Resource Access Management:Use RAM to manage CLB permissions

Last Updated:Feb 07, 2024

This topic describes how to manage Classic Load Balancer (CLB) permissions of Resource Access Management (RAM) users. In the RAM console, you can create custom policies and attach the policies to the RAM users.

Background information

  • Before you manage the CLB permissions of RAM users, take note of the following system policies:

    • AliyunSLBFullAccess: grants a RAM user the permissions to manage CLB instances.

    • AliyunSLBReadOnlyAccess: grants read-only permissions on CLB instances.

    If the provided system policies cannot meet your business requirements, you can create custom policies.

  • Before you manage the CLB permissions of RAM users, take note of the CLB permissions. For more information, see Authorize a RAM user.

Procedure

  1. Create a RAM user.

    For more information, see Create a RAM user.

  2. Create a custom policy.

    For more information, see Create custom policies and Policy examples.

  3. Attach the policy to the RAM user.

    For more information, see Grant permissions to RAM users.

Policy examples

  • Example 1: Authorize a RAM user to manage two specific CLB instances.

    To authorize a RAM user to manage the CLB instances lb-abcdxxxx001 and lb-abcdxxxx002 in your Alibaba Cloud account, use the following sample policy:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": [
                      "acs:slb:*:*:loadbalancer/lb-abcdxxxx001",
                      "acs:slb:*:*:loadbalancer/lb-abcdxxxx002"
                      ]
        },
        {
          "Effect": "Allow",
          "Action": "slb:Describe*",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
    Note
    • The authorized RAM user can view all CLB instances, but can manage only the two specified CLB instances.

    • The slb:Describe* statement is required in the policy. Without it, the authorized RAM user cannot view instances in the Server Load Balancer (SLB) console, although the RAM user can still call API operations or use a CLI or SDK to manage the two specified CLB instances.

  • Example 2: Authorize a RAM user to add an Elastic Compute Service (ECS) instance as a backend server of the SLB instance slb-001. The ID of the ECS instance is lb-abcdxxxx001.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:AddBackendServers",
          "Resource": ["acs:slb:*:*:loadbalancer/slb-001"]
        },
        {
          "Effect": "Allow",
          "Action": "slb:AddBackendServers",
          "Resource": ["acs:ecs:*:*:instance/lb-abcdxxxx001"]
        },
        {
           "Effect": "Allow",
           "Action": "slb:DescribeLoadBalancers",
           "Resource": "acs:slb:*:*:loadbalancer/*"
        }
      ],
      "Version": "1"
    }
    Note

    After you grant a RAM user permissions to manage a CLB instance based on the policy described in Example 1, you must also grant the following two permissions to the RAM user. Otherwise, the RAM user cannot add or remove ECS instances or configure the weights of ECS instances.

    • Permissions on CLB instances

    • Permissions on ECS instances

  • Example 3: Authorize a RAM user to perform ECS-related operations on a specific CLB instance.

    {
        "Statement": [{
                "Effect": "Allow",
                "Action": "slb:*",
                "Resource": [
                    "acs:slb:*:*:loadbalancer/lb-abcdxxxx001",
                    "acs:slb:*:*:loadbalancer/lb-abcdxxxx002"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "slb:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ecs:DescribeInstances",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "slb:*",
                "Resource": [
                    "acs:ecs:*:*:instance/i-instance001",
                    "acs:ecs:*:*:instance/i-instance002"
                ]
            }
        ],
        "Version": "1"
    }
    Note

    The preceding policy allows the RAM user to manage the CLB instances lb-abcdxxxx001 and lb-abcdxxxx002, and to perform all ECS-related operations on those CLB instances. For example, the RAM user can add the ECS instances i-instance001 and i-instance002 as backend servers of the two specified CLB instances and configure the weights of the ECS instances. After this policy is attached to the RAM user, the RAM user can view the ECS instance list when selecting ECS instances.
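    To see how a policy such as Example 1 resolves to "view all instances, manage only two", the following added example (not part of this topic and not an Alibaba Cloud tool) evaluates an action and resource pair against a policy document using a simplified RAM model: default deny, `*` wildcard matching in Action and Resource, and an explicit Deny overriding any Allow. The region cn-hangzhou and account ID 1234567890 used in the checks are constructed values.

```python
import fnmatch
import json

# Example 1 policy from this topic, embedded as the sample input.
EXAMPLE_1_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "slb:*",
     "Resource": ["acs:slb:*:*:loadbalancer/lb-abcdxxxx001",
                  "acs:slb:*:*:loadbalancer/lb-abcdxxxx002"]},
    {"Effect": "Allow", "Action": "slb:Describe*", "Resource": "*"}
  ],
  "Version": "1"
}
""")

# Constructed ARNs for the checks below (region and account ID are made up).
LB_001 = "acs:slb:cn-hangzhou:1234567890:loadbalancer/lb-abcdxxxx001"
LB_OTHER = "acs:slb:cn-hangzhou:1234567890:loadbalancer/lb-other"


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """A policy '*' matches any run of characters, including ':' and '/'."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: default deny; an explicit Deny wins over Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Describe on any instance is allowed; a mutating action only on the two listed IDs.
    print(is_allowed(EXAMPLE_1_POLICY, "slb:DescribeLoadBalancers", LB_OTHER))
    print(is_allowed(EXAMPLE_1_POLICY, "slb:SetLoadBalancerStatus", LB_001))
    print(is_allowed(EXAMPLE_1_POLICY, "slb:SetLoadBalancerStatus", LB_OTHER))
```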