This topic describes the Resource Access Management (RAM) policies for Network Load Balancer (NLB) and provides sample policies.

Background information

Permission policies include system policies and custom policies. Before you manage the NLB permissions of a RAM user, take note of the following system policies.
Permission name Purpose Scenarios
AliyunNLBFullAccess Grants full permissions on Network Load Balancer (NLB) to a RAM user.
  • Authorizes the RAM user to perform all operations in the NLB console.
  • Authorizes the RAM user to perform all API operations of NLB.
AliyunNLBReadOnlyAccess Grants a RAM user the read-only permissions on Network Load Balancer (NLB).
  • Authorizes the RAM user to view all pages in the NLB console. However, the RAM user cannot create or delete instances.
  • Authorizes the RAM user to perform query operations of NLB.
If the system policies cannot meet your business requirements, you can create custom policies. For more information, see Create a custom policy on the JSON tab.

Sample custom policies

  • Example 1: Authorize a RAM user to manage two specified NLB instances.
    For example, you want to authorize a RAM user to manage two of the NLB instances that you have purchased. The IDs of the NLB instances are nlb-001 and nlb-002.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "nlb:*",
          "Resource": [
                      "acs:nlb:*:*:loadbalancer/nlb-001",
                      "acs:nlb:*:*:loadbalancer/nlb-002"
                      ]
        },
        {
          "Effect": "Allow",
          "Action": "nlb:Get*",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  • Example 2: Add an Elastic Compute Service (ECS) instance to the sgp-001 server group. The ID of the ECS instance is i-001.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "nlb:AddServersToServerGroup",
          "Resource": ["acs:nlb:*:*:servergroup/sgp-001"]
        },
        {
          "Effect": "Allow",
          "Action": "slb:AddServersToServerGroup",
          "Resource": ["acs:ecs:*:*:instance/i-001"]
        },
        {
           "Effect": "Allow",
           "Action": "slb:ListServerGroups",
           "Resource": "acs:slb:*:*:servergroup/*"
        }
      ],
      "Version": "1"
    }
    
                        
  • Example 3: Authorize a RAM user to perform ECS-related operations on the server groups of a specific NLB instance. The ID of the servers groups on the NLB instance are sgp-001 and sgp-002.
    {
        "Statement": [{
                "Effect": "Allow",
                "Action": "nlb:*",
                "Resource": [
                    "acs:nlb:*:*:servergroup/sgp-001",
                    "acs:nlb:*:*:servergroup/sgp-002"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "nlb:List*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ecs:DescribeInstances",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "nlb:*",
                "Resource": [
                    "acs:ecs:*:*:instance/i-instance001",
                    "acs:ecs:*:*:instance/i-instance002"
                ]
            }
        ],
        "Version": "1"
    }