Before you call the PrivateLink API as a RAM user, you must use an Alibaba Cloud account to create a permission policy and use the policy to authorize the RAM user. In the permission policy, Alibaba Cloud Resource Names (ARNs) are used to specify resources.

Types of PrivateLink resources that can be authorized

The following table lists the PrivateLink resources that can be authorized and their corresponding ARN formats. $regionid:$accountid:endpoint/$endpointid is the ID of the specified resource, and the asterisk (*) represents all the corresponding resources.

| Resource type | ARN format in the permission policy |
| --- | --- |
| Endpoint service (VpcEndpointService) | acs:privatelink:$regionid:$accountid:vpcendpointservice/$serviceid |
| | acs:privatelink:$regionid:$accountid:vpcendpointservice/* |
| | acs:privatelink:*:$accountid:vpcendpointservice/* |
| Endpoint (VpcEndpoint) | acs:privatelink:$regionid:$accountid:vpcendpoint/$endpointid |
| | acs:privatelink:$regionid:$accountid:vpcendpoint/* |
| | acs:privatelink:*:$accountid:vpcendpoint/* |

PrivateLink API operations that can be authorized

The following table lists the PrivateLink API operations that can be authorized and their corresponding ARN formats. $regionid:$accountid:endpoint/$endpointid is the ID of the specified resource, and the asterisk (*) represents all the corresponding resources.

| API | ARN format in the permission policy |
| --- | --- |
| AddUserToVpcEndpointService | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| AttachResourceToVpcEndpointService | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| | Optional. acs:slb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId} |
| AddZoneToVpcEndpoint | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| AttachSecurityGroupToVpcEndpoint | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| | acs:ecs:{#regionId}:{#accountId}:securitygroup/{#SecurityGroupId} |
| CreateVpcEndpoint | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/* |
| | acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} |
| | acs:vpc:{#regionId}:{#accountId}:securitygroup/{#SecurityGroupId} |
| | Optional. acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} |
| CreateVpcEndpointService | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/* |
| | Optional. acs:slb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId} |
| DeleteVpcEndpoint | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| DeleteVpcEndpointService | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| DetachResourceFromVpcEndpointService | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| DetachSecurityGroupFromVpcEndpoint | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| DisableVpcEndpointConnection | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| EnableVpcEndpointConnection | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| GetVpcEndpointAttribute | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| GetVpcEndpointServiceAttribute | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| ListVpcEndpointConnections | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/* |
| ListVpcEndpoints | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/* |
| ListVpcEndpointSecurityGroups | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| ListVpcEndpointServiceResources | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| ListVpcEndpointServices | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/* |
| ListVpcEndpointServiceUsers | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| ListVpcEndpointZones | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| RemoveUserFromVpcEndpointService | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| RemoveZoneFromVpcEndpoint | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| UpdateVpcEndpointAttribute | acs:privatelink:{#regionId}:{#accountId}:vpcendpoint/{#EndpointId} |
| UpdateVpcEndpointConnectionAttribute | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| UpdateVpcEndpointServiceAttribute | acs:privatelink:{#regionId}:{#accountId}:vpcendpointservice/{#ServiceId} |
| ListVpcEndpointServicesByEndUser | Condition: privatelink:VpcEndpointServiceId |
| | acs:privatelink:*:*:* |
| DescribeRegions | No authorization is required. |
| DescribeZones | No authorization is required. |
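
The ARN formats above can be used to review a RAM policy before it is attached. The following is an added example, not part of the original page or of Alibaba Cloud tooling: a small linter that checks whether each PrivateLink action is paired with the resource type the table lists for it, and reports region or resource wildcards. The policy layout (`Version`, `Statement`, `Effect`, `Action`, `Resource`) and the `privatelink:` action prefix are assumptions about the RAM policy syntax, and the sample policy is constructed.

```python
import re

# Resource type each API expects (subset of the table above).
EXPECTED = {
    "DeleteVpcEndpoint": "vpcendpoint",
    "UpdateVpcEndpointAttribute": "vpcendpoint",
    "DeleteVpcEndpointService": "vpcendpointservice",
    "AddUserToVpcEndpointService": "vpcendpointservice",
}
ARN = re.compile(r"^acs:privatelink:([^:]+):[^:]+:(vpcendpoint|vpcendpointservice)/(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return (api, resource, finding) tuples for the Allow statements of a RAM policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, api = action.partition(":")
            if service != "privatelink" or api not in EXPECTED:
                continue  # only exact action names listed in EXPECTED are checked
            for res in as_list(stmt.get("Resource", [])):
                m = ARN.match(res)
                if not m:
                    findings.append((api, res, "not a PrivateLink ARN format from the table"))
                    continue
                region, rtype, rid = m.groups()
                if rtype != EXPECTED[api]:
                    findings.append((api, res, "expected resource type " + EXPECTED[api]))
                if region == "*":
                    findings.append((api, res, "grants all regions"))
                if rid == "*":
                    findings.append((api, res, "grants all resources of this type"))
    return findings

# Constructed sample policy: account ID, region and resource IDs are placeholders.
ACCT = "1234567890123456"
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "privatelink:DeleteVpcEndpoint",
     "Resource": f"acs:privatelink:cn-hangzhou:{ACCT}:vpcendpoint/ep-example"},
    {"Effect": "Allow", "Action": ["privatelink:DeleteVpcEndpointService"],
     "Resource": [f"acs:privatelink:*:{ACCT}:vpcendpointservice/*"]},
    {"Effect": "Allow", "Action": "privatelink:UpdateVpcEndpointAttribute",
     "Resource": f"acs:privatelink:cn-hangzhou:{ACCT}:vpcendpointservice/epsrv-example"},
]}

print(*lint(SAMPLE), sep="\n")  # one finding per line
```

The first statement is scoped to a single endpoint in one region and produces no finding; the other two are reported.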