This topic describes how to manage Server Load Balancer (SLB) permissions of a RAM user by using RAM policies.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.

Background information

  • The following common system policies are used in the RAM console to manage SLB permissions:
    • AliyunSLBFullAccess: grants a RAM user all permissions on SLB instances.
    • AliyunSLBReadOnlyAccess: grants a RAM user the read-only permission on SLB instances.
  • For more information about SLB permissions, see RAM authentication.

Attach a custom policy to a RAM user

  1. Create a custom policy based on Examples of SLB permission policies.

    For more information, see Create a custom policy.

  2. On the Policies page, click the name of the policy.
  3. On the page that appears, click the References tab. On this tab, click Grant Permission.
  4. In the Add Permissions pane, enter the logon name or display name of the RAM user in the Principal field, and select the RAM user from the auto-complete results.
  5. Click OK.
  6. Click Complete.

Examples of SLB permission policies

  • Example 1: Authorize a RAM user to manage two specified SLB instances.

    To authorize a RAM user to manage the SLB instances i-001 and i-002 in your Alibaba Cloud account, use the following policy:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": [
            "acs:slb:*:*:loadbalancer/i-001",
            "acs:slb:*:*:loadbalancer/i-002"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "slb:Describe*",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
    Note
    • The authorized RAM user can view all SLB instances. However, the RAM user can manage only the specified two SLB instances.
    • The policy must contain the slb:Describe* statement. Otherwise, the authorized RAM user cannot view instances in the console, although the RAM user can still manage the two specified SLB instances by calling API operations or by using the CLI or SDK.
  • Example 2: Authorize a RAM user to add an ECS instance as a backend server of the SLB instance slb-001. The ID of the ECS instance is i-001.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:AddBackendServers",
          "Resource": ["acs:slb:*:*:loadbalancer/slb-001"]
        },
        {
          "Effect": "Allow",
          "Action": "slb:AddBackendServers",
          "Resource": ["acs:ecs:*:*:instance/i-001"]
        },
        {
          "Effect": "Allow",
          "Action": "slb:DescribeLoadBalancers",
          "Resource": "acs:slb:*:*:loadbalancer/*"
        }
      ],
      "Version": "1"
    }
    Note You must grant both of the following permissions to a RAM user. Otherwise, the RAM user cannot add or remove ECS instances or set the weights of ECS instances.
    • Permissions on SLB instances
    • Permissions on ECS instances
  • Example 3: Authorize a RAM user to perform ECS-related operations on a specified SLB instance.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": [
            "acs:slb:*:*:loadbalancer/i-001",
            "acs:slb:*:*:loadbalancer/i-002"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "slb:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ecs:DescribeInstances",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": [
            "acs:ecs:*:*:instance/i-instance001",
            "acs:ecs:*:*:instance/i-instance002"
          ]
        }
      ],
      "Version": "1"
    }
    Note This policy allows the RAM user to manage the two SLB instances i-001 and i-002, including all ECS-related operations on these SLB instances. For example, the RAM user can add the ECS instances i-instance001 and i-instance002 as backend servers of the two SLB instances and set the weights of the ECS instances. After this policy is attached to the RAM user, the RAM user can view the ECS instance list when selecting ECS instances.
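The following added example (not part of this topic or of the RAM service) shows how the statements of Example 1 combine: a small Python evaluator that matches an action and an ARN against each statement with the `*` wildcard, applies default deny, and lets an explicit Deny override any Allow. It assumes no Condition keys and case-sensitive names; the region `cn-hangzhou` and account ID `123456` in the checks are constructed placeholders.

```python
import json
import re

# Example 1 policy from this topic, embedded verbatim as the input to evaluate.
POLICY_JSON = """
{
  "Statement": [
    {"Effect": "Allow", "Action": "slb:*",
     "Resource": ["acs:slb:*:*:loadbalancer/i-001",
                  "acs:slb:*:*:loadbalancer/i-002"]},
    {"Effect": "Allow", "Action": "slb:Describe*", "Resource": "*"}
  ],
  "Version": "1"
}
"""
POLICY = json.loads(POLICY_JSON)


def _glob_match(pattern: str, value: str) -> bool:
    # '*' is the only wildcard in RAM patterns; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified RAM evaluation (assumption: no Condition keys):
    default deny, any matching Allow grants, any matching Deny overrides."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"])) and \
              any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    acct = "acs:slb:cn-hangzhou:123456:loadbalancer/"  # constructed placeholder
    checks = [("slb:DeleteLoadBalancer", acct + "i-001"),   # in scope: Allow
              ("slb:DeleteLoadBalancer", acct + "i-003"),   # out of scope: Deny
              ("slb:DescribeLoadBalancers", acct + "i-003")]  # Describe*: Allow
    for act, res in checks:
        print(f"{act:26} {res.rsplit('/', 1)[-1]:6} -> "
              f"{'Allow' if is_allowed(POLICY, act, res) else 'Deny'}")
```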