
Resource Access Management: Application Load Balancer (ALB)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Application Load Balancer.

The code (RamCode) in RAM that is used to indicate Application Load Balancer is alb. You can grant permissions on Application Load Balancer at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Application Load Balancer. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: the other actions that a RAM user or a RAM role must also be permitted to perform. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent actions.

| Actions | APIs | Access level | Resource types | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| alb:AddEntriesToAcl | AddEntriesToAcl | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId} | N/A | N/A |
| alb:ApplyHealthCheckTemplateToServerGroup | ApplyHealthCheckTemplateToServerGroup | Write | HealthCheckTemplate: acs:alb:{#accountId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplateId}; ServerGroup: acs:alb:{#accountId}:{#accountId}:servergroup/{#ServerGroupId} | N/A | N/A |
| alb:AssociateAclsWithListener | AssociateAclsWithListener | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId}; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:AssociateAdditionalCertificatesWithListener | AssociateAdditionalCertificatesWithListener | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:CreateAcl | CreateAcl | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/* | N/A | N/A |
| alb:CreateHealthCheckTemplate | CreateHealthCheckTemplate | Write | HealthCheckTemplate: acs:alb:{#regionId}:{#accountId}:healthchecktemplate/* | N/A | N/A |
| alb:CreateListener | CreateListener | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}; Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId} | acs:ResourceTag | N/A |
| alb:CreateLoadBalancer | CreateLoadBalancer | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/* | N/A | N/A |
| alb:CreateRule | CreateRule | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} | N/A | N/A |
| alb:CreateRules | CreateRules | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} | acs:ResourceTag | N/A |
| alb:CreateSecurityPolicy | CreateSecurityPolicy | Write | SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/* | N/A | N/A |
| alb:CreateServerGroup | CreateServerGroup | Write | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/* | N/A | N/A |
| alb:DeleteAcl | DeleteAcl | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId} | N/A | N/A |
| alb:DeleteListener | DeleteListener | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:DeleteLoadBalancer | DeleteLoadBalancer | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:DeleteRules | DeleteRule | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:DeleteRules | DeleteRules | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:DeleteSecurityPolicy | DeleteSecurityPolicy | Write | SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId} | N/A | N/A |
| alb:DeleteServerGroup | DeleteServerGroup | Write | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} | N/A | N/A |
| alb:DisableDeletionProtection | DisableDeletionProtection | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | N/A | N/A |
| alb:DisableLoadBalancerAccessLog | DisableLoadBalancerAccessLog | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | N/A | N/A |
| alb:DissociateAclsFromListener | DissociateAclsFromListener | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId}; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:DissociateAdditionalCertificatesFromListener | DissociateAdditionalCertificatesFromListener | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:EnableDeletionProtection | EnableDeletionProtection | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | N/A | N/A |
| alb:EnableLoadBalancerAccessLog | EnableLoadBalancerAccessLog | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | N/A | N/A |
| alb:GetGlobalLoadBalancerSummary | N/A | List | LoadBalancer: acs:alb:*:{#accountId}:loadbalancer/* | N/A | N/A |
| alb:GetHealthCheckTemplateAttribute | GetHealthCheckTemplateAttribute | Read | HealthCheckTemplate: acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId} | N/A | N/A |
| alb:GetListenerAttribute | GetListenerAttribute | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:GetListenerHealthStatus | N/A | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:GetLoadBalancerAttribute | GetLoadBalancerAttribute | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:ListAclEntries | ListAclEntries | Read | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId} | N/A | N/A |
| alb:ListAcls | ListAcls | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/* | N/A | N/A |
| alb:ListAsynJobs | ListAsynJobs | List | All resources: acs:alb:{#regionId}:{#accountId}:* | N/A | N/A |
| alb:ListHealthCheckTemplates | ListHealthCheckTemplates | List | HealthCheckTemplate: acs:alb:{#regionId}:{#accountId}:healthchecktemplate/* | N/A | N/A |
| alb:ListListenerCertificates | ListListenerCertificates | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:ListListeners | ListListeners | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/*; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:ListLoadBalancers | ListLoadBalancers | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/*; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:RequestTag, acs:ResourceTag | N/A |
| alb:ListRules | ListRules | Read | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:ListSecurityPolicies | ListSecurityPolicies | List | SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/* | N/A | N/A |
| alb:ListSecurityPolicyRelations | ListSecurityPolicyRelations | List | SecurityPolicy: acs:alb:*:{#accountId}:securitypolicy/*; Listener: acs:alb:*:{#accountId}:listener/* | N/A | N/A |
| alb:ListServerGroupServers | ListServerGroupServers | Read | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} | acs:ResourceTag | N/A |
| alb:ListServerGroups | ListServerGroups | List | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/* | N/A | N/A |
| alb:ListSystemSecurityPolicies | ListSystemSecurityPolicies | List | All resources: acs:alb:{#regionId}:{#accountId}:* | N/A | N/A |
| alb:ListTagKeys | ListTagKeys | List | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/*; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/*; Acl: acs:alb:{#regionId}:{#accountId}:acl/*; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/* | N/A | N/A |
| alb:ListTagResources | ListTagResources | List | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/*; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/*; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/*; Acl: acs:alb:{#regionId}:{#accountId}:acl/* | acs:RequestTag, acs:ResourceTag | N/A |
| alb:ListTagValues | ListTagValues | List | SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/*; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/*; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/*; Acl: acs:alb:{#regionId}:{#accountId}:acl/* | N/A | N/A |
| alb:MoveResourceGroup | MoveResourceGroup | Write | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}; LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId}; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId} | N/A | N/A |
| alb:RemoveEntriesFromAcl | RemoveEntriesFromAcl | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId} | N/A | N/A |
| alb:ReplaceServersInServerGroup | ReplaceServersInServerGroup | Write | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#ServerGroupId} | N/A | N/A |
| alb:StartListener | StartListener | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:StopListener | StopListener | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:TagResources | TagResources | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}; Acl: acs:alb:{#regionId}:{#accountId}:acl/{#AclId}; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId} | acs:RequestTag, acs:ResourceTag | N/A |
| alb:UnTagResources | UnTagResources | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}; Acl: acs:alb:{#regionId}:{#accountId}:acl/{#AclId}; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId} | acs:RequestTag, acs:ResourceTag | N/A |
| alb:UpdateAclAttribute | UpdateAclAttribute | Write | Acl: acs:alb:{#regionId}:{#accountId}:acl/{#aclId} | N/A | N/A |
| alb:UpdateHealthCheckTemplateAttribute | UpdateHealthCheckTemplateAttribute | Write | HealthCheckTemplate: acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId} | N/A | N/A |
| alb:UpdateListenerAttribute | UpdateListenerAttribute | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}; SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}; ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} | acs:ResourceTag | N/A |
| alb:UpdateListenerLogConfig | UpdateListenerLogConfig | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | N/A | N/A |
| alb:UpdateLoadBalancerAttribute | UpdateLoadBalancerAttribute | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:UpdateLoadBalancerEdition | UpdateLoadBalancerEdition | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId} | N/A | N/A |
| alb:UpdateLoadBalancerZones | N/A | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | N/A | N/A |
| alb:UpdateRuleAttribute | UpdateRuleAttribute | Write | LoadBalancer: acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} | acs:ResourceTag | N/A |
| alb:UpdateSecurityPolicyAttribute | UpdateSecurityPolicyAttribute | Write | SecurityPolicy: acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId} | N/A | N/A |
| alb:UpdateServerGroupAttribute | UpdateServerGroupAttribute | Write | ServerGroup: acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} | N/A | N/A |

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Application Load Balancer.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

| Resource type | ARN |
|---|---|
| Acl | acs:alb:{#regionId}:{#accountId}:acl/{#AclId} |
| HealthCheckTemplate | acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplateId} |
| LoadBalancer | acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId} |
| ServerGroup | acs:alb:{#regionId}:{#accountId}:servergroup/{#ServerGroupId} |
| SecurityPolicy | acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId} |
| Listener | acs:alb:{#regionId}:{#accountId}:listener/{#ListenerId} |
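
The ARN layout and wildcard rules above can be checked mechanically before a policy is attached to a RAM user or role. The following Python example is added here and is not Alibaba Cloud code; the function names, the sample policy and its account and resource IDs are assumptions made for illustration.

```python
import re
# ARN layout from the Resource table: acs:alb:{region}:{account}:{type}/{id}
ALB_ARN = re.compile(r"^acs:alb:([^:]*):([^:]*):(?:(\*)|([a-z]+)/(.+))$")
RESOURCE_TYPES = {"acl", "healthchecktemplate", "loadbalancer",
                  "servergroup", "securitypolicy", "listener"}

def audit_alb_arn(arn):
    """Return findings for one Resource value; an empty list means tightly scoped."""
    if arn == "*":
        return ["every resource of every service"]
    m = ALB_ARN.match(arn)
    if not m:
        return ["not in the acs:alb:region:account:type/id form"]
    region, account, everything, rtype, rid = m.groups()
    findings = []
    if "{#" in arn:
        findings.append("template variable {#...} left unreplaced")
    if region == "*":
        findings.append("all regions")
    if account == "*":
        findings.append("all Alibaba Cloud accounts")
    if everything:
        findings.append("all ALB resource types")
    elif rtype not in RESOURCE_TYPES:
        findings.append(f"unknown resource type '{rtype}'")
    elif "*" in rid:
        findings.append(f"wildcard {rtype} ID '{rid}'")
    return findings

def audit_policy(policy):
    """Map each flagged Resource in Allow statements to its findings."""
    report = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        for arn in [res] if isinstance(res, str) else res:
            if findings := audit_alb_arn(arn):
                report[arn] = findings
    return report

# Constructed sample: the account ID and resource IDs below are made up.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["alb:GetLoadBalancerAttribute"],
     "Resource": "acs:alb:cn-hangzhou:1234567890123456:loadbalancer/alb-example01"},
    {"Effect": "Allow", "Action": "alb:DeleteLoadBalancer",
     "Resource": ["acs:alb:*:1234567890123456:loadbalancer/*"]},
    {"Effect": "Allow", "Action": "alb:UpdateAclAttribute",
     "Resource": ["acs:alb:{#regionId}:1234567890123456:acl/acl-example01"]}]}
```

Calling audit_policy(SAMPLE_POLICY) leaves the first statement unflagged and reports the other two: one grants a write action across all regions and load balancers, the other still carries a placeholder from the ARN template.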

Condition

The following table describes the service-specific condition keys that you can use in the Condition element of a policy statement. The keys are defined by Application Load Balancer. The common condition keys that are defined by Alibaba Cloud also apply to Application Load Balancer. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

| Condition keys | Description | Type |
|---|---|---|
| acs:ResourceTag | A tag key and value pair that is attached to a resource. | String |