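RAM authorization

Before a RAM user can call the Resource Management API, the Alibaba Cloud account (the primary account) must create a policy and grant it to the RAM user. In the policy, the resources being authorized are specified with an ARN (Aliyun Resource Name).

The fields used in Resource have the following meanings. Replace them with actual values when you use them.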

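  • <account_id>: the ID of the Alibaba Cloud account (the primary account).

  • <resourcegroup_id>: the resource group ID.

  • <policy_name>: the policy name.

  • <role_name>: the RAM role name.

  • <resource_type>: the resource type.

  • <resource_id>: the resource ID.

  • <region_id>: the region ID.

  • <product>: the cloud service code.

  • <handshake_id>: the member invitation ID.

  • <policy_id>: the control policy ID.

  • <resource_directory_path>: the RDPath, which is the location of a folder or member in the resource directory.

  • <contact_id>: the message notification contact ID.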

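Required resource types are shown in bold.

Resource group authorization list

The following table lists the operations (Action) and resources (Resource) that can be authorized in resource groups.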

Action

Resource

ram:CreateResourceGroup

acs:ram:*:<account_id>:resourcegroup/*

ram:DeleteResourceGroup

acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>

ram:UpdateResourceGroup

acs:ram:*:<account_id>:resourcegroup/<resourcegroup_id>

ram:CreatePolicy

acs:ram:*:<account_id>:policy/*

ram:DeletePolicy

acs:ram:*:<account_id>:policy/<policy_name>

ram:ListPolicies

acs:ram:*:<account_id>:policy/*

ram:GetPolicy

acs:ram:*:<account_id>:policy/<policy_name>

ram:CreatePolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:DeletePolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:ListPolicyVersions

acs:ram:*:<account_id>:policy/<policy_name>

ram:GetPolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:SetDefaultPolicyVersion

acs:ram:*:<account_id>:policy/<policy_name>

ram:AttachPolicy

  • Policy:

    acs:ram:*:system:policy/<policy_name> or acs:ram:*:<account_id>:policy/<policy_name>

  • IMSUser:

    acs:ims:*:<account_id>:user/*

  • IMSGroup:

    acs:ims:*:<account_id>:group/*

  • ServiceRole:

    acs:ram:*:<account_id>:role/*

ram:DetachPolicy

  • Policy:

    acs:ram:*:system:policy/<policy_name> or acs:ram:*:<account_id>:policy/<policy_name>

  • IMSUser:

    acs:ims:*:<account_id>:user/*

  • IMSGroup:

    acs:ims:*:<account_id>:group/*

  • ServiceRole:

    acs:ram:*:<account_id>:role/*

ram:ListPolicyAttachments

acs:ram:*:<account_id>:*

ram:CreateRole

acs:ram:*:<account_id>:role/*

ram:GetRole

acs:ram:*:<account_id>:role/<role_name>

ram:ListRoles

acs:ram:*:<account_id>:role/*

ram:UpdateRole

acs:ram:*:<account_id>:role/<role_name>

ram:DeleteRole

acs:ram:*:<account_id>:role/<role_name>

ram:CreateServiceLinkedRole

acs:ram:*:<account_id>:role/*

ram:DeleteServiceLinkedRole

acs:ram:*:<account_id>:role/<role_name>

ram:GetServiceLinkedRoleDeletionStatus

acs:ram:*:<account_id>:role/<role_name>

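Resource directory authorization list

The following table lists the operations (Action) and resources (Resource) that can be authorized in the resource directory.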

Action

Resource

resourcemanager:AcceptHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:AttachControlPolicy

  • ControlPolicy

    acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:BindSecureMobilePhone

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:CancelHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:CheckAccountDelete

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:CreateCloudAccount

acs:resourcemanager:*:<account_id>:*

resourcemanager:CreateControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:CreateFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:CreateResourceAccount

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:DeclineHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:DeleteAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:DeleteControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:DeleteFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:DeregisterDelegatedAdministrator

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:DestroyResourceDirectory

acs:resourcemanager:*:<account_id>:*

resourcemanager:DetachControlPolicy

  • ControlPolicy

    acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:DisableControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:EnableControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:EnableResourceDirectory

acs:resourcemanager:*:<account_id>:*

resourcemanager:GetAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetAccountDeletionCheckResult

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetAccountDeletionStatus

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:GetControlPolicyEnablementStatus

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:GetFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:GetHandshake

acs:resourcemanager:*:<account_id>:handshake/<handshake_id>

resourcemanager:GetPayerForAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:GetResourceDirectory

acs:resourcemanager:*:<account_id>:*

resourcemanager:InviteAccountToResourceDirectory

  • Handshake

    acs:resourcemanager:*:<account_id>:handshake/*

  • Folder

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListAccounts

acs:resourcemanager:*:<account_id>:account/*

resourcemanager:ListAccountsForParent

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListAncestors

acs:resourcemanager:*:<account_id>:folder/*

resourcemanager:ListControlPolicies

acs:resourcemanager:*:<account_id>:policy/controlpolicy/*

resourcemanager:ListControlPolicyAttachmentsForTarget

  • ControlPolicy

    acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListDelegatedAdministrators

acs:resourcemanager:*:<account_id>:account/*

resourcemanager:ListDelegatedServicesForAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:ListFoldersForParent

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:ListHandshakesForAccount

acs:resourcemanager:*:<account_id>:handshake/*

resourcemanager:ListHandshakesForResourceDirectory

acs:resourcemanager:*:<account_id>:handshake/*

resourcemanager:ListTagKeys

acs:resourcemanager:*:<account_id>:*

resourcemanager:ListTagResources

acs:resourcemanager:*:<account_id>:*

resourcemanager:ListTagValues

acs:resourcemanager:*:<account_id>:*

resourcemanager:ListTargetAttachmentsForControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:ListTrustedServiceStatus

acs:resourcemanager:*:<account_id>:*

resourcemanager:MoveAccount

  • Account

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • Folder

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:PromoteResourceAccount

acs:resourcemanager:*:<account_id>:*

resourcemanager:RegisterDelegatedAdministrator

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:RemoveCloudAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:SendVerificationCodeForBindSecureMobilePhone

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:SendVerificationCodeForEnableRD

acs:resourcemanager:*:<account_id>:*

resourcemanager:TagResources

acs:resourcemanager:*:<account_id>:*

resourcemanager:UntagResources

acs:resourcemanager:*:<account_id>:*

resourcemanager:UpdateAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:UpdateControlPolicy

acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>

resourcemanager:UpdateFolder

acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

resourcemanager:AddMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/*

resourcemanager:CancelMessageContactUpdate

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:DeleteMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:GetMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:GetMessageContactDeletionStatus

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:ListMessageContacts

acs:resourcemanager:*:<account_id>:messagecontact/*

resourcemanager:ListMessageContactVerifications

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:SendEmailVerificationForMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:SendPhoneVerificationForMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:UpdateMessageContact

acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:AssociateMembers

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • MessageContact:

    acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:DisassociateMembers

  • Folder:

    acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>

  • Account:

    acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

  • MessageContact:

    acs:resourcemanager:*:<account_id>:messagecontact/<contact_id>

resourcemanager:CancelChangeAccountEmail

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:ChangeAccountEmail

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:RetryChangeAccountEmail

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

resourcemanager:PrecheckForConsolidatedBillingAccount

acs:resourcemanager:*:<account_id>:account/<resource_directory_path>

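Resource sharing authorization list

The following table lists the operations (Action) and resources (Resource) that can be authorized in resource sharing.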

Action

Resource

resourcesharing:EnableSharingWithResourceDirectory

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:CreateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:UpdateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DeleteResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceShares

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:AssociateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DisassociateResourceShare

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceShareAssociations

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListSharedResources

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListSharedTargets

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DescribeRegions

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceShareInvitations

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:AcceptResourceShareInvitation

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:RejectResourceShareInvitation

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:AssociateResourceSharePermission

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:DisassociateResourceSharePermission

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListResourceSharePermissions

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:GetPermission

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListPermissionVersions

acs:resourcesharing:<region_id>:<account_id>:*

resourcesharing:ListPermissions

acs:resourcesharing:<region_id>:<account_id>:*

Tag authorization list

The following table lists the operations (Action) and resources (Resource) that can be authorized for tags.

Action

Resource

tag:ListTagResources

acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>

tag:TagResources

  • acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>

  • acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id>

tag:UntagResources

  • acs:tag:<region_id>:<account_id>:<resource_type>/<resource_id>

  • acs:<product>:<region_id>:<account_id>:<resource_type>/<resource_id>

tag:ListTagKeys

acs:tag:<region_id>:<account_id>:*/*

tag:ListTagValues

acs:tag:<region_id>:<account_id>:*/*

tag:CreateTags

acs:tag:<region_id>:<account_id>:*/*

tag:DeleteTag

acs:tag:<region_id>:<account_id>:*/*
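
The Action and Resource pairs in the tables above can be used to review a policy for grants that are wider than the documented resource form. The following is an added example, not part of the original page or of Alibaba Cloud's own tooling: it checks each Allow statement against three ARN templates copied from the resource directory table. The function names, the account ID and the RDPath value are constructed for illustration.

```python
import re

# Action -> documented Resource forms, copied from this page's tables (subset).
TEMPLATES = {
    "resourcemanager:GetFolder":
        ["acs:resourcemanager:*:<account_id>:folder/<resource_directory_path>"],
    "resourcemanager:DeleteControlPolicy":
        ["acs:resourcemanager:*:<account_id>:policy/controlpolicy/<policy_id>"],
    "resourcemanager:ListAccounts":
        ["acs:resourcemanager:*:<account_id>:account/*"],
}

def template_to_regex(template):
    """Literal text (including a documented '*') must match as written;
    each <field> must be filled with a concrete, wildcard-free value."""
    out = []
    for part in re.split(r"(<[a-z_]+>)", template):
        if part == "<resource_directory_path>":
            out.append(r"[^:*?]+")        # RDPath is a path, so '/' is allowed
        elif re.fullmatch(r"<[a-z_]+>", part):
            out.append(r"[^:/*?]+")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out))

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (action, resource) pairs whose Resource is not in the documented
    form. Actions missing from TEMPLATES (wildcard actions included) are flagged."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            patterns = [template_to_regex(t) for t in TEMPLATES.get(action, [])]
            for res in as_list(stmt["Resource"]):
                if not any(p.fullmatch(res) for p in patterns):
                    findings.append((action, res))
    return findings

# Constructed sample policy: account ID and RDPath are placeholders.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "resourcemanager:GetFolder",
     "Resource": "acs:resourcemanager:*:1234567890123456:folder/EXAMPLE-RD/EXAMPLE-FOLDER"},
    {"Effect": "Allow",
     "Action": ["resourcemanager:DeleteControlPolicy", "resourcemanager:ListAccounts"],
     "Resource": ["acs:resourcemanager:*:1234567890123456:*"]},
]}
```

On the sample, the first statement passes and the second is reported twice, because an account-wide `*` covers every control policy and every other resource type, not only the form the table lists for those two actions.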