This topic lists the Alibaba Cloud services that support Resource Access Management (RAM), the authorization granularity and system policies for each service, and links to related topics.

Overview

Each table in this topic contains the following columns:

  • Alibaba Cloud service: the name of the cloud service that supports RAM.
  • Sub-service or sub-module: the sub-service or sub-module of the cloud service. A hyphen (-) indicates none.
  • RAM code: the code that is used in RAM to indicate the cloud service.
  • Console: indicates whether STS can be used to implement access control in the console of the service. A tick (✓) indicates that STS is supported. A cross (×) indicates that STS is not supported. A circle (○) indicates that no console is provided for that service.
  • API: indicates whether RAM can be used to implement access control by calling the API of the service. A tick (✓) indicates that RAM is supported by calling the API of the service. A cross (×) indicates that RAM is not supported by calling the API of the service. A circle (○) indicates that no API is provided for that service.
  • Authorization granularity: the minimum authorization granularity of the service. A hyphen (-) indicates that no authorization granularity is defined.

    The following authorization granularity is defined:

    • Service: You can control whether RAM users can access the service. You can grant RAM users or RAM roles the permissions to access all or none of the resources in the service.
    • Operation: You can control whether RAM users or RAM roles can perform specific operations on a specific type of resource in the service.
    • Resource: You can control whether RAM users can perform a specific operation on a specific resource in the service. For example, you can authorize a RAM user to restart a specific Elastic Compute Service (ECS) instance.
  • System policy: the system policies that RAM provides for the service. A hyphen (-) indicates that no system policies are provided for the service.
  • References: the topics that are related to both RAM and the service. A hyphen (-) indicates that no topics are related to RAM or the service.

Elastic computing

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
ECS ECS ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
ECS Elastic Block Storage (EBS) ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
ECS Elastic GPU Service ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
ECS ECS Bare Metal Instance ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
ECS Super Computing Cluster ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
ECS Dedicated Host (DDH) ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
ECS Alibaba Cloud Linux 2 ecs Resource
  • AliyunECSFullAccess
  • AliyunECSReadOnlyAccess
  • AliyunECSNetworkInterfaceManagementAccess
Authentication rules
Auto Scaling (ESS) - ess Service
  • AliyunESSFullAccess
  • AliyunESSReadOnlyAccess
API usage instructions
Container Service for Kubernetes (ACK) - cs Resource
  • AliyunCSFullAccess
  • AliyunCSReadOnlyAccess
Use sub-accounts
Batch Compute - batchcompute Service - -
Resource Orchestration Service (ROS) - ros Service
  • AliyunROSFullAccess
  • AliyunROSReadOnlyAccess
Use RAM to control resource access
Function Compute - fc Resource
  • AliyunFCFullAccess
  • AliyunFCReadOnlyAccess
  • AliyunFCInvocationAccess
Quick start for using the console as RAM users
Simple Application Server - swas Service AliyunSWASFullAccess -
Elastic High Performance Computing (E-HPC) - ehpc Service
  • AliyunEHPCFullAccess
  • AliyunEHPCReadOnlyAccess
-
Container Registry - cr Resource
  • AliyunContainerRegistryFullAccess
  • AliyunContainerRegistryReadOnlyAccess
Repository access control
Elastic Container Instance (ECI) - eci Resource
  • AliyunECIFullAccess
  • AliyunECIReadOnlyAccess
-
Web App Service - webplus Operation
  • AliyunWebPlusFullAccess
  • AliyunWebPlusReadOnlyAccess
-

Database

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
ApsaraDB RDS ApsaraDB RDS rds Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
Use RAM for resource authorization
ApsaraDB RDS ApsaraDB RDS for MySQL rds Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
Use RAM for resource authorization
ApsaraDB RDS ApsaraDB RDS for SQL Server rds Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
Use RAM for resource authorization
ApsaraDB RDS ApsaraDB RDS for PostgreSQL rds Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
Use RAM for resource authorization
ApsaraDB RDS ApsaraDB RDS for PPAS rds Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
Use RAM for resource authorization
ApsaraDB RDS ApsaraDB for MyBase rds Resource
  • AliyunRDSFullAccess
  • AliyunRDSReadOnlyAccess
-
ApsaraDB for Redis - kvstore Resource
  • AliyunKvstoreFullAccess
  • AliyunKvstoreReadOnlyAccess
RAM authentication
ApsaraDB for Memcache - kvstore Service
  • AliyunKvstoreFullAccess
  • AliyunKvstoreReadOnlyAccess
-
ApsaraDB for MongoDB - dds Resource
  • AliyunMongoDBFullAccess
  • AliyunMongoDBReadOnlyAccess
-
AnalyticDB for PostgreSQL - gpdb Resource
  • AliyunGPDBFullAccess
  • AliyunGPDBReadOnlyAccess
Authentication rules for APIs
Data Management (DMS) - dms Service - -
AnalyticDB for MySQL - adb Operation
  • AliyunADBFullAccess
  • AliyunADBReadOnlyAccess
-
Distributed Relational Database Service (DRDS) -
  • drds
  • polardbx
Resource
  • AliyunDRDSReadOnlyAccess
  • AliyunDRDSFullAccess
-
ApsaraDB for HBase - hbase Resource
  • AliyunHBaseFullAccess
  • AliyunHBaseReadOnlyAccess
-
Advanced Database & Application Migration (ADAM) - adam Service
  • AliyunADAMReadOnlyAccess
  • AliyunADAMFullAccess
-
PolarDB - polardb Operation
  • AliyunPolardbReadOnlyAccess
  • AliyunPolardbFullAccess
-
Database Backup (DBS) - dbs Service
  • AliyunDBSFullAccess
  • AliyunDBSReadOnlyAccess
-
Database Autonomy Service (DAS) - hdm Service
  • AliyunHDMReadOnlyAccess
  • AliyunHDMFullAccess
-
Data Lake Analytics (DLA) - openanalytics Operation
  • AliyunDLAFullAccess
  • AliyunDLAReadOnlyAccess
  • AliyunDLADeveloperAccess
Grant RAM users fine-grained permissions to access DLA
ApsaraDB for OceanBase - oceanbase Service
  • AliyunOceanBaseFullAccess
  • AliyunOceanBaseReadOnlyAccess
-
ApsaraDB for Cassandra - cassandra Resource
  • AliyunCassandraFullAccess
  • AliyunCassandraReadOnlyAccess
-
LedgerDB - ledgerdb Resource
  • AliyunLedgerDBFullAccess
  • AliyunLedgerDBReadOnlyAccess
-
ApsaraDB for ClickHouse - clickhouse Resource
  • AliyunClickHouseFullAccess
  • AliyunClickHouseReadOnlyAccess
-
Database Gateway - dg Resource
  • AliyunDGFullAccess
  • AliyunDGReadOnlyAccess
-

Storage

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Object Storage Service (OSS) - oss Resource
  • AliyunOSSFullAccess
  • AliyunOSSReadOnlyAccess
Overview
Apsara File Storage NAS (NAS) - nas Operation
  • AliyunNASFullAccess
  • AliyunNASReadOnlyAccess
Perform access control based on RAM policies
Tablestore - ots Resource
  • AliyunOTSFullAccess
  • AliyunOTSReadOnlyAccess
  • AliyunOTSWriteOnlyAccess
Custom permissions
Cloud Storage Gateway (CSG) - hcs-sgw Service AliyunHCSSGWFullAccess -

Cloud communications

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Short Message Service (SMS) - dysms Service - -

Networking

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Virtual Private Cloud (VPC) - vpc Resource
  • AliyunVPCFullAccess
  • AliyunVPCReadOnlyAccess
RAM user authorization
Server Load Balancer (SLB) Server Load Balancer (SLB) slb Resource
  • AliyunSLBReadOnlyAccess
  • AliyunSLBFullAccess
Authorize a RAM user
Server Load Balancer (SLB) Application Load Balancer (ALB) alb Resource
  • AliyunALBFullAccess
  • AliyunALBReadOnlyAccess
-
Express Connect - vpc Resource
  • AliyunExpressConnectFullAccess
  • AliyunExpressConnectReadOnlyAccess
RAM user authorization
Elastic IP Address (EIP) - eip Resource
  • AliyunEIPFullAccess
  • AliyunEIPReadOnlyAccess
RAM user authorization
NAT Gateway (NAT) - vpc Resource
  • AliyunNATGatewayReadOnlyAccess
  • AliyunNATGatewayFullAccess
RAM user authorization
VPN Gateway - vpc Resource
  • AliyunVPNGatewayFullAccess
  • AliyunVPNGatewayReadOnlyAccess
RAM user authorization
EIP Bandwidth Plan - vpc Resource
  • AliyunCommonBandwidthPackageReadOnlyAccess
  • AliyunCommonBandwidthPackageFullAccess
-
Global Accelerator (GA) - ga Resource
  • AliyunGlobalAccelerationReadOnlyAccess
  • AliyunGlobalAccelerationFullAccess
RAM user authorization
Smart Access Gateway (SAG) - smartag Resource - RAM authentication
Cloud Enterprise Network - cen Resource
  • AliyunCENReadOnlyAccess
  • AliyunCENFullAccess
RAM authentication
PrivateLink - privatelink Resource
  • AliyunPrivateLinkFullAccess
  • AliyunPrivateLinkReadOnlyAccess
Alibaba Cloud DNS PrivateZone - pvtz Resource
  • AliyunPvtzFullAccess
  • AliyunPvtzReadOnlyAccess
-

O&M management

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
CloudMonitor - cms Operation
  • AliyunCloudMonitorFullAccess
  • AliyunCloudMonitorReadOnlyAccess
  • AliyunCloudMonitorMetricDataReadOnlyAccess
Control permissions of RAM users
Cloud Shell - cloudshell Service - -

Middleware

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Enterprise Distributed Application Service (EDAS) - edas Service
  • AliyunEDASFullAccess
  • AliyunEDASReadOnlyAccess
  • AliyunEDASApplicationFullAccess
  • AliyunEDASApplicationReadOnlyAccess
  • AliyunEDASResourceReadOnlyAccess
  • AliyunEDASResourceFullAccess
Manage RAM users
Message Queue Message Queue for Apache RocketMQ mq Resource
  • AliyunMQFullAccess
  • AliyunMQReadOnlyAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess
Grant permissions to RAM users
Message Queue Message Queue for MQTT mq Resource
  • AliyunMQFullAccess
  • AliyunMQReadOnlyAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess
-
Application High Availability Service - ahas Service
  • AliyunAHASFullAccess
  • AliyunAHASReadOnlyAccess
-

Media services and CDN

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
CDN - cdn Resource
  • AliyunCDNFullAccess
  • AliyunCDNReadOnlyAccess
-
ApsaraVideo for Media Processing (MTS) - mts Service
  • AliyunMTSFullAccess
  • AliyunMTSPlayerAuth
-
ApsaraVideo VOD (VOD) - vod Operation
  • AliyunVODFullAccess
  • AliyunVODReadOnlyAccess
  • AliyunVODPlayAuth
  • AliyunVODUploadAuth
-
Real-Time Communication - rtc Resource - -
Dynamic Route for CDN (DCDN) - dcdn Resource
  • AliyunDCDNFullAccess
  • AliyunDCDNReadOnlyAccess
-

Enterprise applications

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Direct Mail - dm Service
  • AliyunDirectMailFullAccess
  • AliyunDirectMailReadOnlyAccess
-
API Gateway - apigateway Service
  • AliyunApiGatewayFullAccess
  • AliyunApiGatewayReadOnlyAccess
Use RAM to manage user permissions for API Gateway
CloudQuotation (CQ) - assettech Service
  • AliyunCQLoudFullAccess
  • AliyunCQLoudReadOnlyAccess
-
BizWorks - bizworks Service
  • AliyunBizWorksFullAccess
  • AliyunBizWorksReadOnlyAccess
-

Domains and websites

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Alibaba Cloud DNS DNS alidns Resource
  • AliyunDNSFullAccess
  • AliyunDNSReadOnlyAccess
-
Domains - domain Resource AliyunDomainFullAccess Authentication rules for the Domains API

Artificial intelligence

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Intelligent Speech Interaction - nls Service
  • AliyunNLSFullAccess
  • AliyunNLSReadOnlyAccess
-
Machine Learning Platform for AI (PAI) - pai Service - -
Image Search - imagesearch Resource
  • AliyunImagesearchReadOnlyAccess
  • AliyunImagesearchFullAccess
-
Machine Translation - alimt Operation
  • AliyunMTFullAccess
  • AliyunMTReadOnlyAccess
-

IoT

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
IoT Platform - iot Resource
  • AliyunIOTFullAccess
  • AliyunIOTReadOnlyAccess
RAM user access
ApsaraDB for Lindorm Time Series Database (TSDB) hitsdb Operation - -

Big data

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
DataWorks - dataworks Service AliyunDataWorksFullAccess Use a RAM user
Quick BI - - Service - -
DataV - datav Service AliyunDataVFullAccess -
Realtime Compute for Apache Flink - - Service - -
Elasticsearch - elasticsearch Resource
  • AliyunElasticsearchReadOnlyAccess
  • AliyunElasticsearchFullAccess
Types of resources that can be authorized
E-MapReduce - emr Service
  • AliyunEMRFullAccess
  • AliyunUEMReadOnlyAccess
  • AliyunEMRFlowAdmin
  • AliyunEMRDevelopAccess
-
Log Service - log Resource
  • AliyunLogFullAccess
  • AliyunLogReadOnlyAccess
RAM authentication rules

Developer services

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Apsara DevOps - rdc Resource
  • AliyunRDCFullAccess
  • AliyunRDCReadOnlyAccess
-
Tracing Analysis - xtrace Service
  • AliyunTracingAnalysisFullAccess
  • AliyunTracingAnalysisReadOnlyAccess
-

Security

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Security Center (SAS) -
  • yundun-sas
  • yundun-aegis
Service
  • AliyunYundunSASFullAccess
  • AliyunYundunSASReadOnlyAccess
-
Server Guard - yundun-aegis Service
  • AliyunYundunAegisFullAccess
  • AliyunYundunAegisReadOnlyAccess
-
Anti-DDoS Anti-DDoS yundun-ddos Service
  • AliyunYundunDDosFullAccess
  • AliyunYundunDDosReadOnlyAccess
-
Anti-DDoS Anti-DDoS Pro and Anti-DDoS Premium
  • yundun-high
  • yundun-ddoscoo
Service
  • AliyunYundunHighFullAccess
  • AliyunYundunHighReadOnlyAccess
-
Anti-DDoS Anti-DDoS Premium
  • yundun-high
  • yundun-ddoscoo
Service
  • AliyunYundunAntiDDoSPremiumFullAccess
  • AliyunYundunAntiDDoSPremiumReadOnlyAccess
-
GameShield - yundun-gameshield Service AliyunYundunGameShieldReadOnlyAccess -
Web Application Firewall (WAF) WAF yundun-waf Service
  • AliyunYundunWAFFullAccess
  • AliyunYundunWAFReadOnlyAccess
-
SSL Certificates Service - yundun-cert Service
  • AliyunYundunCertFullAccess
  • AliyunYundunCertReadOnlyAccess
-
Cloud Firewall (CFW) - yundun-cloudfirewall Service
  • AliyunYundunCloudFirewallReadOnlyAccess
  • AliyunYundunCloudFirewallFullAccess
-
Managed Security Service (MSSP) - mssp Service - -
Content Moderation - yundun-greenweb Service AliyunYundunGreenWebFullAccess -
Bastionhost Bastionhost yundun-bastionhost Service
  • AliyunYundunBastionHostFullAccess
  • AliyunYundunBastionHostReadOnlyAccess
  • AliyunYundunBastionHostOperateOnlyAccess
  • AliyunYundunBastionHostAuditOnlyAccess
-
Data Security Center (DSC) - yundun-sddp Service
  • AliyunYundunSDDPFullAccess
  • AliyunYundunSDDPReadOnlyAccess
-
Identity as a Service (IDaaS) IDaaS yundun-idaas Operation
  • AliyunYundunIdaasFullAccess
  • AliyunYundunIdaasReadOnlyAccess
-
Key Management Service (KMS) - kms Resource
  • AliyunKMSFullAccess
  • AliyunKMSReadOnlyAccess
  • AliyunKMSCryptoAccess
Use RAM to control access to KMS resources
RAM RAM
  • ram
  • sts
  • ims
Resource
  • AliyunRAMFullAccess
  • AliyunRAMReadOnlyAccess
RAM authentication
RAM CloudSSO cloudsso Resource
  • AliyunCloudSSOReadOnlyAccess
  • AliyunCloudSSOFullAccess
-
ActionTrail - actiontrail Operation - RAM account authentication

Technical support

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Ticket Management - support Service AliyunSupportFullAccess -

Marketplace

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Alibaba Cloud Marketplace - acm × Service AliyunMarketplaceFullAccess -

Others

Alibaba Cloud service Sub-service or sub-module RAM code Console API Authorization granularity System policy References
Billing Management -
  • bss
  • bssapi
  • efc
Service
  • AliyunBSSFullAccess
  • AliyunBSSReadOnlyAccess
  • AliyunBSSOrderAccess
  • AliyunBSSRefundAccess
  • AliyunBSSRenewReadOnlyAccess
  • AliyunBSSRenewFullAccess
-
ICP Filing -
  • beian
  • bsn
Service AliyunBeianFullAccess -