Before a Resource Access Management (RAM) user can call the API operations of Anycast Elastic IP Address (EIP), you must use an Alibaba Cloud account to grant the required permissions to the RAM user. Alibaba Cloud Resource Names (ARNs) are used to specify resources in policies.

Table 1. The type of resource that you can authorize to a RAM user
Resource type Description The ARN that is used to specify the resource
anycast Anycast EIP

acs:eipanycast:{#regionId}:{#accountId}:anycast/*

acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}

Authentication rules of API operations

When you call API operations to access resources as a RAM user, the system checks whether you are granted the required permissions.

The permissions to be checked are determined by the resources that are used by each API operation. The following table describes the corresponding authentication rule for each API operation.

Table 2. Authentication rules
API operation Authentication rule
eipanycast:AllocateAnycastEipAddress acs:eipanycast:{#regionId}:{#accountId}:anycast/*
eipanycast:ModifyAnycastEipAddressAttribute acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
eipanycast:ModifyAnycastEipAddressSpec acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
eipanycast:ReleaseAnycastEipAddress acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
eipanycast:AssociateAnycastEipAddress

acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}

acs:slb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}

acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}

eipanycast:UnassociateAnycastEipAddress

acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}

acs:slb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}

acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}

eipanycast:DescribeAnycastEipAddress acs:eipanycast:{#regionId}:{#accountId}:anycast/{#anycastId}
eipanycast:ListAnycastEipAddresses acs:eipanycast:{#regionId}:{#accountId}:anycast/*
eipanycast:DescribeAnycastPopLocations Not required
eipanycast:DescribeAnycastServerRegions Not required