RevokeSecurityGroup

Last Updated: Sep 13, 2017

Description

This operation revokes a security group authorization rule. Two kinds of authorization can be revoked. The first is a rule granted to another security group, within the same region (classic network) or the same VPC, for access over the specified protocol and ports. The second is a rule granted to an IP network segment for access to the security group over the specified protocol and ports.

Note: Only authorization rules that were granted by calling the authorization interface can be revoked, and the parameter values must be the same as those used during authorization.

A security group rule is identified by one of the following two sets of optional parameters:

  • SourceGroupOwnerAccount, SourceGroupId, IpProtocol, PortRange, NicType, Policy
  • SourceCidrIp, IpProtocol, PortRange, NicType, Policy

If the matching rule cannot be found, an error will be reported.

Request parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Action | String | Yes | Value: RevokeSecurityGroup. |
| SecurityGroupId | String | Yes | Indicates the ID of the target security group. |
| RegionId | String | Yes | Indicates the ID of the region of the target security group. |
| IpProtocol | String | Yes | Refers to the IP protocol. Optional values: tcp, udp, icmp, gre, all. all indicates support for all four protocols. |
| PortRange | String | Yes | Indicates the range of port numbers relevant to the IP protocol. When the protocol is tcp or udp, the default port number range is 1-65535; for example, 1/200 means the port number range is 1-200, and if the input value is 200/1, the interface call reports an error. When the protocol is icmp, the port number range is -1/-1. When the protocol is gre, the port number range is -1/-1. When the protocol is all, the port number range is -1/-1. |
| SourceGroupId | String | No | Indicates the ID of the source security group. Either the SourceGroupId or SourceCidrIp parameter must be set. If both are set, then SourceCidrIp is authorized by default. Multiple groups (maximum of 10) can be specified simultaneously, but they must be separated by commas. |
| SourceGroupOwnerId | String | No | Indicates the ID of the AliCloud user account of the source security group when security group rules are revoked across accounts. This parameter is optional. If it is not set, security groups of the same account are revoked by default. If SourceCidrIp has already been set, this parameter is invalid. |
| SourceCidrIp | String | No | Indicates the source IP address range, specified in CIDR format. By default, the value is 0.0.0.0/0, which means no restriction is applied. Other supported formats include 10.159.6.18/12. Only IPv4 is supported. |
| Policy | String | No | Refers to the authorization policy. Optional values: accept, drop. The default value is accept. |
| NicType | String | No | Refers to the network type. Optional values: Internet, Intranet. The default value is Internet. In mutual security group authorization (namely, SourceGroupId is specified, while SourceCidrIp is not), you must specify the NicType as Intranet. |
| Priority | Integer | No | Indicates the priority of the security group rule to be revoked. |

Return parameters

All parameters are public return parameters. For details, refer to Public Return Parameters.

Error code

| Error code | Description | HTTP status code | Meaning |
| --- | --- | --- | --- |
| InvalidRegionId.NotFound | The specified RegionId does not exist. | 404 | The specified RegionId does not exist. |
| MissingParameter | The input parameter RegionId that is mandatory for processing this request is not supplied. | 400 | The RegionId parameter is not specified. |
| InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | 404 | The specified SecurityGroupId does not exist. |
| MissingParameter | The input parameter SecurityGroupId that is mandatory for processing this request is not supplied. | 400 | The SecurityGroupId parameter is not specified. |
| InvalidIpProtocol.ValueNotSupported | The specified IpProtocol does not exist. | 400 | The specified IpProtocol parameter value is not supported. |
| MissingParameter | The input parameter IpProtocol that is mandatory for processing this request is not supplied. | 400 | The IpProtocol parameter is not specified. |
| InvalidPriority.Malformed | The specified parameter Priority is not valid. | 400 | The format of the Priority parameter is incorrect. |
| InvalidIpPortRange.Malformed | The specified parameter PortRange is not valid. | 400 | The format of PortRange is incorrect. |
| MissingParameter | The input parameter PortRange that is mandatory for processing this request is not supplied. | 400 | The PortRange parameter is not specified. |
| InvalidSourceGroupId.NotFound | The SourceGroupId provided does not exist in our records. | 404 | The specified SourceGroupId does not exist. |
| InvalidSourceGroupId.Mismatch | NicType is required or NicType expects intrnet. | 403 | You must specify the NicType parameter or the NicType must be set to intranet. |
| InvalidSourceCidrIp.Malformed | The specified parameter SourceCidrIp is not valid. | 400 | The SourceCidrIp parameter format is incorrect. |
| MissingParameter | The input parameter SourceGroupId or SourceCidrIp cannot be both blank. | 400 | The SourceGroupId or SourceCidrIp parameter is not specified. |
| InvalidPolicy.Malformed | The specified parameter Policy is not valid. | 400 | The format of the Policy parameter is incorrect. |
| InvalidNicType.ValueNotSupported | The specified NicType does not exist. | 400 | The specified NicType value is not supported. |
| InvalidSourceGroupId.Mismatch | SourceGroupOwnerAccount is required. | 403 | Another user’s SourceGroup is specified, but the SourceGroupOwnerUserAccount is not. |
| InvalidSourceGroupOwnerUserAccount.Mismatch | The specified SourceGroupId is not belong to the SourceGroupOwnerAccount. | 403 | The specified SourceGroup does not belong to the user specified in SourceGroupOwnerUserAccount. |
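
The parameter rules and error codes above can be checked on the client before a revoke call is sent, which is useful when automation removes overly broad rules in bulk. The following Python code is an added example, not part of the original API reference: it validates a stored rule against the constraints on this page and returns the action-specific parameters. The rule dictionary, function names and sample values are hypothetical, NicType is compared case-insensitively as an assumption, and the public request parameters (including the signature) are left out.

```python
import ipaddress

PORTLESS = {"icmp", "gre", "all"}      # PortRange must be -1/-1 for these
PROTOCOLS = PORTLESS | {"tcp", "udp"}
# Constructed sample: an SSH rule open to any IPv4 source, as it was authorized.
SAMPLE_RULE = {"RegionId": "cn-hangzhou", "SecurityGroupId": "sg-example",
               "IpProtocol": "tcp", "PortRange": "22/22",
               "SourceCidrIp": "0.0.0.0/0", "Policy": "accept"}

def port_range_ok(proto, port_range):
    if proto in PORTLESS:
        return port_range == "-1/-1"
    try:
        low, high = (int(p) for p in port_range.split("/"))
    except ValueError:                 # wrong field count or non-numeric
        return False
    return 1 <= low <= high <= 65535   # so 200/1 is rejected

def build_revoke_params(rule):
    """Return the action-specific query parameters for revoking `rule`.

    `rule` holds the values used at authorization; they are passed through
    unchanged because the API matches on them. Raises ValueError carrying
    the error code this page lists for the mistake."""
    for key in ("RegionId", "SecurityGroupId", "IpProtocol", "PortRange"):
        if not rule.get(key):
            raise ValueError(f"MissingParameter: {key}")
    if rule["IpProtocol"] not in PROTOCOLS:
        raise ValueError("InvalidIpProtocol.ValueNotSupported")
    if not port_range_ok(rule["IpProtocol"], rule["PortRange"]):
        raise ValueError("InvalidIpPortRange.Malformed")
    if rule.get("Policy", "accept") not in ("accept", "drop"):
        raise ValueError("InvalidPolicy.Malformed")
    cidr, group = rule.get("SourceCidrIp"), rule.get("SourceGroupId")
    if cidr:
        try:                           # IPv4 only; host bits may be set
            ipaddress.IPv4Network(cidr, strict=False)
        except ValueError:
            raise ValueError("InvalidSourceCidrIp.Malformed") from None
    elif not group:
        raise ValueError("MissingParameter: SourceGroupId or SourceCidrIp")
    elif rule.get("NicType", "").lower() != "intranet":  # casing: assumption
        raise ValueError("InvalidSourceGroupId.Mismatch")
    elif len(group.split(",")) > 10:   # the page names no error code for this
        raise ValueError("SourceGroupId lists more than 10 groups")
    return {"Action": "RevokeSecurityGroup", **rule}

def precheck(rule):
    """Return None if the rule passes, otherwise the error text."""
    try:
        build_revoke_params(rule)
    except ValueError as exc:
        return str(exc)
```
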

Examples

Request example

  https://ecs.aliyuncs.com/?Action=RevokeSecurityGroup
  &SecurityGroupId=C0003E8B-B930-4F59-ADC0-0E209A9012B0
  &SourceGroupId=sg-F876FF7BA
  &SourceGroupOwnerAccount=test@aliyun.com
  &IpProtocol=tcp
  &PortRange=1/65535
  &Priority=1
  &<Public Request Parameters>

Return example

XML format

  <RevokeSecurityGroupResponse>
    <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
  </RevokeSecurityGroupResponse>

JSON format

  {
    "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
  }