# How Amazon RAM works with IAM
By default, IAM principals don't have permission to create or modify Amazon RAM resources. To allow IAM principals to create or modify resources and perform tasks, you perform one of the following steps. These actions grant permission to use specific resources and API actions.
To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
+ Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
+ (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
Amazon RAM provides several Amazon managed policies that you can use that will address the needs of many users. For more information about these, see [Amazon managed policies for Amazon Resource Access Manager](security-iam-awsmanpol.md).
If you need finer control over the permissions you grant to your users, you can construct your own policies in the IAM console. For information about creating policies and attaching them to your IAM roles and users, see [Policies and permissions in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) in the *Amazon Identity and Access Management User Guide*.
The following sections provide the Amazon RAM specific details for building an IAM permission policy.
**Contents**
+ [Policy structure](#structure)
+ [Effect](#iam-policies-effect)
+ [Action](#iam-policies-action)
+ [Resource](#iam-policies-resource)
+ [Condition](#iam-policies-condition)
## Policy structure
An IAM permission policy is a JSON document that includes the following statements: Effect, Action, Resource, and Condition. An IAM policy typically takes the following form.
```
{
"Statement":[{
"Effect":"",
"Action":"",
"Resource":"",
"Condition":{
"":{
"":""
}
}
}]
}
```
### Effect
The *Effect* statement indicates whether the policy allows or denies a principal permission to perform an action. The possible values include: `Allow` and `Deny`.
### Action
The *Action* statement specifies the Amazon RAM API actions for which the policy is allowing or denying permission. For a complete list of the allowed actions, see [ Actions defined by Amazon Resource Access Manager](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_awsresourceaccessmanager.html#awsresourceaccessmanager-actions-as-permissions) in the *IAM User Guide*.
### Resource
The *Resource* statement specifies the Amazon RAM resources that are affected by the policy. To specify a resource in the statement, you need to use its unique Amazon Resource Name (ARN). For a complete list of the allowed resources, see [ Resources defined by Amazon Resource Access Manager](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_awsresourceaccessmanager.html#awsresourceaccessmanager-resources-for-iam-policies) in the *IAM User Guide*.
### Condition
*Condition* statements are optional. They can be used to further refine the conditions under which the policy applies. Amazon RAM supports the following condition keys:
+ `aws:RequestTag/${TagKey}` – Tests whether the service request includes a tag with the specified tag key exists and has the specified value.
+ `aws:ResourceTag/${TagKey}` – Tests whether the resource acted on by the service request has an attached tag with a tag key that you specify in the policy.
The following example condition checks that the resource referenced in the service request has an attached tag with the key name "Owner" and a value of "Dev Team".
```
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/Owner" : "Dev Team"
}
}
```
+ `aws:TagKeys` – Specifies the tag keys that must be used to create or tag a resource share.
+ `ram:AllowsExternalPrincipals` – Tests whether the resource share in the service request allows sharing with external principals. An external principal is an Amazon Web Services account outside of your organization in Amazon Organizations. If this evaluates to `False`, then you can share this resource share with accounts only in the same organization.
+ `ram:PermissionArn` – Tests whether the permission ARN specified in the service request matches an ARN string that you specify in the policy.
+ `ram:PermissionResourceType` – Tests whether the permission specified in the service request is valid for the resource type that you specify in the policy. Specify resource types using the format shown in the list of [shareable resource types](shareable.md).
+ `ram:Principal` – Tests whether the ARN of the principal specified in the service request matches an ARN string that you specify in the policy.
+ `ram:RequestedAllowsExternalPrincipals` – Tests whether the service request includes the `allowExternalPrincipals` parameter and whether its argument matches the value you specify in the policy.
+ `ram:RequestedResourceType` – Tests whether the resource type of the resource being acted on matches a resource type string that you specify in the policy. Specify resource types using the format shown in the list of [shareable resource types](shareable.md).
+ `ram:ResourceArn` – Tests whether the ARN of the resource being acted upon by the service request matches an ARN that you specify in the policy.
+ `ram:ResourceShareName` – Tests whether the name of the resource share being acted upon by the service request matches a string that you specify in the policy.
+ `ram:ShareOwnerAccountId` – Tests the account ID number of the resource share being acted upon by the service request matches a string that you specify in the policy.