This topic describes how to manage Server Load Balancer (SLB) permissions of a Resource Access Management (RAM) user by using RAM policies.
Prerequisites
An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
Background information
- The following common system policies are used in the RAM console to manage SLB permissions:
  - AliyunSLBFullAccess: grants a RAM user all permissions on SLB instances.
  - AliyunSLBReadOnlyAccess: grants a RAM user the read-only permission on SLB instances.
- For more information about SLB permissions, see RAM authentication.
Attach a custom policy to a RAM user
Examples of SLB permission policies
- Example 1: Authorize a RAM user to manage two specified SLB instances.
  To authorize a RAM user to manage the SLB instances i-001 and i-002 in your Alibaba Cloud account, use the following policy:

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "slb:*",
            "Resource": [
              "acs:slb:*:*:loadbalancer/i-001",
              "acs:slb:*:*:loadbalancer/i-002"
            ]
          },
          {
            "Effect": "Allow",
            "Action": "slb:Describe*",
            "Resource": "*"
          }
        ],
        "Version": "1"
      }

  Note
  - The authorized RAM user can view all SLB instances. However, the RAM user can manage only the specified two SLB instances.
  - The policy must contain the Describe* element. Otherwise, the authorized RAM user cannot view instances in the console. However, the RAM user can still manage the two specified SLB instances by calling API operations or using the CLI or SDK.
- Example 2: Authorize a RAM user to add an ECS instance as a backend server of the SLB instance slb-001. The ID of the ECS instance is i-001.

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "slb:AddBackendServers",
            "Resource": ["acs:slb:*:*:loadbalancer/slb-001"]
          },
          {
            "Effect": "Allow",
            "Action": "slb:AddBackendServers",
            "Resource": ["acs:ecs:*:*:instance/i-001"]
          },
          {
            "Effect": "Allow",
            "Action": "slb:DescribeLoadBalancers",
            "Resource": "acs:slb:*:*:loadbalancer/*"
          }
        ],
        "Version": "1"
      }

  Note You must grant both of the following permissions to a RAM user. Otherwise, the RAM user cannot add or remove ECS instances or set the weights of ECS instances.
  - Permissions on SLB instances
  - Permissions on ECS instances
- Example 3: Authorize a RAM user to perform ECS-related operations on a specified SLB instance.

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "slb:*",
            "Resource": [
              "acs:slb:*:*:loadbalancer/i-001",
              "acs:slb:*:*:loadbalancer/i-002"
            ]
          },
          {
            "Effect": "Allow",
            "Action": "slb:Describe*",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ecs:DescribeInstances",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "slb:*",
            "Resource": [
              "acs:ecs:*:*:instance/i-instance001",
              "acs:ecs:*:*:instance/i-instance002"
            ]
          }
        ],
        "Version": "1"
      }

  Note This policy allows the RAM user to manage the two SLB instances i-001 and i-002, including all ECS-related operations on those SLB instances. For example, the RAM user can add the ECS instances i-instance001 and i-instance002 as backend servers of the two SLB instances and set the weights of the ECS instances. After this policy is attached to the RAM user, the RAM user can view the ECS instance list when selecting ECS instances.