This topic describes how to manage access points in the NAS console, including how to create, view, delete, and modify access points.
Prerequisites
A General-purpose NAS NFS file system must exist. For more information, see Create a file system.
You can create and use an access point to access NAS data even if no mount target exists or if an existing one is disabled.
Limitations
Only General-purpose NAS NFS file systems support this feature.
A single General-purpose NFS file system supports up to 1,000 access points, spread across at most two vSwitches.
NoteAn access point can be accessed by ECS instances that belong to different vSwitches in the same virtual private cloud (VPC). We recommend that you create multiple access points in the same vSwitch by default. We recommend that you select a vSwitch that resides in the same zone as the NAS file system to achieve optimal performance.
Create an access point
Log on to the NAS console.
In the navigation pane on the left, choose .
In the upper-left corner of the page, select the resource group and region where the target file system resides.

On the Access Point page, click Create Access Point.
In the Create Access Point panel, set the following parameters.
Parameter
Description
Basic information
File System
Select the General-purpose NAS NFS file system for which you want to create an access point.
VPC
Select the VPC that contains your ECS instance. If you have not created a VPC, go to the VPC console to create one.
ImportantYou must select the same VPC as the ECS instance. If you select a different VPC, you must first connect the networks by using Cloud Enterprise Network (CEN) before you can mount the file system. For more information, see Mount a NAS file system across different VPCs in the same region by using CEN.
vSwitch
Select a vSwitch in the VPC.
Permission Group
Select a permission group.
By default, a default VPC permission group is automatically created for each account. This group allows any IP address within the same VPC to access the file system through the access point. You can also create a custom permission group based on your business needs. For more information, see Manage permission groups.
Access Point Name
Specify a name for the access point.
Must be 2 to 128 characters in length.
Must start with an uppercase or lowercase letter, or a Chinese character.
Can contain digits, underscores (_), and hyphens (-).
Root Directory of Access Point
Specify the root directory for the access point within the file system. You can specify a subdirectory in the NAS file system as the root directory of the access point. Users who access the file system through this access point are restricted to this subdirectory.
Requirements:
The path must start with a forward slash (/).
The path can contain digits and letters.
The path can contain underscores (_), hyphens (-), and periods (.).
The path cannot contain symbolic links, and it cannot contain the special components . (current directory) or .. (parent directory), which would let the access point reach outside the intended subdirectory.
ImportantIf the root directory of the access point does not exist, you must configure the Directory Creation settings. The system then automatically creates the specified root directory based on your settings.
If this root directory already exists, you can skip the Directory Creation settings. The system ignores these settings if you provide them.
Directory creation (Required only if the access point root directory does not exist)
Owner ID
Specify the owner ID for the access point root directory.
Valid values: 0 to 4294967295.
Owner group ID
Specify the owner group ID for the access point root directory.
Valid values: 0 to 4294967295.
POSIX permission
Specify the POSIX permission to apply to the access point root directory path.
The value must be a valid octal number, such as 0755.
POSIX user (Optional)
ImportantAfter you configure a POSIX user, all I/O operations made through this access point use this POSIX identity, overriding the original client's POSIX identity. If you enter a UID, you must also enter a user group ID.
UID
Specify the POSIX user ID for all file system operations performed through this access point.
Valid values: 0 to 4294967295.
User group ID
Specify the POSIX user group ID to be used for all file system operations performed through this access point.
Valid values: 0 to 4294967295.
Secondary group IDs (Optional)
Specify the secondary POSIX group IDs to be used for all file system operations performed through this access point.
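The following script is an added example, not Alibaba Cloud's own code: it checks a set of Create Access Point parameters against the rules stated in the table above (name format, root directory path, ID ranges, octal permission, and the UID/GID pairing required when a POSIX user is bound) so that an automation script fails before submitting a bad request. The parameter key names, the sample values, and the Unicode range used for Chinese characters are assumptions of this example.

```python
import re

# Added example (not Alibaba Cloud code). Key names in 'params', the sample
# values and the Chinese-character range are assumptions of this example.

# Name: 2-128 chars; starts with a letter or Chinese character; then letters,
# digits, underscores and hyphens.
NAME_RE = re.compile(r"^[A-Za-z\u4e00-\u9fff][A-Za-z0-9\u4e00-\u9fff_-]{1,127}$")
# One root-directory path component: digits, letters, '_', '-' and '.'.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
ID_MAX = 4294967295  # owner IDs and POSIX IDs must be in 0..ID_MAX


def check_name(name):
    return bool(NAME_RE.match(name))


def check_root_directory(path):
    """Path must start with '/', use only allowed characters, and have no '.'
    or '..' components: a '..' would let the access point escape the
    subdirectory it is supposed to confine clients to."""
    if not path.startswith("/"):
        return False
    if path == "/":
        return True
    for comp in path[1:].split("/"):
        if comp in (".", "..") or not COMPONENT_RE.match(comp):
            return False
    return True


def check_posix_id(value):
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= ID_MAX


def check_mode(mode):
    """POSIX permission must be an octal value such as '0755'."""
    try:
        return 0 <= int(str(mode), 8) <= 0o7777
    except ValueError:
        return False


def validate_access_point(p):
    """Return a list of problems; an empty list means the parameters are valid."""
    errors = []
    if not check_name(p.get("name", "")):
        errors.append("name: 2-128 chars, start with a letter, only letters, digits, '_' and '-'")
    if not check_root_directory(p.get("root_directory", "")):
        errors.append("root_directory: must start with '/' and contain no '.' or '..' components")
    for key in ("owner_id", "owner_group_id", "uid", "gid"):
        if key in p and p[key] is not None and not check_posix_id(p[key]):
            errors.append(f"{key}: must be an integer in 0..{ID_MAX}")
    if "mode" in p and not check_mode(p["mode"]):
        errors.append("mode: must be an octal value such as 0755")
    # A bound POSIX user replaces every client's identity, so a UID without
    # a GID is incomplete and the console rejects it.
    if p.get("uid") is not None and p.get("gid") is None:
        errors.append("gid: required when uid is set")
    for gid in p.get("secondary_gids", []):
        if not check_posix_id(gid):
            errors.append(f"secondary_gids: {gid!r} is not in 0..{ID_MAX}")
    return errors


# Constructed sample input: an access point confined to one tenant's subtree,
# with every client forced to uid/gid 1000.
SAMPLE = {
    "name": "acme-app-data",
    "root_directory": "/tenants/acme",
    "owner_id": 1000,
    "owner_group_id": 1000,
    "mode": "0750",
    "uid": 1000,
    "gid": 1000,
    "secondary_gids": [2000],
}

if __name__ == "__main__":
    problems = validate_access_point(SAMPLE)
    print("ok" if not problems else "\n".join(problems))
```

Run the checks before calling the console or API so that a typo such as a root directory containing .. is caught locally rather than surfacing as a rejected request.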
Click OK.
Creating an access point takes about 10 minutes. After the access point is created, you can view its status, domain name, file system, root directory, and POSIX user in the access point list. When the access point is in the Running state, you can use the access point to mount the NAS file system. For more information, see Access a file system by using an access point on a Linux instance.
(Optional) Configure an access point policy
An access point policy is a custom authorization policy that Alibaba Cloud NAS provides for access point clients. You can use it to directly grant permissions to different RAM users or RAM roles under the same account. For example, you can grant read/write access or permission to use the root account to access resources within the file system. This enables fine-grained and flexible permission management.
Authorization
When NAS receives a request from a compute node, it checks the corresponding access point policy to verify whether the requester has the required permissions.
Usage limits
After an access point policy is enabled, all accounts (root accounts, RAM users, and RAM roles) are denied access by default. They cannot use the access point to mount and access data. To allow a RAM user or RAM role to use the access point, configure a client permission policy and grant permissions to that user or role.
Enabling an access point policy for an access point that is already mounted and in use may disrupt running services.
A RAM user or RAM role that is granted the AliyunNASFullAccess permission for full management of NAS file systems also has all client permissions for the access point by default. Because that policy grants far more than client access, relying on it for clients is high-risk and not recommended. For more information, see What is the relationship between access point policies and the system policies AliyunNASFullAccess and AliyunNASReadOnlyAccess?.
Procedure
Enable the RAM policy for the file system to which the access point belongs.
Log on to the NAS console.
In the navigation pane on the left, choose .
In the upper-left corner of the page, select the resource group and region where the target file system is located.

On the Access Point page, find the target access point and click Manage in the Actions column.
On the access point details page, click the Access Point Policy tab, turn on the RAM Policy switch, and then confirm the action.
The status indicates that the RAM policy is enabled.
Configure a permission policy for the access point client.
Log on to the RAM console with an Alibaba Cloud account.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Script Editor tab.
Configure the following policy content as needed, and then click OK.
Single operation permission
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "nas:ClientMount",
      "Resource": "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>",
      "Condition": {
        "StringEquals": {
          "nas:AccessPointArn": "<AccessPointARN>"
        }
      }
    }
  ]
}
Multiple operation permissions
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "nas:ClientMount",
        "nas:ClientWrite"
      ],
      "Resource": [
        "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>"
      ],
      "Condition": {
        "StringEquals": {
          "nas:AccessPointArn": "<AccessPointARN>"
        }
      }
    }
  ]
}
The following table describes the important parameters.
Parameter
Description
Action
You can configure multiple operation permissions for the access point client. Valid values:
nas:ClientMount: Allows mounting the file system and reading data.
nas:ClientWrite: Allows writing data. This permission must be used with the ClientMount permission to allow mounting the file system and performing read and write operations.
nas:ClientRootAccess: Allows access as the root user.
If this permission is not granted, requests from the root user are mapped to the nobody user. If a POSIX user is bound to the access point, ClientRootAccess also applies to that user: if the bound POSIX user is root but ClientRootAccess is not granted, all I/O operations from that POSIX user are performed as the nobody user after the file system is mounted through the access point.
The nobody user is a default low-privilege account on Linux systems. It can only access files that are open to everyone, so mapping root to it limits what a client can do with files it does not own.
Resource
The file system resource to which the access point belongs. The format is acs:nas:<region>:<account-id>:filesystem/<FilesystemId>, where:
region: The region where the file system of the access point is located. Example: cn-hangzhou. You can find the region in the Alibaba Cloud Resource Name (ARN) of the access point. For more information, see View the ARN of an access point.
account-id: The ID of the Alibaba Cloud account. Example: 123456789012***.
FilesystemId: The ID of the file system to which the access point belongs. Example: 0d9f24****. You can obtain the file system ID from the file system list page.
nas:AccessPointArn
The ARN of the access point. Example:
acs:nas:cn-hangzhou:117848947****:accesspoint/fsap-1. You can obtain the ARN from the basic information page of the access point. For more information, see View the ARN of an access point.
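The following script is an added example, not Alibaba Cloud's own code: it builds the client policy in the form shown above and then evaluates a request the way the page describes the access point policy behaving (denied unless an Allow statement names both the file system and the access point; ClientWrite is useless without ClientMount; root is mapped to nobody unless ClientRootAccess is granted). It also adds a sanity check that the access point ARN in the Condition lives in the same region and account as the file system in Resource. The region, account ID, file system ID and access point ID are made up, the uid chosen for nobody is the Linux convention rather than anything NAS documents, and explicit Deny statements are not modelled.

```python
import json

# Added example (not Alibaba Cloud code). IDs below are constructed; NOBODY_UID
# is the usual Linux value and is an assumption of this example.
CLIENT_ACTIONS = {"nas:ClientMount", "nas:ClientWrite", "nas:ClientRootAccess"}
NOBODY_UID = 65534

REGION = "cn-hangzhou"
ACCOUNT_ID = "123456789012"
FILESYSTEM_ID = "0d9f24abcd"
AP_ARN = f"acs:nas:{REGION}:{ACCOUNT_ID}:accesspoint/fsap-1"


def filesystem_arn(region, account_id, filesystem_id):
    return f"acs:nas:{region}:{account_id}:filesystem/{filesystem_id}"


def parse_arn(arn):
    """Split acs:nas:<region>:<account-id>:<type>/<id> into its parts."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "nas":
        raise ValueError(f"not a NAS ARN: {arn}")
    rtype, _, rid = parts[4].partition("/")
    return {"region": parts[2], "account": parts[3], "type": rtype, "id": rid}


def build_client_policy(region, account_id, filesystem_id, access_point_arn, actions):
    """Emit the 'multiple operation permissions' policy shape from the page."""
    unknown = set(actions) - CLIENT_ACTIONS
    if unknown:
        raise ValueError(f"not client actions: {sorted(unknown)}")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": [filesystem_arn(region, account_id, filesystem_id)],
            "Condition": {"StringEquals": {"nas:AccessPointArn": access_point_arn}},
        }],
    }


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def arn_consistent(policy):
    """The access point in each Condition must be in the same region and
    account as the file system in Resource; otherwise no real request can
    match the statement and it silently grants nothing."""
    for stmt in policy["Statement"]:
        ap = parse_arn(stmt["Condition"]["StringEquals"]["nas:AccessPointArn"])
        for res in _as_list(stmt["Resource"]):
            fs = parse_arn(res)
            if fs["type"] != "filesystem" or ap["type"] != "accesspoint":
                return False
            if (fs["region"], fs["account"]) != (ap["region"], ap["account"]):
                return False
    return True


def allowed_actions(policy, fs_arn, access_point_arn):
    """Client actions allowed for a request reaching fs_arn through
    access_point_arn. Deny by default: a statement counts only if it is an
    Allow, lists the file system, and its Condition names this access point."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if fs_arn not in _as_list(stmt.get("Resource", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("nas:AccessPointArn")
        if cond != access_point_arn:
            continue
        granted.update(a for a in _as_list(stmt.get("Action", [])) if a in CLIENT_ACTIONS)
    return granted


def effective_access(granted, client_uid, bound_posix_uid=None):
    """What the client ends up with: ClientMount gates everything, a POSIX user
    bound to the access point replaces the client's uid, and uid 0 becomes
    nobody unless ClientRootAccess was granted."""
    if "nas:ClientMount" not in granted:
        return {"mount": False, "write": False, "uid": None}
    uid = client_uid if bound_posix_uid is None else bound_posix_uid
    if uid == 0 and "nas:ClientRootAccess" not in granted:
        uid = NOBODY_UID
    return {"mount": True, "write": "nas:ClientWrite" in granted, "uid": uid}


FS_ARN = filesystem_arn(REGION, ACCOUNT_ID, FILESYSTEM_ID)
POLICY = build_client_policy(REGION, ACCOUNT_ID, FILESYSTEM_ID, AP_ARN,
                             ["nas:ClientMount", "nas:ClientWrite"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("root via fsap-1:", effective_access(allowed_actions(POLICY, FS_ARN, AP_ARN), 0))
    other = AP_ARN.replace("fsap-1", "fsap-2")
    print("root via fsap-2:", effective_access(allowed_actions(POLICY, FS_ARN, other), 0))
```

Note that the policy with only ClientMount and ClientWrite still mounts read/write for a root client, but that client operates as nobody; add nas:ClientRootAccess only where root semantics on the share are genuinely required.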
In the Create Policy dialog box, enter a Policy Name and a Description.
Click OK.
Grant the access point client permission policy to a RAM user or RAM role.
NoteA RAM role does not have permanent credentials. It can only obtain temporary credentials, called Security Token Service (STS) tokens, which have custom validity periods and access permissions. This method is suitable only for short-term access to NAS. If the RAM role continues to access the file system after the STS token expires, an I/O error occurs.
After you grant permissions to a RAM user or RAM role, the changes require some time to take effect due to the permission distribution mechanism. You must wait for a period of time before the permissions are effective in the cloud service. For more information, see Why do permissions not take effect immediately after I grant them in RAM?.
Grant permissions to a RAM user.
Create a RAM user. For more information, see Create a RAM user.
If a RAM user already exists, skip this step.
Grant the access point client permission policy (a custom policy) to the RAM user. For more information, see Manage permissions for a RAM user.
Grant permissions to a RAM role.
Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
If a RAM role already exists, skip this step.
Grant the access point client permission policy (a custom policy) to the RAM role. You must also grant the AliyunSTSAssumeRoleAccess permission, which is required for STS management, to the RAM role. For more information, see Manage permissions for a RAM role.
After you configure the access point policy, you can mount the NAS file system through the access point. For more information, see Mount a file system on a Linux client by using an access point.
View access point domain name
You can view the domain name of an access point in the following ways:
On the access point page
On the Access Point page, view the domain name in the Domain Name of Access Point column for the target access point.
On the file system details page
On the File System List page, find the target file system and click Manage. On the file system details page, click Mount Targets in the navigation pane on the left. Then, click the Access Point tab and view the Domain Name of Access Point.
View access point root directory
You can view the root directory of an access point in the following ways:
On the access point page
On the Access Point page, view the root directory in the Root Directory of Access Point column for the target access point.
On the file system details page
On the File System List page, find the target file system and click Manage. On the file system details page, click Mount Targets in the navigation pane on the left. Then, click the Access Point tab and view the Root Directory of Access Point.
View access point ARN
You can view the ARN of an access point in the following ways:
On the access point page
On the Access Point page, find the target access point and click Manage in the Actions column.
On the Basic Information tab, find the ARN section to obtain the ARN of the access point.
On the file system details page
On the File System List page, find the target file system and click Manage.
On the file system details page, click Mount Targets in the navigation pane on the left, and then click the Access Point tab.
Click the name of the target access point to go to its details page. On the Basic Information tab, find the ARN section to obtain the ARN of the access point.
Remove an access point
In the access point list, find the target access point and click Remove in the Actions column.
Removing an access point immediately interrupts all I/O operations in progress through the access point. Proceed with caution.
Modify access point permission group
In the access point list, find the target access point and click Manage in the Actions column. On the access point details page, on the Basic Information tab, click Modify next to the permission group to change it. For more information about permission groups, see Manage permission groups.