
Global Accelerator:CreateAcl

Last Updated: Jun 30, 2026

Invokes the CreateAcl operation to create an access control policy group.

Operation description

CreateAcl is an asynchronous operation. After you invoke the operation, the system returns an access control policy group ID, but the access control policy group is not yet created. The creation task continues to run in the background. You can invoke GetAcl or ListAcls to query the status of the access control policy group:

  • If the access control policy group is in the init state, the access control policy group is being created. In this state, you can only execute query operations and cannot execute other operations.

  • If the access control policy group is in the active state, the access control policy group is created.
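
The asynchronous flow described above, combined with the ClientToken request parameter documented on this page, as an added example (not part of the original documentation or of any Alibaba Cloud SDK). `create_acl` and `get_status` are hypothetical callables that wrap whatever SDK or HTTP client is in use; only the two states named on this page are handled, and `ConnectionError` stands in for a transport failure.

```python
import time
import uuid


def create_acl_and_wait(create_acl, get_status, params, retries=3,
                        poll_interval=2.0, timeout=60.0, sleep=time.sleep):
    """Submit CreateAcl idempotently, then poll until the group is active.

    create_acl(params) -> AclId and get_status(acl_id) -> state are
    hypothetical callables supplied by the caller.
    """
    # One token is reused for every attempt, so a retry after a lost
    # response cannot create a second access control policy group.
    token = params.get("ClientToken") or str(uuid.uuid4())
    request = dict(params, ClientToken=token)
    last_error = None
    for _ in range(retries):
        try:
            acl_id = create_acl(request)
            break
        except ConnectionError as exc:  # assumption: transport failures raise this
            last_error = exc
    else:
        raise RuntimeError("CreateAcl failed after retries") from last_error

    waited = 0.0
    while True:
        state = get_status(acl_id)
        if state == "active":  # creation finished; other operations are allowed
            return acl_id, token
        if state != "init":  # assumption: anything else is treated as a failure
            raise RuntimeError(f"unexpected ACL state: {state}")
        if waited >= timeout:
            raise TimeoutError(f"{acl_id} still in init after {timeout}s")
        sleep(poll_interval)
        waited += poll_interval
```
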


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| ga:CreateAcl | create | *Acl acs:ga:{#regionId}:{#accountId}:acl/* | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| RegionId | string | Yes | The region ID of the Alibaba Cloud Global Accelerator (GA) instance. Set the value to cn-hangzhou. | cn-hangzhou |
| AclName | string | No | The name of the access control policy group. The name must be 1 to 128 characters in length and must start with a letter or a Chinese character. It can contain digits, periods (.), underscores (_), and hyphens (-). | test-acl |
| AddressIPVersion | string | Yes | The IP version of the access control policy group. Valid values: IPv4, IPv6. | IPv4 |
| AclEntries | array<object> | No | The access control policy group entries, which are IP address entries or CIDR block entries. You can add up to 50 entries at a time. | |
| | object | No | The access control policy group entries, which are IP address entries or CIDR block entries. You can add up to 50 entries at a time. | |
| Entry | string | No | The access control policy group entry, which is an IP address entry (192.168.XX.XX) or a CIDR block entry (10.0.XX.XX/24). You can add up to 50 entries at a time. | 10.0.XX.XX/24 |
| EntryDescription | string | No | The description of the access control policy group entry. You can add descriptions for up to 50 entries at a time. The description must be 1 to 256 characters in length and can contain letters, digits, hyphens (-), forward slashes (/), periods (.), underscores (_), and Chinese characters. | test-entry |
| ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters. Note: If you do not specify this parameter, the system uses the RequestId value as the ClientToken value. The RequestId value is different for each API request. | 5A2CFF0E-5718-45B5-9D4D-70B3FF3898 |
| DryRun | boolean | No | Specifies whether to perform a dry run. Valid values: true: performs a dry run without creating the access control policy group. The system checks the required parameters, request format, and business limits. If the request fails the dry run, an error message is returned. If the request passes the dry run, the DryRunOperation error code is returned. false (default): sends a normal request. If the request passes the check, an HTTP 2xx status code is returned and the operation is performed. | false |
| ResourceGroupId | string | No | The resource group ID. | rg-acfmwj7wvng3jbi |
| Tag | array<object> | No | The label information of the access control policy group. | |
| | object | No | The label information of the access control policy group. | |
| Key | string | No | The label key of the access control policy group. Once specified, the label key cannot be an empty string. The label key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://. You can specify up to 20 label keys. | tag-key |
| Value | string | No | The label value of the access control policy group. Once specified, the label value can be an empty string. The label value can be up to 128 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://. You can specify up to 20 label values. | tag-value |
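
A pre-flight check for the limits listed in the request parameters above, as an added example (not code from the original documentation or an Alibaba Cloud SDK). It takes the request as a plain dict keyed by the parameter names on this page; the interpretation of "letter" and "Chinese character", and the rule that entries must match AddressIPVersion, are assumptions.

```python
import ipaddress
import re

# Assumptions (not stated on the page): "letter" means an ASCII letter and
# "Chinese character" means the range U+4E00-U+9FFF.
NAME_RE = re.compile(r"[A-Za-z\u4e00-\u9fff][A-Za-z0-9\u4e00-\u9fff._-]{0,127}")
DESC_RE = re.compile(r"[A-Za-z0-9\u4e00-\u9fff/._-]{1,256}")


def validate_create_acl(params):
    """Return the list of documented CreateAcl limits that params violates."""
    errors = []
    if not params.get("RegionId"):
        errors.append("RegionId is required")
    version = params.get("AddressIPVersion")
    if version not in ("IPv4", "IPv6"):
        errors.append("AddressIPVersion must be IPv4 or IPv6")
    name = params.get("AclName")
    if name is not None and not NAME_RE.fullmatch(name):
        errors.append("AclName violates the naming rule")
    entries = params.get("AclEntries", [])
    if len(entries) > 50:
        errors.append("more than 50 AclEntries in one request")
    for i, item in enumerate(entries):
        try:
            net = ipaddress.ip_network(item.get("Entry", ""), strict=False)
        except ValueError:
            errors.append(f"AclEntries[{i}].Entry is not an IP address or CIDR block")
            continue
        # Assumption: every entry must match the group's AddressIPVersion.
        if version in ("IPv4", "IPv6") and f"IPv{net.version}" != version:
            errors.append(f"AclEntries[{i}].Entry does not match {version}")
        desc = item.get("EntryDescription")
        if desc is not None and not DESC_RE.fullmatch(desc):
            errors.append(f"AclEntries[{i}].EntryDescription violates the rule")
    tags = params.get("Tag", [])
    if len(tags) > 20:
        errors.append("more than 20 tags")
    for i, tag in enumerate(tags):
        key, value = tag.get("Key", ""), tag.get("Value", "")
        if not key:
            errors.append(f"Tag[{i}].Key must not be empty")
        for field, text, limit in (("Key", key, 64), ("Value", value, 128)):
            if (len(text) > limit or text.startswith(("aliyun", "acs:"))
                    or "http://" in text or "https://" in text):
                errors.append(f"Tag[{i}].{field} violates the label rule")
    return errors
```

Running the check before a `DryRun=true` call catches malformed allowlist or denylist entries locally, before any request is signed and sent.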

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | The response parameters. | |
| RequestId | string | The request ID. | CEF72CEB-54B6-4AE8-B225-F876FF7BA984 |
| AclId | string | The access control policy group ID. | nacl-hp34s2h0xx1ht4nwo**** |

Examples

Success response

JSON format

{
  "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984",
  "AclId": "nacl-hp34s2h0xx1ht4nwo****"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | IsExist.AclEntriesIsExist | acl entries %s is exist | The ACL entry %s already exists. |
| 400 | QuotaExceeded.AclEntries | The number of acl entries exceeds the limit | The number of entries in the ACL exceeds the upper limit. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.