppSecret | acs:ram:*:<account-id>:application/<app-name> |
ram:GetAppSecret | acs:ram:*:<account-id>:application/<app-name> |
ram:DeleteAppSecret | acs:ram:*:<account-id>:application/<app-name> |
ram:ListAppSecretIds | acs:ram:*:<account-id>:application/<app-name> |
Authorization list for security settings
The following table lists the actions (Action) and resources (Resource) that can be authorized for security settings.
Action | Resource |
---|---|
ram:SetPasswordPolicy | acs:ram:*:<account-id>:* |
ram:GetPasswordPolicy | acs:ram:*:<account-id>:* |
ram:SetSecurityPreference | acs:ram:*:<account-id>:* |
ram:GetSecurityPreference | acs:ram:*:<account-id>:* |
ram:SetDefaultDomain | acs:ram:*:<account-id>:* |
ram:GetDefaultDomain | acs:ram:*:<account-id>:* |
ram:GenerateCredentialReport | acs:ram:*:<account-id>:* |
ram:GetCredentialReport | acs:ram:*:<account-id>:* |
ram:GetAccountSecurityPracticeReport | acs:ram:*:<account-id>:* |