
File Storage NAS: Manage access points

Last Updated: Jun 03, 2026

This topic describes how to manage access points in the NAS console, including how to create, view, delete, and modify access points.

Prerequisites

A General-purpose NAS NFS file system must exist. For more information, see Create a file system.

Note

You can create and use an access point to access NAS data even if no mount target exists or if an existing one is disabled.

Limitations

  • Only General-purpose NAS NFS file systems support this feature.

  • A single General-purpose NFS file system allows you to create up to 1,000 access points in two vSwitches.

    Note

    An access point can be accessed by ECS instances that belong to different vSwitches in the same virtual private cloud (VPC). We recommend that you create multiple access points in the same vSwitch by default. We recommend that you select a vSwitch that resides in the same zone as the NAS file system to achieve optimal performance.

Create an access point

  1. Log on to the NAS console.

  2. In the navigation pane on the left, choose File System > Access Point.

  3. In the upper-left corner of the page, select the resource group and region where the target file system resides.


  4. On the Access Point page, click Create Access Point.

  5. In the Create Access Point panel, set the following parameters.

    Parameter

    Description

    Basic information

    File System

    Select the General-purpose NAS NFS file system for which you want to create an access point.

    VPC

    Select the VPC that contains your ECS instance. If you have not created a VPC, go to the VPC console to create one.

    Important

    You must select the same VPC as the ECS instance. If you select a different VPC, you must first connect the networks by using Cloud Enterprise Network (CEN) before you can mount the file system. For more information, see Mount a NAS file system across different VPCs in the same region by using CEN.

    vSwitch

    Select a vSwitch in the VPC.

    Permission Group

    Select a permission group.

    By default, a default VPC permission group is automatically created for each account. This group allows any IP address within the same VPC to access the file system through the access point. You can also create a custom permission group based on your business needs. For more information, see Manage permission groups.

    Access Point Name

    Specify a name for the access point.

    • Must be 2 to 128 characters in length.

    • Must start with an uppercase or lowercase letter, or a Chinese character.

    • Can contain digits, underscores (_), and hyphens (-).

    Root Directory of Access Point

    Specify the root directory for the access point within the file system. You can specify a subdirectory in the NAS file system as the root directory of the access point. Users who access the file system through this access point are restricted to this subdirectory.

    Requirements:

    • The path must start with a forward slash (/).

    • The path can contain digits and letters.

    • The path can contain underscores (_), hyphens (-), and periods (.).

    • The path cannot contain symbolic links or relative components such as the current directory (.) or parent directory (..).

    Important
    • If the root directory of the access point does not exist, you must configure the Directory Creation settings. The system then automatically creates the specified root directory based on your settings.

    • If this root directory already exists, you can skip the Directory Creation settings. The system ignores these settings if you provide them.

    Directory creation (Required only if the access point root directory does not exist)

    Owner ID

    Specify the owner ID for the access point root directory.

    Valid values: 0 to 4294967295.

    Owner group ID

    Specify the owner group ID for the access point root directory.

    Valid values: 0 to 4294967295.

    POSIX permission

    Specify the POSIX permission to apply to the access point root directory path.

    The value must be a valid octal number, such as 0755.

    POSIX user (Optional)

    Important

    After you configure a POSIX user, all I/O operations made through this access point use this POSIX identity, overriding the original client's POSIX identity. If you enter a UID, you must also enter a user group ID.

    UID

    Specify the POSIX user ID for all file system operations performed through this access point.

    Valid values: 0 to 4294967295.

    User group ID

    Specify the POSIX user group ID to be used for all file system operations performed through this access point.

    Valid values: 0 to 4294967295.

    Secondary group IDs (Optional)

    Specify the secondary POSIX group IDs to be used for all file system operations performed through this access point.

  6. Click OK.

    Creating an access point takes about 10 minutes. After the access point is created, you can view its status, domain name, file system, root directory, and POSIX user in the access point list. When the access point is in the Running state, you can use the access point to mount the NAS file system. For more information, see Access a file system by using an access point on a Linux instance.
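The rules listed in the Create Access Point panel can be checked before a request is submitted, which is useful when access points are created by automation rather than by hand. The following is an added example, not code from the NAS documentation or Alibaba Cloud: it validates the name, the root directory, the directory creation settings and the POSIX user against the constraints stated above. The Chinese-character range in NAME_RE (CJK Unified Ideographs) and the dict shape accepted by validate_access_point are assumptions; the console's own checks may differ in detail.

```python
import re

# Added example (not from the NAS documentation): offline checks that mirror the
# rules the Create Access Point panel states for the name, root directory,
# directory creation and POSIX user. The Chinese-character range in NAME_RE is an
# assumption (CJK Unified Ideographs); the console's exact check is not published.
UINT32_MAX = 4294967295  # upper bound the page gives for owner IDs, UIDs and GIDs

NAME_RE = re.compile(r"^[A-Za-z\u4e00-\u9fff][A-Za-z0-9\u4e00-\u9fff_-]*$")
PATH_COMPONENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_name(name: str) -> list[str]:
    """Return the rule violations for an access point name (empty list means valid)."""
    problems = []
    if not 2 <= len(name) <= 128:
        problems.append("name must be 2 to 128 characters long")
    if not NAME_RE.match(name):
        problems.append("name must start with a letter or Chinese character and use "
                        "only letters, digits, Chinese characters, '_' and '-'")
    return problems


def validate_root_directory(path: str) -> list[str]:
    """Check the access point root directory: absolute, safe characters, no '.' or '..'."""
    problems = []
    if not path.startswith("/"):
        return ["root directory must start with '/'"]
    if path == "/":
        return problems  # the whole file system; clients are not confined to a subtree
    for comp in path.rstrip("/").split("/")[1:]:
        if comp in ("", ".", ".."):
            problems.append(f"component {comp!r} is not allowed (no empty, '.' or '..' components)")
        elif not PATH_COMPONENT_RE.match(comp):
            problems.append(f"component {comp!r} may only contain letters, digits, '_', '-' and '.'")
    return problems


def _in_id_range(value) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= UINT32_MAX


def validate_directory_creation(owner_id, owner_group_id, posix_permission: str) -> list[str]:
    """Settings used only when the root directory has to be created by the system."""
    problems = []
    for label, value in (("owner ID", owner_id), ("owner group ID", owner_group_id)):
        if not _in_id_range(value):
            problems.append(f"{label} must be an integer from 0 to {UINT32_MAX}")
    try:
        mode = int(posix_permission, 8)  # accepts "0755", "755", "2775"
    except (TypeError, ValueError):
        problems.append("POSIX permission must be an octal number such as 0755")
    else:
        if mode > 0o7777:
            problems.append("POSIX permission must not exceed 7777")
    return problems


def validate_posix_user(uid=None, gid=None, secondary_gids=()) -> list[str]:
    """Optional POSIX identity forced onto every request; a UID requires a group ID."""
    problems = []
    if uid is not None and gid is None:
        problems.append("a user group ID is required when a UID is set")
    ids = [("UID", uid), ("user group ID", gid)] + [("secondary group ID", g) for g in secondary_gids]
    for label, value in ids:
        if value is not None and not _in_id_range(value):
            problems.append(f"{label} must be an integer from 0 to {UINT32_MAX}")
    return problems


def validate_access_point(spec: dict) -> list[str]:
    """Validate a whole Create Access Point request expressed as a dict (assumed shape)."""
    problems = validate_name(spec["name"]) + validate_root_directory(spec["root_directory"])
    if "directory_creation" in spec:
        dc = spec["directory_creation"]
        problems += validate_directory_creation(dc["owner_id"], dc["owner_group_id"], dc["posix_permission"])
    if "posix_user" in spec:
        pu = spec["posix_user"]
        problems += validate_posix_user(pu.get("uid"), pu.get("gid"), pu.get("secondary_gids", ()))
    return problems


if __name__ == "__main__":
    # Constructed request: a restricted subtree created as 0755 for uid/gid 1000,
    # with every client forced to that same identity.
    request = {
        "name": "shared-logs_ap",
        "root_directory": "/exports/logs",
        "directory_creation": {"owner_id": 1000, "owner_group_id": 1000, "posix_permission": "0755"},
        "posix_user": {"uid": 1000, "gid": 1000, "secondary_gids": [4]},
    }
    print(validate_access_point(request) or "request is valid")
```

The root directory check is the one worth keeping close at hand: because clients are confined to that subtree, a path containing `..` or a symbolic link would undermine the confinement, so it is rejected before the request is made rather than relying on the console to catch it.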

(Optional) Configure an access point policy

An access point policy is a custom authorization policy that Alibaba Cloud NAS provides for access point clients. You can use it to directly grant permissions to different RAM users or RAM roles under the same account. For example, you can grant read/write access or permission to use the root account to access resources within the file system. This enables fine-grained and flexible permission management.

Authorization

When NAS receives a request from a compute node, it checks the corresponding access point policy to verify whether the requester has the required permissions.

Usage limits

  • After an access point policy is enabled, all accounts (root accounts, RAM users, and RAM roles) are denied access by default. They cannot use the access point to mount and access data. To allow a RAM user or RAM role to use the access point, configure a client permission policy and grant permissions to that user or role.

  • Enabling an access point policy for an access point that is already mounted and in use may disrupt running services.

  • A RAM user or RAM role that is granted the AliyunNASFullAccess permission for full management of NAS file systems also has all client permissions for the access point by default. This permission is high-risk and not recommended. For more information, see What is the relationship between access point policies and the system policies AliyunNASFullAccess and AliyunNASReadOnlyAccess?.

Procedure

  1. Enable the RAM policy for the file system to which the access point belongs.

    1. Log on to the NAS console.

    2. In the navigation pane on the left, choose File System > Access Point.

    3. In the upper-left corner of the page, select the resource group and region where the target file system is located.


    4. On the Access Point page, find the target access point and click Manage in the Actions column.

    5. On the access point details page, click the Access Point Policy tab, turn on the RAM Policy switch, and then confirm the action.

      The status indicates that the RAM policy is enabled.

  2. Configure a permission policy for the access point client.

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the navigation pane on the left, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the Script Editor tab.

    5. Configure the following policy content as needed, and then click OK.

      • Single operation permission

        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "nas:ClientMount",
              "Resource": "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>",
              "Condition": {
                "StringEquals": {
                  "nas:AccessPointArn": "<AccessPointARN>"
                }
              }
            }
          ]
        }
      • Multiple operation permissions

        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "nas:ClientMount",
                "nas:ClientWrite"
              ],
              "Resource": [
                "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>"
              ],
              "Condition": {
                "StringEquals": {
                  "nas:AccessPointArn": "<AccessPointARN>"
                }
              }
            }
          ]
        }

        The following table describes the important parameters.

        Parameter

        Description

        Action

        You can configure multiple operation permissions for the access point client. Valid values:

        • nas:ClientMount: Allows mounting the file system and reading data.

        • nas:ClientWrite: Allows writing data. This permission must be used with the ClientMount permission to allow mounting the file system and performing read and write operations.

        • nas:ClientRootAccess: Allows access using the root account.

          • If this permission is not granted, access as the root user is mapped to the nobody user.

          • If a POSIX user is bound to the access point, ClientRootAccess also affects that user. For example, if the bound POSIX user is root but ClientRootAccess is not granted, all I/O operations from the POSIX user are mapped to the nobody user after the file system is mounted through the access point.

          • The nobody user is a default user in Linux systems. It has minimal privileges and can access only content on the server that is readable by everyone, which limits what a squashed request can do.

        Resource

        The file system resource to which the access point belongs. The format is acs:nas:<region>:<account-id>:filesystem/<FilesystemId>. The format is described as follows:

        • region: The region where the file system of the access point is located. Example: cn-hangzhou. You can find the region information in the Alibaba Cloud Resource Name (ARN) of the access point. For more information, see View the ARN of an access point.

        • account-id: The ID of the Alibaba Cloud account. Example: 123456789012***.

        • FilesystemId: The ID of the file system to which the access point belongs. Example: 0d9f24****. You can obtain the file system ID from the file system list page.

        nas:AccessPointArn

        The ARN of the access point. Example: acs:nas:cn-hangzhou:117848947****:accesspoint/fsap-1. You can obtain the ARN from the basic information page of the access point. For more information, see View the ARN of an access point.

    6. In the Create Policy dialog box, enter a Policy Name and a Description.

    7. Click OK.

  3. Grant the access point client permission policy to a RAM user or RAM role.

    Note
    • A RAM role does not have permanent credentials. It can only obtain temporary credentials, called Security Token Service (STS) tokens, which have custom validity periods and access permissions. This method is suitable only for short-term access to NAS. If the RAM role continues to access the file system after the STS token expires, an I/O error occurs.

    • After you grant permissions to a RAM user or RAM role, the changes require some time to take effect due to the permission distribution mechanism. You must wait for a period of time before the permissions are effective in the cloud service. For more information, see Why do permissions not take effect immediately after I grant them in RAM?.

    • Grant permissions to a RAM user.

      1. Create a RAM user. For more information, see Create a RAM user.

        If a RAM user already exists, skip this step.

      2. Grant the access point client permission policy (a custom policy) to the RAM user. For more information, see Manage permissions for a RAM user.

    • Grant permissions to a RAM role.

      1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

        If a RAM role already exists, skip this step.

      2. Grant the access point client permission policy (a custom policy) to the RAM role. You must also grant the AliyunSTSAssumeRoleAccess permission, which is required for STS management, to the RAM role. For more information, see Manage permissions for a RAM role.

After you configure the access point policy, you can mount the NAS file system through the access point. For more information, see Mount a file system on a Linux client by using an access point.
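The policy document, the Resource and nas:AccessPointArn formats, and the effect of nas:ClientMount, nas:ClientWrite and nas:ClientRootAccess described in the procedure above can be tied together in one small model. The following is an added example, not Alibaba Cloud's code and not how NAS evaluates policies internally: it builds the custom policy from an access point ARN and a file system ID, then models the check made when a client mounts through the access point, including the deny-by-default behaviour once the RAM policy is enabled and the mapping of root to nobody when nas:ClientRootAccess is absent. It simplifies real RAM evaluation (exact resource match only, no wildcards), and the nobody UID of 65534 and all identifiers in the example are constructed assumptions.

```python
import json

# Added example (not Alibaba Cloud's code): builds the custom client policy shown in
# the procedure and models the check NAS makes when a client mounts through an access
# point. Simplifications: exact Resource match only (no wildcards) and nobody's UID is
# assumed to be 65534, the common Linux default.
NOBODY_UID = 65534
CLIENT_ACTIONS = ("nas:ClientMount", "nas:ClientWrite", "nas:ClientRootAccess")


def parse_access_point_arn(arn: str) -> tuple[str, str, str]:
    """Split acs:nas:<region>:<account-id>:accesspoint/<id> into (region, account, id)."""
    parts = arn.split(":")
    if len(parts) != 5 or parts[:2] != ["acs", "nas"] or not parts[4].startswith("accesspoint/"):
        raise ValueError(f"not a NAS access point ARN: {arn}")
    return parts[2], parts[3], parts[4].split("/", 1)[1]


def filesystem_resource(access_point_arn: str, filesystem_id: str) -> str:
    """Derive the Resource value: region and account ID are taken from the access point ARN."""
    region, account, _ = parse_access_point_arn(access_point_arn)
    return f"acs:nas:{region}:{account}:filesystem/{filesystem_id}"


def build_policy(actions, access_point_arn: str, filesystem_id: str) -> dict:
    """Produce the policy document from the procedure, with Action always written as a list."""
    unknown = set(actions) - set(CLIENT_ACTIONS)
    if unknown:
        raise ValueError(f"unsupported client actions: {sorted(unknown)}")
    if "nas:ClientWrite" in actions and "nas:ClientMount" not in actions:
        raise ValueError("nas:ClientWrite must be used together with nas:ClientMount")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [filesystem_resource(access_point_arn, filesystem_id)],
            "Condition": {"StringEquals": {"nas:AccessPointArn": access_point_arn}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy: dict, resource: str, access_point_arn: str) -> set[str]:
    """Actions granted on this resource through this access point. An explicit Deny wins,
    and anything not allowed is denied: the deny-by-default the page describes."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if resource not in _as_list(stmt.get("Resource", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "nas:AccessPointArn" in cond and cond["nas:AccessPointArn"] != access_point_arn:
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(_as_list(stmt.get("Action", [])))
    return allowed - denied


def evaluate_client(policy, resource, access_point_arn, client_uid, bound_posix_uid=None) -> dict:
    """Outcome for one client: can it mount, can it write, and which UID its I/O runs as.
    A POSIX user bound to the access point replaces the client's identity; without
    nas:ClientRootAccess a root identity (bound or not) is mapped to nobody."""
    granted = allowed_actions(policy, resource, access_point_arn)
    if "nas:ClientMount" not in granted:
        return {"mount": False, "write": False, "effective_uid": None}
    uid = client_uid if bound_posix_uid is None else bound_posix_uid
    if uid == 0 and "nas:ClientRootAccess" not in granted:
        uid = NOBODY_UID
    return {"mount": True, "write": "nas:ClientWrite" in granted, "effective_uid": uid}


if __name__ == "__main__":
    # Constructed identifiers, not real resources.
    AP_ARN = "acs:nas:cn-hangzhou:123456789012:accesspoint/fsap-example"
    FS_ID = "0d9f24example"
    policy = build_policy(["nas:ClientMount", "nas:ClientWrite"], AP_ARN, FS_ID)
    print(json.dumps(policy, indent=2))
    res = filesystem_resource(AP_ARN, FS_ID)
    print(evaluate_client(policy, res, AP_ARN, client_uid=1000))  # mounts, writes as 1000
    print(evaluate_client(policy, res, AP_ARN, client_uid=0))     # root mapped to nobody
    other = AP_ARN.replace("fsap-example", "fsap-other")
    print(evaluate_client(policy, res, other, client_uid=1000))   # condition fails: denied
```

Two things the model makes visible that the table only states: a policy that grants mount and write on the file system still denies a client arriving through a different access point, because the nas:AccessPointArn condition no longer matches; and binding a POSIX user of 0 to an access point buys nothing without nas:ClientRootAccess, since the bound identity is squashed to nobody exactly as a client's own root identity would be.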

View access point domain name

You can view the domain name of an access point in the following ways:

  • On the access point page

    On the Access Point page, view the domain name in the Domain Name of Access Point column for the target access point.

  • On the file system details page

    On the File System List page, find the target file system and click Manage. On the file system details page, click Mount Targets in the navigation pane on the left. Then, click the Access Point tab and view the Domain Name of Access Point.

View access point root directory

You can view the root directory of an access point in the following ways:

  • On the access point page

    On the Access Point page, view the root directory in the Root Directory of Access Point column for the target access point.

  • On the file system details page

    On the File System List page, find the target file system and click Manage. On the file system details page, click Mount Targets in the navigation pane on the left. Then, click the Access Point tab and view the Root Directory of Access Point.

View access point ARN

You can view the ARN of an access point in the following ways:

  • On the access point page

    1. On the Access Point page, find the target access point and click Manage in the Actions column.

    2. On the Basic Information tab, find the ARN section to obtain the ARN of the access point.

  • On the file system details page

    1. On the File System List page, find the target file system and click Manage.

    2. On the file system details page, click Mount Targets in the navigation pane on the left, and then click the Access Point tab.

    3. Click the name of the target access point to go to its details page. On the Basic Information tab, find the ARN section to obtain the ARN of the access point.

Remove an access point

In the access point list, find the target access point and click Remove in the Actions column.

Important

Removing an access point immediately interrupts all I/O operations in progress through the access point. Proceed with caution.

Modify access point permission group

In the access point list, find the target access point and click Manage in the Actions column. On the access point details page, on the Basic Information tab, click Modify next to the permission group to change it. For more information about permission groups, see Manage permission groups.