在使用RAM账号调用VPC API前,需要主账号通过创建授权策略对RAM账号进行授权。在授权策略中,使用资源描述符(Alibaba Cloud Resource Name, ARN)指定授权资源。
可授权的专有网络资源类型
下表列举了VPC中可授权的资源及其描述方式,其中$regionid/accoutid/vrouterid... 为具体的资源ID,*代表对应的所有资源。
| 资源类型 | 授权策略中的资源描述方法 |
|---|---|
| 专有网络(VPC) | acs:vpc:$regionid:$accountid:vpc/$vpcid |
acs:vpc:$regionid:$accountid:vpc/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| 路由器(VRouter) | acs:vpc:$regionid:$accountid:vrouter/$vrouterid |
acs:vpc:$regionid:$accountid:vrouter/* |
|
acs:vpc:*:$accountid:vrouter/* |
|
| 交换机(VSwitch) | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
acs:vpc:$regionid:$accountid:vswitch/* |
|
acs:vpc:*:$accountid:vswitch/* |
|
| 路由表(Route Table) | acs:vpc:$regionid:$accountid:routetable/$routetableid |
acs:vpc:$regionid:$accountid:routetable/* |
|
acs:vpc:*:$accountid:routetable/* |
|
| DHCP选项集(DHCP Options Set) | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
|
acs:vpc:*:$accountid:dhcpoptionsset/* |
|
| 高可用IP (HaVip) | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:vpc:$regionid:$accountid:havip/* |
|
acs:vpc:*:$accountid:havip/* |
|
| 弹性公网IP(EIP) | acs:vpc:$regionid:$accountid:eip/$allocationid |
acs:vpc:$regionid:$accountid:eip/* |
|
acs:vpc:*:$accountid:eip/* |
|
| NAT网关(NAT Gateway) | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:vpc:$regionid:$accountid:natgateway/* |
|
acs:vpc*:$accountid:vpc/* |
|
| NAT网关带宽包(NAT Gateway Bandwidth Package) | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
acs:vpc:$regionid:$accountid:bandwidthpackage/* |
|
aacs:vpc:*:$accountid:vpc/* |
|
| 端口转发表(Forward Table) | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
acs:vpc:$regionid:$accountid:forwardtable/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| SNAT表(SNAT Table) | acs:vpc:$regionid:$accountid:snattable/$snattableid |
acs:vpc:$regionid:$accountid:snattable/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| 用户网关(Customer Gateway) | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
acs:vpc:$regionid:$accountid:customergateway/* |
|
acs:vpc:*:$accountid:customergateway/* |
|
| IPsec连接(IPsec Connection) | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
acs:vpc:$regionid:$accountid:vpnconnection/* |
|
acs:vpc:*:$accountid:vpnconnection/* |
|
| VPN网关(VPN Gateway) | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
acs:vpc:$regionid:$accountid:vpngateway/* |
|
acs:vpc:*:$accountid:vpngateway/* |
|
| 全球加速实例(Global Acceleration Instance) | acs:vpc:$regionid:$accountid:globalaccelerationinstance /$globalaccelerationinstanceid |
acs:vpc:$regionid:$accountid:globalaccelerationinstance /* |
|
acs:vpc::$accountid:globalaccelerationinstance /* |
|
| 网络ACL(Network ACL) | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:networkacl/* |
|
acs:vpc:*:$accountid:networkacl/* |
|
| 附加网段(SecondaryCidrBlock) | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| IPv6网关(IPv6 Gateway) | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
acs:vpc:$regionid:$accountid:ipv6gateway/* |
|
acs:vpc:*:$accountid:ipv6gateway/* |
|
| IPv6公网带宽(IPV6 Bandwidth) | acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6instanceid |
acs:vpc:$regionid:$accountid:ipv6bandwidth/* |
|
acs:vpc:*:$accountid:ipv6bandwidth/* |
|
| 通用资源 | acs:vpc:$regionid:$accountid:* |
acs:vpc:*:$accountid:* |
可授权的VPC接口
下表列举了VPC中可授权的API及其描述方式,其中$regionid/accoutid/vrouterid... 为具体的资源ID,*代表对应的所有资源。
| API | 资源描述 |
|---|---|
| CreateVpc | acs:vpc:$regionid:$accountid:vpc/* |
| DeleteVpc | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DescribeVpcs | acs:vpc:$regionid:$accountid:vpc/* |
| ModifyVpcAttribute | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DescribeVRouters | acs:vpc:$regionid:$accountid:vrouter/* |
| 指定要查询的VRouterId:
|
|
| 指定要查询的VRouterId:
|
|
| ModifyVRouterAttribute | acs:vpc:*:$accountid:* |
| CreateVSwitch | acs:vpc:$regionid:$accountid:vswitch/* |
| DescribeVSwitchAttributes | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DeleteVSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
| DescribeVSwitches | acs:vpc:$regionid:$accountid:vswitch/* |
"vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/$vpcid" |
|
| ModifyVSwitchAttribute | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
| CreateRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
| DeleteRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
| DescribeRouteTables | acs:vpc:$regionid:$accountid:routetable/* |
"vpc:VRouter":"acs:vpc$regionid:$accountid:vrouter/$vrouterid" |
|
| CreateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
| DescribeCreateDHCPOptionsSets | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
| ModifyDHCPOptionsSetAttributes | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
| DeleteDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
| AssociatedDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:vpc/$vpcid |
|
| UnassociateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:vpc/$vpcid |
|
| CreateHaVip | acs:vpc:$regionid:$accountid:havip/* |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| DeleteHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
| AssociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:vpc:%s:%s:certificate/% |
|
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| UnassociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| DescribeHaVips | acs:vpc:$regionid:$accountid:havip/* |
| AllocateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
| AssociateEipAddres | acs:vpc:$regionid:$accountid:eip/* |
| 绑定ECS实例
|
|
| 绑定HAVIP
|
|
| DescribeEipAddresses | acs:vpc:$regionid:$accountid:eip/* |
| UnassociateEipAddress | 绑定ECS实例
|
| 绑定HAVIP
|
|
| ReleaseEipAddress | acs:vpc:$regionid:$accountid:eip/$allocationid |
| DescribeEipMonitorData | acs:vpc:$regionid:$accountid:eip/$allocationid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateNatGateway | acs:vpc:$regionid:$accountid:natgateway/* |
| DescribeNatGateways | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:vpc:$regionid:$accountid:natgateway/* |
|
| ModifyNatGatewaySpec | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
| ModifyNatGatewayAttribute | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| DeleteNatGateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
| DescribeBandwidthPackages | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
acs:vpc:$regionid:$accountid:bandwidthpackage/* |
|
| ModifyBandwidthPackageSpec | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| ModifyBandwidthPackageAttribute | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| AddBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| RemoveBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| DeleteBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| CreateForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| DeleteForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| ModifyForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| DescribeForwardTableEntries | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| CreateSnatEntry | acs:vpc:$regionid:$accountid:snattable/* |
| ModifySnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| DescribeSnatTableEntries | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| DeleteSnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| CreateCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/* |
| DeleteCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| DescribeCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| DescribeCustomerGateways | acs:vpc:$regionid:$accountid:customergateway/* |
| ModifyCustomerGatewayAttribute | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| CreateVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/* |
| DeleteVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DescribeVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DescribeVpnConnections | acs:vpc:$regionid:$accountid:vpnconnection/* |
| ModifyVpnConnectionAttribute | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DownloadVpnConnectionConfig | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DeleteVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| DescribeVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| DescribeVpnGateways | acs:vpc:$regionid:$accountid:vpngateway/* |
| ModifyVpnGatewayAttribute | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| CreateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
| AssociateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| UnassociateGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
| ModifyGlobalAccerlationInstanceSpec | acs:ecs:$regionid:$accountid:instance/$instanceid |
| ModifyGlobalAccerlationInstanceAttributes | acs:ecs:$regionid:$accountid:instance/$instanceid |
| DeleteGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
| DescribeGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
| AddGlobalAccelerationInstanceIp | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
acs:vpc:$regionid:$accountid:eip/$allocationid |
|
| RemoveGlobalAccelerationInstanceIp | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
acs:vpc:$regionid:$accountid:eip/$allocationid |
|
| DescribeServerRelatedGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/* |
| DeleteNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| DescribeNetworkAcls | acs:vpc:$regionid:$accountid: networkacl/* |
| DescribeNetworkAclAttributes | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| ModifyNetworkAclAttributes | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| AccosicateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| UnassociateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| UpdateNetworkAclEntries | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| CopyNetworkAclEntries | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| AssociateVpcCidrBlock | acs:vpc:$regionid:$accountid: vpc/$vpcid |
| UnassociateVpcCidrBlock | acs:vpc:$regionid:$accountid: vpc/$vpcid |
| CreateIpv6Gateway | acs:vpc:$regionid:$accountid:ipv6gateway/* |
| DeleteIpv6Gateway | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| DescribeIpv6Gateways | acs:vpc:$regionid:$accountid:ipv6gateway/* |
acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
|
| AllocateIpv6InternetBandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/* |
| CreateIpv6EgressOnlyRule | acs:vpc:$regionid:$accountid:ipv6gateway/* |
| DeleteIpv6EgressOnlyRule | acs:vpc:$regionid:$accountid:ipv6gateway/$ruleid |
| DeleteIpv6InternetBandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6bandwidthid |
| DescribeIpv6Addresses | acs:vpc:$regionid:$accountid:vpc/* |
| DescribeIpv6EgressOnlyRules | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| DescribeIpv6GatewayAttribute | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| ModifyIpv6AddressAttribute | acs:vpc:$regionid:$accountid:vpc/$ipv6instanceid |
| ModifyIpv6GatewayAttribute | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| ModifyIpv6GatewaySpec | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| ModifyIpv6InternetBandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6instanceid |
