All Products
Search
Document Center

Elastic Compute Service:LeaveSecurityGroup

Last Updated:Sep 29, 2024

Removes an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) from a security group. To remove an ECS instance from a security group, specify SecurityGroupId and InstanceId in the request. To remove an ENI from a security group, specify SecurityGroupId and NetworkInterfaceId in the request.

Operation description

Usage notes

Note
  • To improve user experience, Alibaba Cloud modified the verification rules for the LeaveSecurityGroup operation on July 8, 2024. When you remove an ECS instance or ENI that does not belong to a security group from the security group, the "InvalidSecurityGroupAssociation.NotFound" error code is returned instead of a success response. Update the LeaveSecurityGroup operation to use the new verification rules with the new error code based on your business requirements.

  • This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an ECS instance to or remove an ECS instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.

Take note of the following items:

  • Before you remove an instance from a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.
  • An instance must belong to at least one security group. Therefore, if the instance to be removed belongs to only one security group, the LeaveSecurityGroup request fails.
  • You cannot remove an instance and an ENI from a security group at the same time. This indicates that you cannot specify InstanceId and NetworkInterfaceId in one request.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
ecs:LeaveSecurityGroupupdate
  • Instance
    acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}
  • SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
SecurityGroupIdstringYes

The security group ID.

sg-bp67acfmxazb4p****
InstanceIdstringNo

The instance ID.

Note If you configure this parameter, you cannot configure NetworkInterfaceId.
i-bp67acfmxazb4p****
NetworkInterfaceIdstringNo

The ENI ID.

Note If you configure this parameter, you cannot configure InstanceId.
eni-bp13kd656hxambfe****
RegionIdstringNo

The region ID. You can call the DescribeRegions operation to query the most recent region list.

  • If you want to remove an instance from a security group, you do not need to specify a region ID.
  • If you want to remove an ENI from a security group, you must specify the ID of the region in which the ENI resides.
cn-hangzhou

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

Examples

Sample success responses

JSONformat

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

HTTP status codeError codeError messageDescription
400InvalidInstanceId.MalformedThe specified parameter "InstanceId" is not valid.-
400MissingParameter.RegionIdThe specified RegionId should not be null.The RegionId parameter is required.
400InvalidOperation.InvalidEniState%s-
400InvalidSecurityGroupAssociation.NotFound%s.The specified ECS or ENI is not associated with the specified security group.
403InstanceLastSecurityGroupThe specified security group is the last security group for the instance.The specified security group is the only security group to which the instance belongs.
403IncorrectInstanceStatusThe current status of the resource does not support this operation.The resource is in a state that does not support the current operation.
403InstanceLockedForSecurityThe specified operation is denied as your instance is locked for security reasons.-
403InstanceNotInSecurityGroupThe instance not in the group.The specified instance does not belong to the security group.
403InvalidOperation.ResourceManagedByCloudProduct%sYou cannot modify security groups managed by cloud services.
403InvalidOperation.AtLeastInOneGroup%s-
403InvalidOperation.EniServiceManaged%sThe operation is invalid.
403InvalidOperation.InvalidEniType%s-
403InvalidParam.Malformed%s-
403InvalidParam.EniIdAndInstanceId.Conflict%sThe InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified.
404InvalidInstanceId.NotFoundThe specified InstanceId does not exist.The specified instance does not exist.
404InvalidSecurityGroupId.NotFoundThe specified SecurityGroupId does not exist.The specified security group does not exist in this account. Check whether the security group ID is correct.
404InvalidEniId.NotFound%sThe specified ENI ID does not exist.
504RequestTimeoutThe request encounters an upstream server timeout.The request is denied due to a timeout error of the upstream server.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-06-03The Error code has changedView Change Details