Before a Resource Access Management (RAM) user can call the API operations of Virtual Private Cloud (VPC), you must use an Alibaba Cloud account to grant the required permissions to the RAM user. Alibaba Cloud Resource Names (ARNs) are used to specify resources in policies.
Types of VPC resources that can be accessed by an authorized RAM user
The following table lists the types of VPC resources that can be accessed by an authorized
RAM user and the corresponding ARN formats. $regionid/accoutid/vrouterid... specifies the resource ID and * specifies all resources.
| Resource type | ARN format |
|---|---|
| VPC | acs:vpc:$regionid:$accountid:vpc/$vpcid |
acs:vpc:$regionid:$accountid:vpc/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| vRouter | acs:vpc:$regionid:$accountid:vrouter/$vrouterid |
acs:vpc:$regionid:$accountid:vrouter/* |
|
acs:vpc:*:$accountid:vrouter/* |
|
| vSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
acs:vpc:$regionid:$accountid:vswitch/* |
|
acs:vpc:*:$accountid:vswitch/* |
|
| Route table | acs:vpc:$regionid:$accountid:routetable/$routetableid |
acs:vpc:$regionid:$accountid:routetable/* |
|
acs:vpc:*:$accountid:routetable/* |
|
| DHCP options set | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
|
acs:vpc:*:$accountid:dhcpoptionsset/* |
|
| High-availability virtual IP address (HAVIP) | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:vpc:$regionid:$accountid:havip/* |
|
acs:vpc:*:$accountid:havip/* |
|
| Elastic IP address (EIP) | acs:vpc:$regionid:$accountid:eip/$allocationid |
acs:vpc:$regionid:$accountid:eip/* |
|
acs:vpc:*:$accountid:eip/* |
|
| NAT gateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:vpc:$regionid:$accountid:natgateway/* |
|
acs:vpc*:$accountid:vpc/* |
|
| NAT service plan | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
acs:vpc:$regionid:$accountid:bandwidthpackage/* |
|
aacs:vpc:*:$accountid:vpc/* |
|
| Port forwarding table | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
acs:vpc:$regionid:$accountid:forwardtable/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| SNAT table | acs:vpc:$regionid:$accountid:snattable/$snattableid |
acs:vpc:$regionid:$accountid:snattable/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| Customer gateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
acs:vpc:$regionid:$accountid:customergateway/* |
|
acs:vpc:*:$accountid:customergateway/* |
|
| IPsec-VPN connection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
acs:vpc:$regionid:$accountid:vpnconnection/* |
|
acs:vpc:*:$accountid:vpnconnection/* |
|
| VPN gateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
acs:vpc:$regionid:$accountid:vpngateway/* |
|
acs:vpc:*:$accountid:vpngateway/* |
|
| Network access control list (ACL) | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:networkacl/* |
|
acs:vpc:*:$accountid:networkacl/* |
|
| Secondary CIDR block | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| IPv6 gateway | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
acs:vpc:$regionid:$accountid:ipv6gateway/* |
|
acs:vpc:*:$accountid:ipv6gateway/* |
|
| IPv6 Internet bandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6instanceid |
acs:vpc:$regionid:$accountid:ipv6bandwidth/* |
|
acs:vpc:*:$accountid:ipv6bandwidth/* |
|
| General resources | acs:vpc:$regionid:$accountid:* |
acs:vpc:*:$accountid:* |
VPC operations that can be called by an authorized RAM user
The following table lists the VPC operations that can be called by an authorized RAM
user and the corresponding ARN formats. $regionid/accountid/vrouterid... specifies the resource ID and * specifies all resources.
| API | ARN format |
|---|---|
| CreateVpc | acs:vpc:$regionid:$accountid:vpc/* |
| DeleteVpc | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DescribeVpcs | acs:vpc:$regionid:$accountid:vpc/* |
| ModifyVpcAttribute | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DescribeVRouters | acs:vpc:$regionid:$accountid:vrouter/* |
| ModifyVRouterAttribute | acs:vpc:*:$accountid:* |
| CreateVSwitch | acs:vpc:$regionid:$accountid:vswitch/* |
| DescribeVSwitchAttributes | acs:vpc:$regionid:$accountid:vswitch/$VSwitchId |
| DeleteVSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
| DescribeVSwitches | acs:vpc:$regionid:$accountid:vswitch/* |
acs:vpc:$regionId:$accountId}:vpc/$VpcId |
|
acs:vpc:$regionId:$accountId:vswitch/$VSwitchId |
|
| ModifyVSwitchAttribute | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
| CreateRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
| DeleteRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
| DescribeRouteTables | acs:vpc:$regionid:$accountid:routetable/* |
"vpc:VRouter":"acs:vpc$regionid:$accountid:vrouter/$vrouterid" |
|
| CreateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
| DescribeCreateDHCPOptionsSets | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
| ModifyDHCPOptionsSetAttributes | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
| DeleteDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
| AssociatedDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:vpc/$vpcid |
|
| UnassociateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:vpc/$vpcid |
|
| CreateHaVip | acs:vpc:$regionid:$accountid:havip/* |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| DeleteHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
| AssociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:vpc:%s:%s:certificate/% |
|
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| UnassociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| DescribeHaVips | acs:vpc:$regionid:$accountid:havip/* |
| AllocateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
| AssociateEipAddres | acs:vpc:$regionid:$accountid:eip/* |
| Associates an EIP with an Elastic Compute Service (ECS) instance
|
|
| Associates an EIP with an HAVIP
|
|
| DescribeEipAddresses | acs:vpc:$regionid:$accountid:eip/* |
| UnassociateEipAddress | Associates an EIP with an ECS instance
|
| Associates an EIP with an HAVIP
|
|
| ReleaseEipAddress | acs:vpc:$regionid:$accountid:eip/$allocationid |
| DescribeEipMonitorData | acs:vpc:$regionid:$accountid:eip/$allocationid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateNatGateway | acs:vpc:$regionid:$accountid:natgateway/* |
| DescribeNatGateways | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:vpc:$regionid:$accountid:natgateway/* |
|
| ModifyNatGatewaySpec | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
| ModifyNatGatewayAttribute | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| DeleteNatGateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
| DescribeBandwidthPackages | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
acs:vpc:$regionid:$accountid:bandwidthpackage/* |
|
| ModifyBandwidthPackageSpec | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| ModifyBandwidthPackageAttribute | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| AddBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| RemoveBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| DeleteBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| CreateForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| DeleteForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| ModifyForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| DescribeForwardTableEntries | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| CreateSnatEntry | acs:vpc:$regionid:$accountid:snattable/* |
| ModifySnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| DescribeSnatTableEntries | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| DeleteSnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| CreateCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/* |
| DeleteCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| DescribeCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| DescribeCustomerGateways | acs:vpc:$regionid:$accountid:customergateway/* |
| ModifyCustomerGatewayAttribute | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| CreateVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/* |
| DeleteVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DescribeVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DescribeVpnConnections | acs:vpc:$regionid:$accountid:vpnconnection/* |
| ModifyVpnConnectionAttribute | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DownloadVpnConnectionConfig | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DeleteVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| DescribeVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| DescribeVpnGateways | acs:vpc:$regionid:$accountid:vpngateway/* |
| ModifyVpnGatewayAttribute | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| CreateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/* |
| DeleteNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| DescribeNetworkAcls | acs:vpc:$regionid:$accountid: networkacl/* |
| DescribeNetworkAclAttributes | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| ModifyNetworkAclAttributes | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| AssociateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| UnassociateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| UpdateNetworkAclEntries | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| CopyNetworkAclEntries | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| AssociateVpcCidrBlock | acs:vpc:$regionid:$accountid: vpc/$vpcid |
| UnassociateVpcCidrBlock | acs:vpc:$regionid:$accountid: vpc/$vpcid |
| CreateIpv6Gateway | acs:vpc:$regionid:$accountid:ipv6gateway/* |
| DeleteIpv6Gateway | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| DescribeIpv6Gateways | acs:vpc:$regionid:$accountid:ipv6gateway/* |
acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
|
| AllocateIpv6InternetBandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/* |
| CreateIpv6EgressOnlyRule | acs:vpc:$regionid:$accountid:ipv6gateway/* |
| DeleteIpv6EgressOnlyRule | acs:vpc:$regionid:$accountid:ipv6gateway/$ruleid |
| DeleteIpv6InternetBandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6bandwidthid |
| DescribeIpv6Addresses | acs:vpc:$regionid:$accountid:vpc/* |
| DescribeIpv6EgressOnlyRules | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| DescribeIpv6GatewayAttribute | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| ModifyIpv6AddressAttribute | acs:vpc:$regionid:$accountid:vpc/$ipv6instanceid |
| ModifyIpv6GatewayAttribute | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| ModifyIpv6GatewaySpec | acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid |
| ModifyIpv6InternetBandwidth | acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6instanceid |