This topic describes the Resource Access Management (RAM) policies for Network Load Balancer (NLB) and provides sample policies.
Background information
Permission policies include system policies and custom policies. Before you manage the NLB permissions of a RAM user, take note of the following system policies.

Policy name | Purpose | Scenario |
---|---|---|
AliyunNLBFullAccess | Grants full permissions on Network Load Balancer (NLB) to a RAM user. | |
AliyunNLBReadOnlyAccess | Grants read-only permissions on Network Load Balancer (NLB) to a RAM user. | |

Before you use RAM to manage the permissions on NLB, make sure that you understand the permissions on NLB. For more information, see RAM authentication.
Sample custom policies
- Example 1: Authorize a RAM user to manage two specified NLB instances. For example, you want to authorize a RAM user to manage two of the NLB instances that you have purchased. The IDs of the NLB instances are nlb-001 and nlb-002.
  ```json
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "nlb:*",
        "Resource": [
          "acs:nlb:*:*:loadbalancer/nlb-001",
          "acs:nlb:*:*:loadbalancer/nlb-002"
        ]
      },
      {
        "Effect": "Allow",
        "Action": "nlb:Get*",
        "Resource": "*"
      }
    ],
    "Version": "1"
  }
  ```
- Example 2: Add an Elastic Compute Service (ECS) instance to the sgp-001 server group. The ID of the ECS instance is i-001.
  ```json
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "nlb:AddServersToServerGroup",
        "Resource": ["acs:nlb:*:*:servergroup/sgp-001"]
      },
      {
        "Effect": "Allow",
        "Action": "slb:AddServersToServerGroup",
        "Resource": ["acs:ecs:*:*:instance/i-001"]
      },
      {
        "Effect": "Allow",
        "Action": "slb:ListServerGroups",
        "Resource": "acs:slb:*:*:servergroup/*"
      }
    ],
    "Version": "1"
  }
  ```
- Example 3: Authorize a RAM user to perform ECS-related operations on the server groups of a specific NLB instance. The IDs of the server groups on the NLB instance are sgp-001 and sgp-002.
  ```json
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "nlb:*",
        "Resource": [
          "acs:nlb:*:*:servergroup/sgp-001",
          "acs:nlb:*:*:servergroup/sgp-002"
        ]
      },
      {
        "Effect": "Allow",
        "Action": "nlb:List*",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "ecs:DescribeInstances",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "nlb:*",
        "Resource": [
          "acs:ecs:*:*:instance/i-instance001",
          "acs:ecs:*:*:instance/i-instance002"
        ]
      }
    ],
    "Version": "1"
  }
  ```
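
To check what a custom policy actually grants before you attach it, the following Python sketch evaluates the Example 1 policy against a few requests. It is an added example, not part of the original documentation and not RAM's own evaluator. It assumes a simplified model in which `*` is the only wildcard and an explicit Deny overrides any Allow. The region, account ID, the instance `nlb-003`, and the sample action names in the requests are constructed for illustration.

```python
import json
import re

# Example 1 from this page, unchanged.
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "nlb:*",
     "Resource": ["acs:nlb:*:*:loadbalancer/nlb-001",
                  "acs:nlb:*:*:loadbalancer/nlb-002"]},
    {"Effect": "Allow", "Action": "nlb:Get*", "Resource": "*"}
  ],
  "Version": "1"
}
""")


def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Assumption: only '*' is a wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(p, action) for p in _as_list(stmt["Action"]))
               and any(_matches(p, resource) for p in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


# Constructed requests: region, account ID and nlb-003 are made up.
ARN = "acs:nlb:cn-hangzhou:123456789012:loadbalancer/{}"
CHECKS = [
    ("nlb:DeleteLoadBalancer", ARN.format("nlb-001")),        # listed instance
    ("nlb:DeleteLoadBalancer", ARN.format("nlb-003")),        # unlisted instance
    ("nlb:GetLoadBalancerAttribute", ARN.format("nlb-003")),  # read on unlisted
]

if __name__ == "__main__":
    for action, resource in CHECKS:
        verdict = "Allow" if is_allowed(POLICY, action, resource) else "Deny"
        print(f"{verdict:5} {action} on {resource}")
```

The third request is allowed because the second statement grants `nlb:Get*` on every resource, so the RAM user can read the attributes of NLB instances other than nlb-001 and nlb-002.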