All Products
Search
Document Center

Application Load Balancer (ALB)

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Application Load Balancer.

The code (RamCode) in RAM that is used to indicate Application Load Balancer is alb. You can grant permissions on Application Load Balancer at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Application Load Balancer. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

alb:AddEntriesToAcl

AddEntriesToAcl

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


N/A

N/A

alb:ApplyHealthCheckTemplateToServerGroup

ApplyHealthCheckTemplateToServerGroup

Write


HealthCheckTemplate


acs:alb:{#accountId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplateId}


ServerGroup


acs:alb:{#accountId}:{#accountId}:servergroup/{#ServerGroupId}


N/A

N/A

alb:AssociateAclsWithListener

AssociateAclsWithListener

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:AssociateAdditionalCertificatesWithListener

AssociateAdditionalCertificatesWithListener

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:CreateAcl

CreateAcl

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/*


N/A

N/A

alb:CreateHealthCheckTemplate

CreateHealthCheckTemplate

Write


HealthCheckTemplate


acs:alb:{#regionId}:{#accountId}:healthchecktemplate/*


N/A

N/A

alb:CreateListener

CreateListener

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}

Acl

acs:alb:{#regionId}:{#accountId}:acl/{#aclId}



acs:ResourceTag


N/A

alb:CreateLoadBalancer

CreateLoadBalancer

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/*


N/A

N/A

alb:CreateRule

CreateRule

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}


N/A

N/A

alb:CreateRules

CreateRules

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}



acs:ResourceTag


N/A

alb:CreateSecurityPolicy

CreateSecurityPolicy

Write


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/*


N/A

N/A

alb:CreateServerGroup

CreateServerGroup

Write


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/*


N/A

N/A

alb:DeleteAcl

DeleteAcl

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


N/A

N/A

alb:DeleteListener

DeleteListener

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:DeleteLoadBalancer

DeleteLoadBalancer

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:DeleteRules

DeleteRule

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:DeleteRules

DeleteRules

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:DeleteSecurityPolicy

DeleteSecurityPolicy

Write


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}


N/A

N/A

alb:DeleteServerGroup

DeleteServerGroup

Write


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}


N/A

N/A

alb:DisableDeletionProtection

DisableDeletionProtection

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


N/A

N/A

alb:DisableLoadBalancerAccessLog

DisableLoadBalancerAccessLog

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


N/A

N/A

alb:DissociateAclsFromListener

DissociateAclsFromListener

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:DissociateAdditionalCertificatesFromListener

DissociateAdditionalCertificatesFromListener

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:EnableDeletionProtection

EnableDeletionProtection

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


N/A

N/A

alb:EnableLoadBalancerAccessLog

EnableLoadBalancerAccessLog

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


N/A

N/A

alb:GetGlobalLoadBalancerSummary

N/A

List


LoadBalancer


acs:alb:*:{#accountId}:loadbalancer/*


N/A

N/A

alb:GetHealthCheckTemplateAttribute

GetHealthCheckTemplateAttribute

Read


HealthCheckTemplate


acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId}


N/A

N/A

alb:GetListenerAttribute

GetListenerAttribute

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:GetListenerHealthStatus

N/A

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:GetLoadBalancerAttribute

GetLoadBalancerAttribute

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:ListAclEntries

ListAclEntries

Read


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


N/A

N/A

alb:ListAcls

ListAcls

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/*


N/A

N/A

alb:ListAsynJobs

ListAsynJobs

List


All resources


acs:alb:{#regionId}:{#accountId}:*


N/A

N/A

alb:ListHealthCheckTemplates

ListHealthCheckTemplates

List


HealthCheckTemplate


acs:alb:{#regionId}:{#accountId}:healthchecktemplate/*


N/A

N/A

alb:ListListenerCertificates

ListListenerCertificates

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:ListListeners

ListListeners

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/*


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:ListLoadBalancers

ListLoadBalancers

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/*


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:RequestTag


acs:ResourceTag


N/A

alb:ListRules

ListRules

Read


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:ListSecurityPolicies

ListSecurityPolicies

List


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/*


N/A

N/A

alb:ListSecurityPolicyRelations

ListSecurityPolicyRelations

List


SecurityPolicy


acs:alb:*:{#accountId}:securitypolicy/*


Listener


acs:alb:*:{#accountId}:listener/*


N/A

N/A

alb:ListServerGroupServers

ListServerGroupServers

Read


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}



acs:ResourceTag


N/A

alb:ListServerGroups

ListServerGroups

List


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/*


N/A

N/A

alb:ListSystemSecurityPolicies

ListSystemSecurityPolicies

List


All resources


acs:alb:{#regionId}:{#accountId}:*


N/A

N/A

alb:ListTagKeys

ListTagKeys

List


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/*


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/*


Acl


acs:alb:{#regionId}:{#accountId}:acl/*


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/*


N/A

N/A

alb:ListTagResources

ListTagResources

List


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/*


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/*


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/*


Acl


acs:alb:{#regionId}:{#accountId}:acl/*



acs:RequestTag


acs:ResourceTag


N/A

alb:ListTagValues

ListTagValues

List


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/*


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/*


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/*


Acl


acs:alb:{#regionId}:{#accountId}:acl/*


N/A

N/A

alb:MoveResourceGroup

MoveResourceGroup

Write


ServerGroup

acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}

LoadBalancer

acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}

Acl

acs:alb:{#regionId}:{#accountId}:acl/{#aclId}

SecurityPolicy

acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}


N/A

N/A

alb:RemoveEntriesFromAcl

RemoveEntriesFromAcl

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


N/A

N/A

alb:ReplaceServersInServerGroup

ReplaceServersInServerGroup

Write


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#ServerGroupId}


N/A

N/A

alb:StartListener

StartListener

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:StopListener

StopListener

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:TagResources

TagResources

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#AclId}


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}



acs:RequestTag


acs:ResourceTag


N/A

alb:UnTagResources

UnTagResources

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#AclId}


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}



acs:RequestTag


acs:ResourceTag


N/A

alb:UpdateAclAttribute

UpdateAclAttribute

Write


Acl


acs:alb:{#regionId}:{#accountId}:acl/{#aclId}


N/A

N/A

alb:UpdateHealthCheckTemplateAttribute

UpdateHealthCheckTemplateAttribute

Write


HealthCheckTemplate


acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId}


N/A

N/A

alb:UpdateListenerAttribute

UpdateListenerAttribute

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}



acs:ResourceTag


N/A

alb:UpdateListenerLogConfig

UpdateListenerLogConfig

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


N/A

N/A

alb:UpdateLoadBalancerAttribute

UpdateLoadBalancerAttribute

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:UpdateLoadBalancerEdition

UpdateLoadBalancerEdition

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}


N/A

N/A

alb:UpdateLoadBalancerZones

N/A

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}


N/A

N/A

alb:UpdateRuleAttribute

UpdateRuleAttribute

Write


LoadBalancer


acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}



acs:ResourceTag


N/A

alb:UpdateSecurityPolicyAttribute

UpdateSecurityPolicyAttribute

Write


SecurityPolicy


acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}


N/A

N/A

alb:UpdateServerGroupAttribute

UpdateServerGroupAttribute

Write


ServerGroup


acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}


N/A

N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Application Load Balancer.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

Acl

acs:alb:{#regionId}:{#accountId}:acl/{#AclId}

HealthCheckTemplate

acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplateId}

LoadBalancer

acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}

ServerGroup

acs:alb:{#regionId}:{#accountId}:servergroup/{#ServerGroupId}

SecurityPolicy

acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}

Listener

acs:alb:{#regionId}:{#accountId}:listener/{#ListenerId}

Condition

The following table describes the values that you can use in the Condition element of a policy statement. The values are defined by Application Load Balancer. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Application Load Balancer. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

Condition keys

Description

Type

acs:ResourceTag

A tag key and value pair that are attached to a resource.

String