This topic provides some sample custom Resource Access Management (RAM) policies for Network Load Balancer (NLB).
Background Information
RAM policies are classified into system policies and custom policies. We recommend that you read the information about system policies for NLB before you manage NLB permissions.
If the system policies cannot meet your business requirements, you can create custom policies. For more information, see the "Create a custom policy on the JSON tab" section of the "Create a custom policy" topic.
We recommend that you read the NLB permission definitions before you use RAM to manage NLB permissions. For more information, see RAM authentication.
Sample custom policies
Example 1: The following policy authorizes a RAM user to manage two specified NLB instances.
In this example, you have multiple NLB instances and you want to allow a RAM user to manage only two of the NLB instances. The IDs of the NLB instances are nlb-001 and nlb-002.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "nlb:*",
      "Resource": [
        "acs:nlb:*:*:loadbalancer/nlb-001",
        "acs:nlb:*:*:loadbalancer/nlb-002"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "nlb:Get*",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
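To check what Example 1 actually permits, the following added Python sketch (not part of the original topic and not Alibaba Cloud code) evaluates requests against the policy with a simplified model: only `*` is a wildcard, matching is case-sensitive, and an explicit Deny overrides Allow. The region, account ID, nlb-003 and the action names in the sample requests are constructed values.

```python
import json
import re

# Example 1 policy from this page, embedded so the script runs offline.
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "nlb:*",
     "Resource": ["acs:nlb:*:*:loadbalancer/nlb-001",
                  "acs:nlb:*:*:loadbalancer/nlb-002"]},
    {"Effect": "Allow", "Action": "nlb:Get*", "Resource": "*"}
  ],
  "Version": "1"
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Assumption: only "*" is a wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        if hit and stmt["Effect"] == "Allow":
            decision = "Allow"
    return decision

def broad_statements(policy):
    """Indexes of Allow statements that apply to every resource."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])]

if __name__ == "__main__":
    # Constructed request: region, account ID and nlb-003 are placeholders.
    arn = "acs:nlb:cn-hangzhou:1234567890123456:loadbalancer/nlb-003"
    for action in ("nlb:DeleteLoadBalancer", "nlb:GetLoadBalancerAttribute"):
        print(action, "on nlb-003 ->", evaluate(POLICY, action, arn))
    print("Allow statements on Resource '*':", broad_statements(POLICY))
```

The `nlb:Get*` statement on `"Resource": "*"` means the RAM user can call Get operations on every NLB resource, while the remaining `nlb:*` operations are limited to nlb-001 and nlb-002.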
Example 2: The following policy authorizes a RAM user to add an Elastic Compute Service (ECS) instance to the sgp-001 server group. The ID of the ECS instance is i-001.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "nlb:AddServersToServerGroup",
      "Resource": ["acs:nlb:*:*:servergroup/sgp-001"]
    },
    {
      "Effect": "Allow",
      "Action": "nlb:AddServersToServerGroup",
      "Resource": ["acs:ecs:*:*:instance/i-001"]
    },
    {
      "Effect": "Allow",
      "Action": "nlb:ListServerGroups",
      "Resource": "acs:nlb:*:*:servergroup/*"
    }
  ],
  "Version": "1"
}
Example 3: The following policy authorizes a RAM user to manage the ECS instances in specified NLB server groups. The IDs of the NLB server groups are sgp-001 and sgp-002.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "nlb:*",
      "Resource": [
        "acs:nlb:*:*:servergroup/sgp-001",
        "acs:nlb:*:*:servergroup/sgp-002"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "nlb:List*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ecs:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "nlb:*",
      "Resource": [
        "acs:ecs:*:*:instance/i-instance001",
        "acs:ecs:*:*:instance/i-instance002"
      ]
    }
  ],
  "Version": "1"
}