Settings the network access restriction policy for an AccessKey pair of an Alibaba Cloud account or a Resource Access Management (RAM) user.
Try it now
Test
RAM authorization
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| UserPrincipalName |
string |
No |
The logon name of the RAM user. If this parameter is left empty, the network access restriction policy is set for the specified AccessKey pair of the current user by default. |
test@example.onaliyun.com |
| UserAccessKeyId |
string |
Yes |
The AccessKey ID. |
LTAI******************* |
| AccessKeyPolicy |
string |
Yes |
The network access restriction policy. A JSON-formatted string. For more information, see the AccessKeyPolicy structure description. |
{"Status":"Inactive","Statements":[{"Value":"AllowAllVPC","Type":"VPCWhiteList","IPList":["::/0","0.0.0.0/0"]}]} |
AccessKeyPolicy structure description
The AccessKeyPolicy parameter is a JSON-formatted string. The complete structure is as follows:
{
"Version": 1,
"Status": "Active",
"Statements": [
{
"Type": "ClassicWhiteList",
"IPList": ["203.0.113.1", "2001:db8:85a3::8a2e:370:7334", "198.51.100.0/24"]
},
{
"Type": "VPCWhiteList",
"Value": "vpc-bp1234567890abcdef",
"IPList": ["172.16.0.0/16"]
}
]
}
Top-level fields
| Field | Type | Required | Description |
| Version | Integer | No | The policy version number. Currently fixed to 1. |
| Status | String | Yes | The policy status. Valid values: Active (enabled), Inactive (disabled). |
| Statements | Array | Yes | The list of network whitelist rules. This parameter can be an empty array [] but cannot be null. |
Statement object
Each Statement represents a network whitelist rule. Two types are supported:
| Field | Type | Description |
| Type | String | The rule type. Valid values: ClassicWhiteList (classic network whitelist), VPCWhiteList (VPC network whitelist). |
| Value | String | The VPC identifier. This field is used only for the VPCWhiteList type. |
| IPList | Array | The IP address whitelist. IPv4 addresses, IPv6 addresses, and CIDR blocks are supported. |
Rule type details.
1. Classic network whitelist (ClassicWhiteList)
Restricts the AccessKey pair to initiate API calls only from specified public IP addresses.
Type: Fixed to
ClassicWhiteList.Value: Do not specify this field. Leave it empty.
IPList: Required. The list of allowed IP addresses. IPv4 and IPv6 addresses are supported. CIDR notation is supported (such as
203.0.113.5/30).
Default behavior: If no ClassicWhiteList rule is configured in Statements, all classic network access is denied.
Constraint: If IPList contains the IPv4 allow-all address 0.0.0.0/0, it must also contain the IPv6 allow-all address ::/0, and vice versa. Allowing only a single protocol stack is not permitted.
Example:
{
"Type": "ClassicWhiteList",
"IPList": ["203.0.113.5/30", "198.51.100.0/24"]
}
2. VPC network whitelist (VPCWhiteList)
Restricts the AccessKey pair to initiate API calls only from a specified VPC. You can further restrict access to specified IP addresses within the VPC.
Type: Fixed to
VPCWhiteList.- Value: Required. Valid values:
A specific VPC instance ID that starts with
vpc-(such asvpc-bp1234567890abcdef).AllowAllVPC: Allows all VPCs.
IPList: Required. The IP address whitelist within the VPC. CIDR notation is supported (such as
10.0.0.0/24).
Default behavior: If no VPCWhiteList rule is configured in Statements, all VPC network access is denied.
Constraints:
If Value is set to
AllowAllVPC, IPList must contain both0.0.0.0/0and::/0(allow-all), and only these two entries are allowed.If Value is set to a specific VPC ID, IPList cannot contain
0.0.0.0/0or::/0.
Example — Specified VPC:
{
"Type": "VPCWhiteList",
"Value": "vpc-bp1234567890abcdef",
"IPList": ["172.16.0.0/16"]
}
Example — Allow all VPCs:
{
"Type": "VPCWhiteList",
"Value": "AllowAllVPC",
"IPList": ["0.0.0.0/0", "::/0"]
}
Quantity limits
| Limit | Upper limit |
| Total length of AccessKeyPolicy | The JSON string cannot exceed 160,000 characters. |
| Number of Statements entries | Up to 8 entries. |
| Number of IPList entries per Statement | Up to 50 entries. |
Complete request examples.
Example 1: Allow only specific public IP addresses
{
"Version": 1,
"Status": "Active",
"Statements": [
{
"Type": "ClassicWhiteList",
"IPList": ["203.0.113.5/30", "198.51.100.0/24"]
}
]
}
Example 2: Allow only calls from a specified VPC
{
"Version": 1,
"Status": "Active",
"Statements": [
{
"Type": "VPCWhiteList",
"Value": "vpc-bp1234567890abcdef",
"IPList": ["172.16.0.0/16"]
}
]
}
Example 3: Configure both classic network and VPC network whitelists
{
"Version": 1,
"Status": "Active",
"Statements": [
{
"Type": "VPCWhiteList",
"Value": "vpc-bp1234567890abcdef",
"IPList": ["172.16.0.0/16"]
},
{
"Type": "ClassicWhiteList",
"IPList": ["203.0.113.0/30"]
}
]
}
Example 4: Disable the policy (retain rules without enforcing them)
{
"Version": 1,
"Status": "Inactive",
"Statements": [
{
"Type": "ClassicWhiteList",
"IPList": ["203.0.113.5/30"]
}
]
}
Example 5: Clear all whitelist rules
{
"Version": 1,
"Status": "Inactive",
"Statements": []
}
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| AccessKeyPolicy |
string |
The network access restriction policy. A JSON-formatted string. For more information, see the AccessKeyPolicy structure description. |
{"Status":"Inactive","Statements":[{"Value":"AllowAllVPC","Type":"VPCWhiteList","IPList":["::/0","0.0.0.0/0"]}]} |
| RequestId |
string |
The request ID. |
30C9068D-FBAA-4998-9986-8A562FED0BC3 |
| AccessKeyId |
string |
The AccessKey ID. |
LTAI******************* |
Examples
Success response
JSON format
{
"AccessKeyPolicy": "{\"Status\":\"Inactive\",\"Statements\":[{\"Value\":\"AllowAllVPC\",\"Type\":\"VPCWhiteList\",\"IPList\":[\"::/0\",\"0.0.0.0/0\"]}]}",
"RequestId": "30C9068D-FBAA-4998-9986-8A562FED0BC3",
"AccessKeyId": "LTAI*******************"
}
Error codes
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.