This topic describes the Resource Access Management (RAM) policies for Network Load Balancer (NLB) and provides sample policies.

Background information

Permission policies include system policies and custom policies. Before you manage the NLB permissions of a RAM user, take note of the following system policies.
Policy name: AliyunNLBFullAccess
Purpose: Grants full permissions on Network Load Balancer (NLB) to a RAM user.
Scenario:
  • Authorizes the RAM user to perform all operations in the NLB console.
  • Authorizes the RAM user to perform all API operations of NLB.

Policy name: AliyunNLBReadOnlyAccess
Purpose: Grants read-only permissions on Network Load Balancer (NLB) to a RAM user.
Scenario:
  • Authorizes the RAM user to view all pages in the NLB console. However, the RAM user cannot create or delete instances.
  • Authorizes the RAM user to perform query operations of NLB.
If the system policies cannot meet your business requirements, you can create custom policies. For more information, see Create a custom policy on the JSON tab.

Before you use RAM to manage the permissions on NLB, make sure that you understand the permissions on NLB. For more information, see RAM authentication.

Sample custom policies

  • Example 1: Authorize a RAM user to manage two specified NLB instances.
    For example, you want to authorize a RAM user to manage two of the NLB instances that you have purchased. The IDs of the NLB instances are nlb-001 and nlb-002.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "nlb:*",
          "Resource": [
                      "acs:nlb:*:*:loadbalancer/nlb-001",
                      "acs:nlb:*:*:loadbalancer/nlb-002"
                      ]
        },
        {
          "Effect": "Allow",
          "Action": "nlb:Get*",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  • Example 2: Authorize a RAM user to add an Elastic Compute Service (ECS) instance to the sgp-001 server group. The ID of the ECS instance is i-001. The AddServersToServerGroup action must be allowed on both the server group and the ECS instance, and the RAM user also needs permission to list server groups.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "nlb:AddServersToServerGroup",
          "Resource": ["acs:nlb:*:*:servergroup/sgp-001"]
        },
        {
          "Effect": "Allow",
          "Action": "nlb:AddServersToServerGroup",
          "Resource": ["acs:ecs:*:*:instance/i-001"]
        },
        {
          "Effect": "Allow",
          "Action": "nlb:ListServerGroups",
          "Resource": "acs:nlb:*:*:servergroup/*"
        }
      ],
      "Version": "1"
    }
  • Example 3: Authorize a RAM user to perform ECS-related operations on the server groups of a specific NLB instance. The IDs of the server groups on the NLB instance are sgp-001 and sgp-002, and the ECS instances that the RAM user may add to them are i-instance001 and i-instance002. The RAM user can also list server groups and describe ECS instances.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": "nlb:*",
                "Resource": [
                    "acs:nlb:*:*:servergroup/sgp-001",
                    "acs:nlb:*:*:servergroup/sgp-002"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "nlb:List*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ecs:DescribeInstances",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "nlb:*",
                "Resource": [
                    "acs:ecs:*:*:instance/i-instance001",
                    "acs:ecs:*:*:instance/i-instance002"
                ]
            }
        ],
        "Version": "1"
    }
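Before attaching a custom policy such as Example 1, it is worth checking that it grants exactly the intended scope. The following added example (not part of this page or of Alibaba Cloud's tooling) is a simplified offline evaluator that applies glob matching to Action and Resource, lets an explicit Deny override any Allow, and denies by default. It assumes that Condition blocks are absent, that the region and account-ID fields in the request ARN (cn-hangzhou and 1234567890 are constructed values) are matched by the policy's wildcards, and that nlb:DeleteLoadBalancer and nlb:GetLoadBalancerAttribute are valid NLB actions.

```python
import fnmatch
import json

# Example 1 from this page, embedded here as the policy under test.
EXAMPLE_1 = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "nlb:*",
     "Resource": ["acs:nlb:*:*:loadbalancer/nlb-001",
                  "acs:nlb:*:*:loadbalancer/nlb-002"]},
    {"Effect": "Allow", "Action": "nlb:Get*", "Resource": "*"}
  ],
  "Version": "1"
}
""")


def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # Policy wildcards are glob-style; '*' also spans the ':' separators of an
    # ARN, so "acs:nlb:*:*:loadbalancer/nlb-001" matches any region/account.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified evaluation (assumption: no Condition blocks): an explicit
    Deny wins over any Allow; a request matching no statement is denied."""
    decision = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def explain(policy, requests):
    """Evaluate (action, resource) pairs and map each to its decision."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    # Constructed request ARNs: region cn-hangzhou, account ID 1234567890.
    base = "acs:nlb:cn-hangzhou:1234567890:loadbalancer/"
    checks = [("nlb:DeleteLoadBalancer", base + "nlb-001"),
              ("nlb:DeleteLoadBalancer", base + "nlb-003"),
              ("nlb:GetLoadBalancerAttribute", base + "nlb-003")]
    for (a, r), ok in explain(EXAMPLE_1, checks).items():
        print("ALLOW" if ok else "DENY ", a, "on", r)
```

The run shows that nlb-003 can be read but not deleted, which is the least-privilege outcome Example 1 intends; swapping the resource list for "*" in the first statement would make the delete on nlb-003 succeed.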