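Before a RAM user can call the VPC API, the primary account must create an authorization policy and grant the RAM user the corresponding access permissions. In an authorization policy, the Alibaba Cloud Resource Name (ARN) is the unique identifier used to specify the resource being authorized. This document gives an overview of the ARNs used as unique identifiers for VPC resources.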
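VPC resources
The following table lists the VPC resources that can be authorized and their ARN formats. In these ARN formats, $regionid, $accountid and $vrouterid are resource IDs, and * represents all corresponding resources.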
Resource | ARN format |
---|---|
VPC | acs:vpc:$regionid:$accountid:vpc/$vpcid |
 | acs:vpc:$regionid:$accountid:vpc/* |
 | acs:vpc:*:$accountid:vpc/* |
 | acs:slb:*:*:loadbalancer/* |
VRouter | acs:vpc:$regionid:$accountid:vrouter/$vrouterid |
 | acs:vpc:$regionid:$accountid:vrouter/* |
 | acs:vpc:*:$accountid:vrouter/* |
VSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
 | acs:vpc:$regionid:$accountid:vswitch/* |
 | acs:vpc:*:$accountid:vswitch/* |
Route Table | acs:vpc:$regionid:$accountid:routetable/$routetableid |
 | acs:vpc:$regionid:$accountid:routetable/* |
 | acs:vpc:*:$accountid:routetable/* |
HaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
 | acs:vpc:$regionid:$accountid:havip/* |
 | acs:vpc:*:$accountid:havip/* |
EIP | acs:vpc:$regionid:$accountid:eip/$allocationid |
 | acs:vpc:$regionid:$accountid:eip/* |
 | acs:vpc:*:$accountid:eip/* |
NAT Gateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
 | acs:vpc:$regionid:$accountid:natgateway/* |
 | acs:vpc:*:$accountid:vpc/* |
NAT Gateway Bandwidth Package | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
 | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
 | acs:vpc:*:$accountid:vpc/* |
Forward Table | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
 | acs:vpc:$regionid:$accountid:forwardtable/* |
 | acs:vpc:*:$accountid:vpc/* |
SNAT Table | acs:vpc:$regionid:$accountid:snattable/$snattableid |
 | acs:vpc:$regionid:$accountid:snattable/* |
 | acs:vpc:*:$accountid:vpc/* |
Customer Gateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
 | acs:vpc:$regionid:$accountid:customergateway/* |
 | acs:vpc:*:$accountid:customergateway/* |
IPsec Connection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
 | acs:vpc:$regionid:$accountid:vpnconnection/* |
 | acs:vpc:*:$accountid:vpnconnection/* |
VPN Gateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
 | acs:vpc:$regionid:$accountid:vpngateway/* |
 | acs:vpc:*:$accountid:vpngateway/* |
Global Acceleration Instance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
 | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
 | acs:vpc:*:$accountid:globalaccelerationinstance/* |
General Expression | acs:vpc:$regionid:$accountid:* |
 | acs:vpc:*:$accountid:* |
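As an added example (not part of the original documentation), the following Python code checks the Resource ARNs of a RAM policy against the VPC formats in the table above and reports how broad each grant is. The function names, the scope labels, the sample policy with its made-up account and resource IDs, and the choice to treat an empty region or account field as an error are assumptions made for illustration.

```python
VPC_TYPES = {"vpc", "vrouter", "vswitch", "routetable", "havip", "eip",
             "natgateway", "bandwidthpackage", "forwardtable", "snattable",
             "customergateway", "vpnconnection", "vpngateway",
             "globalaccelerationinstance"}  # resource types from the table above

def classify_arn(arn):
    """Return (scope, problem); problem is None when the ARN is well formed."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        return "invalid", "expected acs:<service>:<region>:<account>:<resource>"
    _, service, region, account, resource = parts
    if service != "vpc":
        return "other-service", None  # e.g. acs:ecs instance ARNs: not checked here
    if not region or not account:  # assumption: VPC ARNs always carry both (or *)
        return "invalid", "empty region or account field"
    rtype, sep, rid = resource.partition("/")
    if resource == "*":
        scope = "any-vpc-resource"
    elif not sep or not rid or rtype not in VPC_TYPES:
        return "invalid", "resource is not <known type>/<id>"
    else:
        scope = "all-of-type" if rid == "*" else "single"
    if region == "*":
        scope += ",all-regions"
    return scope, None

def lint_policy(policy):
    """Return [(arn, scope, problem)] for each Resource of each Allow statement."""
    findings = []
    for stmt in policy.get("Statement", []):
        res = stmt.get("Resource", [])
        if stmt.get("Effect") == "Allow":
            for arn in [res] if isinstance(res, str) else res:
                findings.append((arn, *classify_arn(arn)))
    return findings

# Constructed sample policy: account ID, region and resource IDs are made up.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "vpc:DeleteVpc",
     "Resource": "acs:vpc:cn-hangzhou:1234567890123456:vpc/vpc-example0001"},
    {"Effect": "Allow", "Action": "vpc:DescribeVSwitches",
     "Resource": ["acs:vpc:*:1234567890123456:vswitch/*",
                  "acs:vpc*:1234567890123456:vswitch/*"]},  # malformed on purpose
    {"Effect": "Allow", "Action": "vpc:*", "Resource": "acs:vpc:*:1234567890123456:*"},
]}

if __name__ == "__main__":
    for arn, scope, problem in lint_policy(SAMPLE_POLICY):
        print(f"{scope:30} {arn}  {problem or ''}")
```

Statements whose scope is `any-vpc-resource` or ends in `all-regions` are the ones to review first when tightening a RAM user's permissions.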
VPC API
The following table lists the ARN format for each API that can be authorized. $regionid, $accountid and $vrouterid are resource IDs, and * represents the corresponding resources.
API | ARN format |
---|---|
CreateVpc | acs:vpc:$regionid:$accountid:vpc/* |
DeleteVpc | acs:vpc:$regionid:$accountid:vpc/$vpcid |
DescribeVpcs | acs:vpc:$regionid:$accountid:vpc/* |
ModifyVpcAttribute | acs:vpc:$regionid:$accountid:vpc/$vpcid |
DescribeVRouters | acs:vpc:$regionid:$accountid:vrouter/* |
 | Specify the VRouterId to query: |
 | The VRouterId is not specified: |
ModifyVRouterAttribute | acs:vpc:*:$accountid:* |
CreateVSwitch | acs:vpc:$regionid:$accountid:vswitch/* |
 | acs:vpc:$regionid:$accountid:vpc/$vpcid |
DeleteVSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
DescribeVSwitches | acs:vpc:$regionid:$accountid:vswitch/* |
 | "vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/$vpcid" |
ModifyVSwitchAttribute | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
CreateRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
DeleteRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
DescribeRouteTables | acs:vpc:$regionid:$accountid:routetable/* |
 | "vpc:VRouter":"acs:vpc:$regionid:$accountid:vrouter/$vrouterid" |
CreateHaVip | acs:vpc:$regionid:$accountid:havip/* |
 | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
DeleteHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
AssociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
 | acs:vpc:%s:%s:certificate/% |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |
UnassociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |
DescribeHaVips | acs:vpc:$regionid:$accountid:havip/* |
AllocateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
AssociateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
 | Attach an ECS instance |
 | Attach an HaVip |
DescribeEipAddresses | acs:vpc:$regionid:$accountid:eip/* |
UnassociateEipAddress | Attach an ECS instance |
 | Attach an HaVip |
ReleaseEipAddress | acs:vpc:$regionid:$accountid:eip/$allocationid |
DescribeEipMonitorData | acs:vpc:$regionid:$accountid:eip/$allocationid |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |
CreateNatGateway | acs:vpc:$regionid:$accountid:natgateway/* |
DescribeNatGateways | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
 | acs:vpc:$regionid:$accountid:natgateway/* |
ModifyNatGatewaySpec | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
ModifyNatGatewayAttribute | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |
DeleteNatGateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |
CreateBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
DescribeBandwidthPackages | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
 | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
ModifyBandwidthPackageSpec | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
ModifyBandwidthPackageAttribute | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
AddBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
RemoveBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
DeleteBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
CreateForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
DeleteForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
ModifyForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
DescribeForwardTableEntries | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
CreateSnatEntry | acs:vpc:$regionid:$accountid:snattable/* |
ModifySnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
DescribeSnatTableEntries | acs:vpc:$regionid:$accountid:snattable/$snattableid |
DeleteSnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
CreateCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/* |
DeleteCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
DescribeCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
DescribeCustomerGateways | acs:vpc:$regionid:$accountid:customergateway/* |
ModifyCustomerGatewayAttribute | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
CreateVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/* |
DeleteVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DescribeVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DescribeVpnConnections | acs:vpc:$regionid:$accountid:vpnconnection/* |
ModifyVpnConnectionAttribute | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DownloadVpnConnectionConfig | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DeleteVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
DescribeVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
DescribeVpnGateways | acs:vpc:$regionid:$accountid:vpngateway/* |
ModifyVpnGatewayAttribute | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
CreateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
AssociateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |
UnassociateGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
ModifyGlobalAccelerationInstanceSpec | acs:ecs:$regionid:$accountid:instance/$instanceid |
ModifyGlobalAccelerationInstanceAttributes | acs:ecs:$regionid:$accountid:instance/$instanceid |
DeleteGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
DescribeGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
AddGlobalAccelerationInstanceIp | |
RemoveGlobalAccelerationInstanceIp | |
DescribeServerRelatedGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
 | acs:ecs:$regionid:$accountid:instance/$instanceid |