You can use resource groups with RAM to isolate resources and manage fine-grained permissions within a single Alibaba Cloud account. This topic explains how EIPs support resource groups and outlines the steps to grant resource group-level permissions.
-
Resource-group-level authorization applies only to resource types that support resource groups and to operations that support resource-group-level authorization.
-
For resource types that do not support resource groups, and for operations that do not support resource-group-level authorization, permissions granted at the resource group scope have no effect. Select the account level as the resource scope for them instead. For more information, see Unsupported resource group-level authorization actions.
Resource group authorization
You can use resource groups to organize resources in your Alibaba Cloud account. For example, you can create a resource group for each project to hold all its resources, which lets you manage them centrally. For more information, see What is a resource group?.
After grouping your resources, you can grant permissions for a specific resource group to a RAM principal, such as a RAM user, RAM user group, or RAM role. This restricts the principal to managing only the resources in that group. For more information, see Resource grouping and authorization.
This authorization method offers the following benefits:
-
Fine-grained permissions: Grants each identity only the precise permissions it needs to access resources and prevents resources from different projects from being managed together.
-
Scalability: When you add new resources to a resource group, a RAM principal that already has permissions on that group can manage the new resources immediately. No additional authorization is needed.
Grant a RAM user resource group permissions
This section shows how to grant a RAM user permissions on Elastic IP Address (EIP) resources in a specific resource group.
1. Prerequisites
-
Create a RAM user. For more information, see Create a RAM user.
-
Create a resource group and move existing resources to it. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.
2. Grant resource group permissions
Use one of the following methods to grant permissions on the resource group.
Method 1: Resource Management console
Use the resource group's permission management feature to grant permissions to a specific RAM user. For more information, see Grant permissions within the scope of a resource group to a RAM identity.
-
Log on to the Resource Management console.
-
On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.
-
On the Permission Management tab, click Grant Permission.
-
In the Grant Permission panel, configure the principal and the policy.
-
Principal: Select an existing RAM user.
-
Permission Policy: Select a system policy or a custom policy. For more information, see Create a custom policy.
-
Click Confirm.
Method 2: RAM console
You can also grant a specific RAM user permissions on a resource group in the RAM console. For more information, see Manage permissions for a RAM user.
-
Log on to the RAM console with your Alibaba Cloud account or as a RAM administrator.
-
In the left-side navigation pane, open the Users page. Find the target RAM user and click Add Permissions in the Actions column.
-
In the Add Permissions panel, configure the following settings:
-
Resource Scope: Select Resource Group.
-
Principal: The current RAM user is automatically specified.
-
Permission Policy: Select a system policy or a custom policy. For more information, see Create a custom policy.
-
Click Confirm.
Resource types that support resource groups
This table lists the Elastic IP Address (EIP) resource types that support resource groups:
| Cloud service | Cloud service code | Resource type |
| Elastic IP Address | eip | eip: Elastic IP Address |
You can request support for resource types that are not currently supported by resource groups by submitting feedback in the Resource Group console.

Unsupported resource group-level authorization actions
The following actions for elastic IP addresses do not support resource-group-level authorization:
| Actions | Description |
| vpc:AddBandwidthPackageIps | - |
| vpc:AddGlobalAccelerationInstanceIp | Adds an EIP to a specified bandwidth sharing instance. |
| vpc:AddIPv6TranslatorAclListEntry | Adds an IP entry to an access control list (ACL). |
| vpc:AllocateVpcIpv6Cidr | Reserves a specified IPv6 CIDR block. |
| vpc:CancelExpressCloudConnection | - |
| vpc:CheckVpnBgpEnabled | Checks whether an IPsec connection's region supports BGP. |
| vpc:ConvertBandwidthPackage | Converts a NAT bandwidth package. |
| vpc:CreateNatGateway | - |
| vpc:CreateBandwidthPackage | - |
| vpc:CreateBondRouterInterfaceConnection | - |
| vpc:CreateExpressCloudConnection | Creates an Express Connect instance. |
| vpc:CreateGlobalAccelerationInstance | Creates a Global Accelerator instance. |
| vpc:CreateIPv6Translator | Creates an IPv6 Translation Service instance. |
| vpc:CreateIPv6TranslatorAclList | Creates an access control list (ACL). |
| vpc:CreateIPv6TranslatorEntry | Adds an IPv6 translation entry to a specified IPv6 Translation Service instance. |
| vpc:CreateNqa | - |
| vpc:DeleteBandwidthPackage | - |
| vpc:DeleteGlobalAccelerationInstance | Deletes a Global Accelerator instance. |
| vpc:DeleteIPv6Translator | Deletes an IPv6 Translation Service instance. |
| vpc:DeleteIPv6TranslatorAclList | Deletes an access control list (ACL). An ACL can be deleted only if it has no associated IPv6 translation entries. |
| vpc:DeleteIPv6TranslatorEntry | Deletes an IPv6 translation entry. |
| vpc:DeleteIpv6EgressOnlyRule | Deletes an egress-only rule. |
| vpc:DescribeAccessPoints | - |
| vpc:DescribeBandwidthPackageMonitorData | - |
| vpc:DescribeBandwidthPackagePublicIpMonitorData | - |
| vpc:DescribeGlobalAccelerationInstances | Queries Global Accelerator instances. |
| vpc:DescribeGrantRulesToCbn | - |
| vpc:DescribeIPv6TranslatorAclListAttributes | Queries the details of an access control list (ACL), including its IP entries and associated IPv6 translation entries. |
| vpc:DescribeIPv6TranslatorAclLists | Queries access control lists (ACLs). |
| vpc:DescribeIPv6TranslatorEntries | Queries IPv6 translation entries. |
| vpc:DescribeInstances | - |
| vpc:DescribeNetworkQuotas | - |
| vpc:DescribePublicIpAddress | Queries the public IP address range of VPCs in a specified region. |
| vpc:DescribeRouterInterfacesForGlobal | - |
| vpc:DescribeServerRelatedGlobalAccelerationInstances | Queries the Global Accelerator instances that are associated with a specified backend server. |
| vpc:DescribeVPCs | - |
| vpc:DescribeVpnGatewayAvailableZones | Queries the availability zones in a specified region that support IPsec connections. |
| vpc:DescribeVrouters | - |
| vpc:DescribeZones | - |
| vpc:DiagnoseVpnConnections | Diagnoses IPsec connections. |
| vpc:DiagnoseVpnConnectionsHistory | - |
| vpc:DiagnoseVpnGateway | Diagnoses a specified VPN gateway. |
| vpc:DisableNatGatewayEcsMetric | Disables ECS traffic monitoring. |
| vpc:EnableNatGatewayEcsMetric | Enables ECS traffic monitoring. |
| vpc:GetBusinessAccessPointDetail | - |
| vpc:GetFlowLogServiceStatus | Queries the status of the flow log feature. |
| vpc:GetNatIpCidrAttribute | - |
| vpc:GetObject | - |
| vpc:GetPhysicalConnectionServiceStatus | Checks whether billing for outbound traffic is enabled for the current account. |
| vpc:GetPublicIpAddressPoolServiceStatus | Queries the status of the IP address pool feature. |
| vpc:GetTrafficMirrorServiceStatus | Queries the status of the traffic mirroring feature. |
| vpc:GetVpcIpamServiceStatus | Queries the status of the IPAM feature. |
| vpc:GetVpnGatewayDiagnoseResult | Queries the diagnosis result for a VPN gateway. |
| vpc:GrantInstanceToCbn | - |
| vpc:InnerVpcCreateDscp | - |
| vpc:InnerVpcDeleteDscp | - |
| vpc:InnerVpcDescribeCrossBorderRouterInterface | - |
| vpc:InnerVpcDescribeDscp | - |
| vpc:InnerVpcModifyDscp | - |
| vpc:InnerVpcRefreshDscp | - |
| vpc:ListBusinessAccessPointPortUsage | - |
| vpc:ListBusinessAccessPoints | Lists access points for physical connections. |
| vpc:ListBusinessRegions | Lists the regions where physical connections can be purchased. |
| vpc:ListGeographicSubRegions | Lists geographic sub-regions. |
| vpc:ListNatGatewayEcsMetric | - |
| vpc:ListVpcCloudInstance | - |
| vpc:ListVpcEndpointServicesByEndUser | Lists available endpoint services. |
| vpc:ModifyBandwidthPackageAttribute | - |
| vpc:ModifyBandwidthPackageSpec | - |
| vpc:ModifyBypassToaAttribute | - |
| vpc:ModifyExpressCloudConnectionAttribute | Modifies an Express Connect instance. |
| vpc:ModifyGlobalAccelerationInstanceAttributes | Modifies the name and description of a Global Accelerator instance. |
| vpc:ModifyGlobalAccelerationInstanceSpec | Modifies the bandwidth of a Global Accelerator instance. |
| vpc:ModifyIPv6TranslatorAclAttribute | Modifies the name of an access control list (ACL). |
| vpc:ModifyIPv6TranslatorAclListEntry | Modifies an IP entry in an access control list (ACL). |
| vpc:ModifyIPv6TranslatorAttribute | Modifies the name and description of an IPv6 Translation Service instance. |
| vpc:ModifyIPv6TranslatorBandwidth | Modifies the bandwidth of an IPv6 Translation Service instance. |
| vpc:ModifyIPv6TranslatorEntry | Modifies an IPv6 translation entry. |
| vpc:ModifyIpv6GatewaySpec | - |
| vpc:OpenFlowLogService | Enables the flow log feature. |
| vpc:OpenPhysicalConnectionService | Enables the outbound traffic service. |
| vpc:OpenPublicIpAddressPoolService | Enables the IP address pool feature. |
| vpc:OpenTrafficMirrorService | Enables the traffic mirroring feature. |
| vpc:OpenVpcIpamService | Enables the IPAM feature. |
| vpc:QueryPconnTrafficPrice | - |
| vpc:QueryPhysicalConnectionPrice | - |
| vpc:RejectVpcPeerConnection | Rejects a request to create a VPC peering connection. |
| vpc:RemoveBandwidthPackageIps | - |
| vpc:RemoveGlobalAccelerationInstanceIp | Removes an EIP from a bandwidth sharing instance. |
| vpc:RemoveIPv6TranslatorAclListEntry | Removes an IP entry from an access control list (ACL). |
| vpc:RevokeInstanceFromCbn | - |
| vpc:SetHaVipMasterInstance | - |
| vpc:TransformEipSegmentToPublicIpAddressPool | Migrates a contiguous EIP group to an IP address pool. |
| vpc:UnAssociateEipAddress | - |
| vpc:UnassociateGlobalAccelerationInstance | Disassociates a backend server from a Global Accelerator instance. |
| vpc:UpdateCrossBorderStatus | - |
| vpc:associatevpccidrblock | - |
| vpc:createvpc | - |
| vpc:deleteBgpNetwork | - |
| vpc:describeVpcs | - |
| vpc:releaseIpv6Address | - |
For operations that do not support resource-group-level authorization, granting permissions at the resource group level has no effect. To grant a RAM user permissions for these operations, create a custom policy and grant the permissions at the account level.
Here are two custom policy examples. You can adjust the policies as needed.
-
Allows the read-only operations that do not support resource group-level authorization. The Action field lists these operations.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:CheckVpnBgpEnabled",
        "vpc:DescribeAccessPoints",
        "vpc:DescribeBandwidthPackageMonitorData",
        "vpc:DescribeBandwidthPackagePublicIpMonitorData",
        "vpc:DescribeGlobalAccelerationInstances",
        "vpc:DescribeGrantRulesToCbn",
        "vpc:DescribeIPv6TranslatorAclListAttributes",
        "vpc:DescribeIPv6TranslatorAclLists",
        "vpc:DescribeIPv6TranslatorEntries",
        "vpc:DescribeInstances",
        "vpc:DescribeNetworkQuotas",
        "vpc:DescribePublicIpAddress",
        "vpc:DescribeRouterInterfacesForGlobal",
        "vpc:DescribeServerRelatedGlobalAccelerationInstances",
        "vpc:DescribeVPCs",
        "vpc:DescribeVpnGatewayAvailableZones",
        "vpc:DescribeVrouters",
        "vpc:DescribeZones",
        "vpc:GetBusinessAccessPointDetail",
        "vpc:GetFlowLogServiceStatus",
        "vpc:GetNatIpCidrAttribute",
        "vpc:GetObject",
        "vpc:GetPhysicalConnectionServiceStatus",
        "vpc:GetPublicIpAddressPoolServiceStatus",
        "vpc:GetTrafficMirrorServiceStatus",
        "vpc:GetVpcIpamServiceStatus",
        "vpc:GetVpnGatewayDiagnoseResult",
        "vpc:ListBusinessAccessPointPortUsage",
        "vpc:ListBusinessAccessPoints",
        "vpc:ListBusinessRegions",
        "vpc:ListGeographicSubRegions",
        "vpc:ListNatGatewayEcsMetric",
        "vpc:ListVpcCloudInstance",
        "vpc:ListVpcEndpointServicesByEndUser"
      ],
      "Resource": "*"
    }
  ]
}
-
Allows every action that does not support resource group-level authorization, including the ones that create, modify, and delete resources. The Action field lists these actions. This is the maximum grant for the table above, not a recommended one; remove the actions the RAM user does not need. The action names match the table exactly (the original policy misspelled vpc:CreateNatGateway and vpc:UpdateCrossBorderStatus, and a misspelled action name matches nothing and grants nothing).
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:AddBandwidthPackageIps",
        "vpc:AddGlobalAccelerationInstanceIp",
        "vpc:AddIPv6TranslatorAclListEntry",
        "vpc:AllocateVpcIpv6Cidr",
        "vpc:CancelExpressCloudConnection",
        "vpc:CheckVpnBgpEnabled",
        "vpc:ConvertBandwidthPackage",
        "vpc:CreateNatGateway",
        "vpc:CreateBandwidthPackage",
        "vpc:CreateBondRouterInterfaceConnection",
        "vpc:CreateExpressCloudConnection",
        "vpc:CreateGlobalAccelerationInstance",
        "vpc:CreateIPv6Translator",
        "vpc:CreateIPv6TranslatorAclList",
        "vpc:CreateIPv6TranslatorEntry",
        "vpc:CreateNqa",
        "vpc:DeleteBandwidthPackage",
        "vpc:DeleteGlobalAccelerationInstance",
        "vpc:DeleteIPv6Translator",
        "vpc:DeleteIPv6TranslatorAclList",
        "vpc:DeleteIPv6TranslatorEntry",
        "vpc:DeleteIpv6EgressOnlyRule",
        "vpc:DescribeAccessPoints",
        "vpc:DescribeBandwidthPackageMonitorData",
        "vpc:DescribeBandwidthPackagePublicIpMonitorData",
        "vpc:DescribeGlobalAccelerationInstances",
        "vpc:DescribeGrantRulesToCbn",
        "vpc:DescribeIPv6TranslatorAclListAttributes",
        "vpc:DescribeIPv6TranslatorAclLists",
        "vpc:DescribeIPv6TranslatorEntries",
        "vpc:DescribeInstances",
        "vpc:DescribeNetworkQuotas",
        "vpc:DescribePublicIpAddress",
        "vpc:DescribeRouterInterfacesForGlobal",
        "vpc:DescribeServerRelatedGlobalAccelerationInstances",
        "vpc:DescribeVPCs",
        "vpc:DescribeVpnGatewayAvailableZones",
        "vpc:DescribeVrouters",
        "vpc:DescribeZones",
        "vpc:DiagnoseVpnConnections",
        "vpc:DiagnoseVpnConnectionsHistory",
        "vpc:DiagnoseVpnGateway",
        "vpc:DisableNatGatewayEcsMetric",
        "vpc:EnableNatGatewayEcsMetric",
        "vpc:GetBusinessAccessPointDetail",
        "vpc:GetFlowLogServiceStatus",
        "vpc:GetNatIpCidrAttribute",
        "vpc:GetObject",
        "vpc:GetPhysicalConnectionServiceStatus",
        "vpc:GetPublicIpAddressPoolServiceStatus",
        "vpc:GetTrafficMirrorServiceStatus",
        "vpc:GetVpcIpamServiceStatus",
        "vpc:GetVpnGatewayDiagnoseResult",
        "vpc:GrantInstanceToCbn",
        "vpc:InnerVpcCreateDscp",
        "vpc:InnerVpcDeleteDscp",
        "vpc:InnerVpcDescribeCrossBorderRouterInterface",
        "vpc:InnerVpcDescribeDscp",
        "vpc:InnerVpcModifyDscp",
        "vpc:InnerVpcRefreshDscp",
        "vpc:ListBusinessAccessPointPortUsage",
        "vpc:ListBusinessAccessPoints",
        "vpc:ListBusinessRegions",
        "vpc:ListGeographicSubRegions",
        "vpc:ListNatGatewayEcsMetric",
        "vpc:ListVpcCloudInstance",
        "vpc:ListVpcEndpointServicesByEndUser",
        "vpc:ModifyBandwidthPackageAttribute",
        "vpc:ModifyBandwidthPackageSpec",
        "vpc:ModifyBypassToaAttribute",
        "vpc:ModifyExpressCloudConnectionAttribute",
        "vpc:ModifyGlobalAccelerationInstanceAttributes",
        "vpc:ModifyGlobalAccelerationInstanceSpec",
        "vpc:ModifyIPv6TranslatorAclAttribute",
        "vpc:ModifyIPv6TranslatorAclListEntry",
        "vpc:ModifyIPv6TranslatorAttribute",
        "vpc:ModifyIPv6TranslatorBandwidth",
        "vpc:ModifyIPv6TranslatorEntry",
        "vpc:ModifyIpv6GatewaySpec",
        "vpc:OpenFlowLogService",
        "vpc:OpenPhysicalConnectionService",
        "vpc:OpenPublicIpAddressPoolService",
        "vpc:OpenTrafficMirrorService",
        "vpc:OpenVpcIpamService",
        "vpc:QueryPconnTrafficPrice",
        "vpc:QueryPhysicalConnectionPrice",
        "vpc:RejectVpcPeerConnection",
        "vpc:RemoveBandwidthPackageIps",
        "vpc:RemoveGlobalAccelerationInstanceIp",
        "vpc:RemoveIPv6TranslatorAclListEntry",
        "vpc:RevokeInstanceFromCbn",
        "vpc:SetHaVipMasterInstance",
        "vpc:TransformEipSegmentToPublicIpAddressPool",
        "vpc:UnAssociateEipAddress",
        "vpc:UnassociateGlobalAccelerationInstance",
        "vpc:UpdateCrossBorderStatus",
        "vpc:associatevpccidrblock",
        "vpc:createvpc",
        "vpc:deleteBgpNetwork",
        "vpc:describeVpcs",
        "vpc:releaseIpv6Address"
      ],
      "Resource": "*"
    }
  ]
}
A RAM user or RAM role with account-level permissions can act on every matching resource in the account, not only on the resources in one resource group. Grant at the account level only the specific actions a principal actually needs, rather than the full list above, keep everything else at resource group scope, and confirm that each grant is intentional and follows the principle of least privilege. Note that RAM matches action names literally: a misspelled action name in a policy grants nothing, so check names against the table above before attaching the policy.
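The split the page describes (resource-group scope for everything that supports it, account scope only for the listed exceptions) is easy to get wrong by hand: one action from the table left in the resource-group policy silently does nothing, and one misspelled name grants nothing. The following is an added example, not code from the page or from Alibaba Cloud, that sorts a requested action list into the two policies and flags names that match nothing in the catalogue. The NO_RG_SCOPE set is an excerpt of the table above (constructed for the example; paste in the full table for real use), and RG_SCOPE_OK is an assumed excerpt of EIP actions that do support resource-group scope, since the page does not list them.

```python
"""Split a requested EIP/VPC action list into a resource-group-scoped policy and
an account-scoped policy, flagging action names that match nothing known."""
import difflib
import json

# Excerpt of the page's table of actions that do NOT support resource-group-level
# authorization. Constructed excerpt for this example; extend with the full table.
NO_RG_SCOPE = frozenset({
    "vpc:AddBandwidthPackageIps",
    "vpc:CreateNatGateway",
    "vpc:DescribeVPCs",
    "vpc:DescribeVpnGatewayAvailableZones",
    "vpc:GetPublicIpAddressPoolServiceStatus",
    "vpc:OpenPublicIpAddressPoolService",
    "vpc:UnAssociateEipAddress",
    "vpc:UpdateCrossBorderStatus",
})

# EIP actions assumed to support resource-group scope. The page does not list
# them; this set is an assumption for the example, to be replaced with the
# EIP action reference.
RG_SCOPE_OK = frozenset({
    "vpc:AllocateEipAddress",
    "vpc:AssociateEipAddress",
    "vpc:DescribeEipAddresses",
    "vpc:ModifyEipAddressAttribute",
    "vpc:ReleaseEipAddress",
})

KNOWN = NO_RG_SCOPE | RG_SCOPE_OK

# Verb prefixes treated as read-only, mirroring the page's read-only policy.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check")


def classify(actions):
    """Sort requested actions by the scope at which they can take effect.

    rg      -> goes in the policy attached with Resource Group scope
    account -> no resource-group support; needs an account-scoped policy
    unknown -> not in the catalogue; RAM would match nothing for these
    suggest -> (unknown name, closest catalogue name) pairs, to catch typos
    """
    out = {"rg": [], "account": [], "unknown": [], "suggest": []}
    for action in actions:
        if action in RG_SCOPE_OK:
            out["rg"].append(action)
        elif action in NO_RG_SCOPE:
            out["account"].append(action)
        else:
            out["unknown"].append(action)
            close = difflib.get_close_matches(action, KNOWN, n=1, cutoff=0.9)
            if close:
                out["suggest"].append((action, close[0]))
    return out


def is_read_only(action):
    """True if the API verb after the 'vpc:' prefix is a read-only verb."""
    verb = action.partition(":")[2] or action
    return verb.startswith(READ_ONLY_VERBS)


def build_policy(actions, read_only=False):
    """Return a RAM policy document (dict) allowing the actions, or None if empty."""
    chosen = sorted(a for a in actions if not read_only or is_read_only(a))
    if not chosen:
        return None
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": chosen, "Resource": "*"}],
    }


def split_policies(actions):
    """Produce the two policies to attach, plus names that must be fixed first."""
    c = classify(actions)
    return {
        "resource_group": build_policy(c["rg"]),
        "account": build_policy(c["account"]),
        "rejected": c["unknown"],
        "suggestions": c["suggest"],
    }


if __name__ == "__main__":
    # Constructed request from a project team; the last entry is a typo.
    wanted = [
        "vpc:DescribeEipAddresses",
        "vpc:AssociateEipAddress",
        "vpc:UnAssociateEipAddress",
        "vpc:DescribeVPCs",
        "vpc:CreaeNatGateway",
    ]
    print(json.dumps(split_policies(wanted), indent=2))
```

Attach the "resource_group" document with Resource Group scope (Method 1 or Method 2 above) and the "account" document with account scope; fix every name in "rejected" before attaching anything, since a typo such as vpc:CreaeNatGateway is not an error to RAM, just a grant that never matches. Note that vpc:UnAssociateEipAddress lands in the account-scoped policy: per the table, even a team that only manages EIPs in its own resource group needs an account-level grant to disassociate one.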
FAQ
Find a resource's resource group
-
Method 1: Click the resource name to open its details page, which displays the resource group.
-
Method 2: Log on to the Resource Management console, select the account that owns the target resource on the left (the current account is selected by default), and use the filter conditions to locate the resource and view its resource group.
View service resources in a resource group
-
Method 1: Log on to the Resource Management console. On the left, under the account that owns the resources (the current account by default), click the name of the target resource group. On the right, select the current cloud service in the Select Resource Type section to view all of that service's resources in the resource group.
-
Method 2: Log on to the Resource Management console. On the Resource Groups page, find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the cloud service from the Product drop-down list to view all of its resources in the resource group.
Move multiple resources to another resource group
Log on to the Resource Management console. On the Resource Groups page, find the target resource group and click Resource Management in the Actions column to go to the Resource Management page. On this page, use the filter conditions to locate the target resources, select the checkbox in the first column for each of them, click Transfer Resource Group at the bottom of the page, and then follow the on-screen instructions to change the resource group.