Before you call the Anycast Elastic IP Address (Anycast EIP) API as a RAM user, you must use an Alibaba Cloud account to create a permission policy and grant permissions to the RAM user. In the permission policy, Alibaba Cloud Resource Names (ARNs) are used to specify resources.

Table 1. The type of resource that you can authorize to a RAM user
Resource type Description The ARN that is used to specify the resource
anycast Anycast EIP

acs:eipanycast:{#regionId}:{#accountId}:anycast/*

acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}

Authentication rules of API operations

When you call API operations to access resources as a RAM user, the system checks whether you are granted the required permissions.

The permissions to be checked vary by resource and API syntax. The following table describes the authentication rules for each API operation.

Table 2. Authentication rules
API operation Authentication rule
Eipanycast:AllocateAnycastEipAddress acs:eipanycast:{#regionId}:{#accountId}:anycast/*
Eipanycast:ModifyAnycastEipAddressAttribute acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
Eipanycast:ModifyAnycastEipAddressSpec acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
Eipanycast:ReleaseAnycastEipAddress acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
Eipanycast:AssociateAnycastEipAddress

acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}

acs:slb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}

acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}

Eipanycast:UnassociateAnycastEipAddress

acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}

acs:slb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}

acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}

Eipanycast:DescribeAnycastEipAddress acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
Eipanycast:ListAnycastEipAddresses acs:eipanycast:{#regionId}:{#accountId}:anycast/*
Eipanycast:DescribeAnycastPopLocations No authorization is required.
Eipanycast:DescribeAnycastServerRegions No authorization is required.