This topic describes the elements of policies that are used in Alibaba Cloud Resource Access Management (RAM) to define permissions.

Elements

Element     Description
Effect      Specifies whether the statement results in an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action      Describes one or more API operations that are allowed or denied.
Resource    Specifies one or more objects that the statement covers.
Condition   Specifies the conditions that are required for a policy to take effect.

Rules for using policy elements

  • Effect

    Valid values are Allow and Deny.

    Note If policies that apply to a request include an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement.

    Example: "Effect": "Allow".

  • Action

    This element can contain one or more values. Valid values are the names of API operations from Alibaba Cloud services.

    Note In most cases, each Alibaba Cloud service has an exclusive set of API operations. For more information, see the documentation of each Alibaba Cloud service.

    Format: <ram-code>:<action-name>.

    • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Alibaba Cloud services that support RAM.
    • action-name: the name of an API operation in the service. An asterisk (*) can be used as a wildcard to cover several operations at once, as in ecs:Describe*.

    Example: "Action": ["oss:ListBuckets", "ecs:Describe*", "rds:Describe*"].

  • Resource

    Specifies one or more objects that the statement covers.

    Format: acs:<ram-code>:<region>:<account-id>:<relative-id>. The format is the same as the format of an Alibaba Cloud Resource Name (ARN).

    • acs: the abbreviation of Alibaba Cloud Service, which indicates the public cloud of Alibaba Cloud.
    • ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Alibaba Cloud services that support RAM.
    • region: the information about a region. You can use an asterisk (*) to specify all the regions.
    • account-id: the ID of the Alibaba Cloud account. For example, you can enter 123456789012****. If no IDs are required or available, use an asterisk (*).
    • relative-id: the identifier of the service-related resource. The meaning of this element varies based on services. The format of the relative-id element is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an Object Storage Service (OSS) object.

    Example: "Resource": ["acs:ecs:*:*:instance/inst-001", "acs:ecs:*:*:instance/inst-002", "acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"].

  • Condition
    A condition block contains one or more conditions. Each condition consists of a condition operator, one or more condition keys, and one or more values for each key.

    Evaluation logic

    • You can specify one or more values for a condition key. If the value in the request matches any one of the values, the condition is met.
    • A single condition operator can have multiple keys attached to it. A condition of this type is met only if the requirements for all of the keys are met.
    • A condition block is met only if all of its conditions are met.

    Condition operators

    Condition operators can be classified into the following categories: string, number, date and time, Boolean, and IP address.

    Category        Condition operators
    String          StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
    Number          NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
    Date and time   DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
    Boolean         Bool
    IP address      IpAddress, NotIpAddress

    Condition keys

    • The format of a common condition key is acs:<condition-key>.
      Common condition key   Category        Description
      acs:CurrentTime        Date and time   The time at which the request is received by the web server, in ISO 8601 format. Example: 2012-11-11T23:59:59Z.
      acs:SecureTransport    Boolean         Whether the request is sent over a secure channel, such as HTTPS.
      acs:SourceIp           IP address      The IP address of the client that sends the request.
      acs:MFAPresent         Boolean         Whether multi-factor authentication (MFA) was used when the user logged on.
      Note If you specify only one value for the acs:SourceIp key, the value must be a single IP address, such as 10.0.0.1. A CIDR block such as 10.0.0.1/32 cannot be used as the only value.
    • The format of a condition key that is specific to an Alibaba Cloud service is <ram-code>:<condition-key>.
      Service-specific condition key   Service   Category   Description
      ecs:tag/<tag-key>                ECS       String     A tag key of Elastic Compute Service (ECS) resources. The tag key is user-defined.
      rds:ResourceTag/<tag-key>        RDS       String     A tag key of ApsaraDB RDS resources. The tag key is user-defined.
      oss:Delimiter                    OSS       String     The delimiter that is used to group OSS object names.
      oss:Prefix                       OSS       String     The prefix of an OSS object name.
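The evaluation rules above (an explicit Deny overrides an Allow, wildcards in Action and Resource, every condition in a block required, keys under one operator AND-ed, values for one key OR-ed) and the acs:SourceIp caveat can be exercised with the following evaluator. This is an added example written for this page, not Alibaba Cloud's own policy engine. The sample policy, the bucket and instance names, the account ID and the client addresses are constructed; only a subset of the operators listed above is implemented; and the code assumes that a request matched by no statement is denied.

```python
"""Toy evaluator for the policy elements on this page (added example, not
Alibaba Cloud's engine). Rules implemented: explicit Deny beats Allow; Action
and Resource accept '*' wildcards; a condition block is met only if every
condition is met; keys under one operator are AND-ed; values for one key are
OR-ed. Assumption: a request matched by no statement is denied."""
import fnmatch
import ipaddress
from datetime import datetime

# Constructed sample policy. "Version"/"Statement" is the RAM policy document
# envelope; the bucket name, paths and instance IDs are made up.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "ecs:Describe*"],
         "Resource": ["acs:oss:*:*:mybucket/*", "acs:ecs:*:*:instance/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "203.0.113.5"]},
                       "Bool": {"acs:SecureTransport": "true"}}},
        {"Effect": "Deny",
         "Action": "oss:GetObject",
         "Resource": "acs:oss:*:*:mybucket/secret/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    # '*' matches any run of characters, as in "ecs:Describe*" above.
    return fnmatch.fnmatchcase(value, pattern)


def _parse_time(text):
    # ISO 8601 with a trailing 'Z', e.g. 2012-11-11T23:59:59Z.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_met(operator, actual, expected):
    """Does the request value 'actual' satisfy 'operator' for any value in
    'expected'? Only a subset of the operators listed above is implemented."""
    if operator == "StringEquals":
        return any(actual == e for e in expected)
    if operator == "StringLike":
        return any(_like(e, actual) for e in expected)
    if operator == "Bool":
        return any(str(actual).lower() == str(e).lower() for e in expected)
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(e, strict=False) for e in expected)
        return hit if operator == "IpAddress" else not hit
    if operator == "DateLessThan":
        return any(_parse_time(actual) < _parse_time(e) for e in expected)
    raise ValueError(f"operator not implemented in this example: {operator}")


def _statement_matches(stmt, req):
    if not any(_like(p, req["action"]) for p in _as_list(stmt["Action"])):
        return False
    if not any(_like(p, req["resource"]) for p in _as_list(stmt["Resource"])):
        return False
    ctx = req.get("context", {})
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():  # every key must be satisfied;
            if key not in ctx:              # a key absent from the request is not met
                return False
            if not _condition_met(operator, ctx[key], _as_list(expected)):
                return False
    return True


def evaluate(policy, req):
    """Return "Allow" or "Deny" for one request; a matching Deny always wins."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"  # default deny


def lint_source_ip(policy):
    """Flag the pitfall noted above: a single acs:SourceIp value must be a
    plain IP address, not a CIDR block."""
    warnings = []
    for i, stmt in enumerate(policy["Statement"]):
        for operator, keys in stmt.get("Condition", {}).items():
            value = keys.get("acs:SourceIp")
            if isinstance(value, str) and "/" in value:
                warnings.append(f"statement {i}: {operator} acs:SourceIp={value!r} "
                                "is a single CIDR value; use a plain IP address")
    return warnings


def request(action, resource, ip="10.1.2.3", https=True):
    """Build a request dict; the account ID in 'resource' is constructed."""
    return {"action": action, "resource": resource,
            "context": {"acs:SourceIp": ip, "acs:SecureTransport": https}}
```

Calling evaluate(POLICY, request("oss:GetObject", "acs:oss:cn-hangzhou:123456789012:mybucket/dir1/object1.jpg")) returns "Allow"; the same object under mybucket/secret/ returns "Deny" because the Deny statement also matches, and the same request from 198.51.100.7 or over plain HTTP returns "Deny" because the condition block is not met and no other statement applies. Note that fnmatch's '*' also matches ':' and '/', which is the behaviour you want for the acs:<ram-code>:<region>:<account-id>:<relative-id> form but means a pattern such as acs:oss:*:*:mybucket/* is not anchored to a single path segment.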