
Authentication rules for Express Connect APIs

Last Updated: Feb 11, 2018

When a RAM account uses APIs to access the Express Connect resources of the corresponding Alibaba Cloud account, the Express Connect backend authenticates the RAM account to make sure that the resource owner has granted the caller access rights to the related resources.

Each API determines which resources to check access rights for, according to the resources involved and the API definition. The authentication rules for the APIs are shown in the following table.

| Action | Resource | Condition |
| --- | --- | --- |
| `vpc:DescribeAccessPoints` | `acs:vpc:*:$accountid:*` | |
| `vpc:CreatePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/*` | |
| `vpc:DescribePhysicalConnections` | `acs:vpc:$regionid:$accountid:physicalconnection/*` | |
| `vpc:ModifyPhysicalConnectionAttribute` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:EnablePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:CancelPhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:TerminatePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:DeletePhysicalConnection` | `acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:CreateVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/*`<br>`acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid` | |
| `vpc:DescribeVirtualBorderRouters` | `acs:vpc:$regionid:$accountid:virtualborderrouter/*` | |
| `vpc:ModifyVirtualBorderRouterAttribute` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:DeleteVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:DescribeVirtualBorderRoutersForPhysicalConnection` | `acs:vpc:$regionid:$accountid:virtualborderrouter/*` | `"vpd:PhysicalConnection":"acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid"` |
| `vpc:TerminateVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:RecoverVirtualBorderRouter` | `acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:CreateRouteEntry` | `acs:vpc:$regionid:$accountid:routertable/$routertableid` | |
| `vpc:DescribeRouteTables` | `acs:vpc:$regionid:$accountid:routertable/*` | Route table in VRouter:<br>`"vpc:VRouter":"acs:vpc:$regionid:$accountid:vrouter/$vrouterid"`<br>Route table in RouteVirtualBorderRouter:<br>`"vpc:VirtualBorderRouter":"acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid"` |
| `vpc:DeleteRouteEntry` | `acs:vpc:$regionid:$accountid:routertable/$routertableid` | |
| `vpc:CreateRouterInterface` | The RouterType is VRouter:<br>`acs:vpc:$regionid:$accountid:routerinterface/*`<br>`acs:vpc:$regionid:$accountid:vrouter/$vrouterid`<br>The RouterType is VirtualBorderRouter:<br>`acs:vpc:$regionid:$accountid:routerinterface/*`<br>`acs:vpc:$regionid:$accountid:virtualborderrouter/$virtualborderrouterid` | |
| `vpc:ConnectRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:DescribeRouterInterfaces` | `acs:vpc:$regionid:$accountid:routerinterface/*` | |
| `vpc:DeactivateRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:ActivateRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:ModifyRouterInterfaceAttribute` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:ModifyRouterInterfaceSpec` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
| `vpc:DeleteRouterInterface` | `acs:vpc:$regionid:$accountid:routerinterface/$routerinterfaceid` | |
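The table can be turned into a pre-deployment check on a RAM policy. The following is an added example, not code from Alibaba Cloud: it reports which of the resources listed for an action a policy fails to grant, which matters most for rows such as `vpc:CreateVirtualBorderRouter` that list more than one resource. Assumptions: every resource listed for an action must be allowed, `*` in a policy matches any run of characters, Deny statements and Condition blocks are ignored, and the account ID, connection ID and helper names are constructed for illustration.

```python
import re
from string import Template

# Required resources per action, copied from the table above (subset of rows).
REQUIRED = {
    "vpc:DescribeAccessPoints": ["acs:vpc:*:$accountid:*"],
    "vpc:DeletePhysicalConnection": [
        "acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid"],
    "vpc:CreateVirtualBorderRouter": [
        "acs:vpc:$regionid:$accountid:virtualborderrouter/*",
        "acs:vpc:$regionid:$accountid:physicalconnection/$physicalconnectionid"],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # Assumption: '*' in a policy element matches any run of characters.
    rx = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(rx, value) is not None

def required_resources(action, **ids):
    """Fill the table's $placeholders with the values of one concrete call."""
    return [Template(t).substitute(ids) for t in REQUIRED[action]]

def uncovered(policy, action, **ids):
    """Required resources that no Allow statement grants for this action.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    missing = []
    for res in required_resources(action, **ids):
        granted = any(
            s.get("Effect") == "Allow"
            and any(_match(a, action) for a in _as_list(s["Action"]))
            and any(_match(r, res) for r in _as_list(s["Resource"]))
            for s in policy["Statement"])
        if not granted:
            missing.append(res)
    return missing

# Constructed sample data: account ID and connection ID are placeholders.
IDS = dict(regionid="cn-hangzhou", accountid="1234567890123456",
           physicalconnectionid="pc-example")
VBR = "acs:vpc:cn-hangzhou:1234567890123456:virtualborderrouter/*"
PC = "acs:vpc:cn-hangzhou:1234567890123456:physicalconnection/pc-example"
NARROW = {"Version": "1", "Statement": [{"Effect": "Allow",
          "Action": "vpc:CreateVirtualBorderRouter", "Resource": VBR}]}
FIXED = {"Version": "1", "Statement": [{"Effect": "Allow",
         "Action": "vpc:CreateVirtualBorderRouter", "Resource": [VBR, PC]}]}

if __name__ == "__main__":
    print(uncovered(NARROW, "vpc:CreateVirtualBorderRouter", **IDS))
    print(uncovered(FIXED, "vpc:CreateVirtualBorderRouter", **IDS))
```

`NARROW` grants only the `virtualborderrouter/*` resource, so the check reports the physical connection ARN as missing; `FIXED` lists both resources and reports nothing.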