Before you call the Virtual Private Cloud (VPC) API operations by using a Resource Access Management (RAM) user, you must use an Alibaba Cloud account to create a permission policy and grant required permissions to the RAM user. In the permission policy, Alibaba Cloud Resource Names (ARNs) are used to specify resources.
VPC resources
The following table lists the VPC resources that can be authorized and the ARN formats
of the VPC resources. $regionid/accoutid/vrouterid... specifies the ID of a specific resource, and * specifies all VPC resources.
| Resource type | ARN |
|---|---|
| VPC | acs:vpc:$regionid:$accountid:vpc/$vpcid |
acs:vpc:$regionid:$accountid:vpc/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| VRouter | acs:vpc:$regionid:$accountid:vrouter/$vrouterid |
acs:vpc:$regionid:$accountid:vrouter/* |
|
acs:vpc:*:$accountid:vrouter/* |
|
| VSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
acs:vpc:$regionid:$accountid:vswitch/* |
|
acs:vpc:*:$accountid:vswitch/* |
|
| Route table | acs:vpc:$regionid:$accountid:routetable/$routetableid |
acs:vpc:$regionid:$accountid:routetable/* |
|
acs:vpc:*:$accountid:routetable/* |
|
| DHCP options set | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
|
acs:vpc:*:$accountid:dhcpoptionsset/* |
|
| High-availability virtual IP address (HAVIP) | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:vpc:$regionid:$accountid:havip/* |
|
acs:vpc:*:$accountid:havip/* |
|
| Elastic IP address (EIP) | acs:vpc:$regionid:$accountid:eip/$allocationid |
acs:vpc:$regionid:$accountid:eip/* |
|
acs:vpc:*:$accountid:eip/* |
|
| NAT gateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:vpc:$regionid:$accountid:natgateway/* |
|
acs:vpc*:$accountid:vpc/* |
|
| NAT service plan | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
acs:vpc:$regionid:$accountid:bandwidthpackage/* |
|
aacs:vpc:*:$accountid:vpc/* |
|
| Forward table | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
acs:vpc:$regionid:$accountid:forwardtable/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| SNAT table | acs:vpc:$regionid:$accountid:snattable/$snattableid |
acs:vpc:$regionid:$accountid:snattable/* |
|
acs:vpc:*:$accountid:vpc/* |
|
| Customer gateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
acs:vpc:$regionid:$accountid:customergateway/* |
|
acs:vpc:*:$accountid:customergateway/* |
|
| IPsec-VPN connection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
acs:vpc:$regionid:$accountid:vpnconnection/* |
|
acs:vpc:*:$accountid:vpnconnection/* |
|
| VPN gateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
acs:vpc:$regionid:$accountid:vpngateway/* |
|
acs:vpc:*:$accountid:vpngateway/* |
|
| Global Accelerator instance | acs:vpc:$regionid:$accountid:globalaccelerationinstance /$globalaccelerationinstanceid |
acs:vpc:$regionid:$accountid:globalaccelerationinstance /* |
|
acs:vpc::$accountid:globalaccelerationinstance /* |
|
| Network access control list (ACL) | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:networkacl/* |
|
acs:vpc:*:$accountid:networkacl/* |
|
| Secondary CIDR block | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| General resources | acs:vpc:$regionid:$accountid:* |
acs:vpc:*:$accountid:* |
VPC API operations
The following table lists the API operations that can be used to authorize resources
in VPCs. $regionid/accoutid/vrouterid... is the resource ID, and * represents the corresponding resources.
| API | ARN |
|---|---|
| CreateVpc | acs:vpc:$regionid:$accountid:vpc/* |
| DeleteVpc | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DescribeVpcs | acs:vpc:$regionid:$accountid:vpc/* |
| ModifyVpcAttribute | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DescribeVRouters | acs:vpc:$regionid:$accountid:vrouter/* |
| Specifies the VRouter ID that you want to query:
|
|
| Specifies the VRouter ID that you want to query:
|
|
| ModifyVRouterAttribute | acs:vpc:*:$accountid:* |
| CreateVSwitch | acs:vpc:$regionid:$accountid:vswitch/* |
| DescribeVSwitchAttributes | acs:vpc:$regionid:$accountid:vpc/$vpcid |
| DeleteVSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
| DescribeVSwitches | acs:vpc:$regionid:$accountid:vswitch/* |
"vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/$vpcid" |
|
| ModifyVSwitchAttribute | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
| CreateRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
| DeleteRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
| DescribeRouteTables | acs:vpc:$regionid:$accountid:routetable/* |
"vpc:VRouter":"acs:vpc$regionid:$accountid:vrouter/$vrouterid" |
|
| CreateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
| DescribeCreateDHCPOptionsSets | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
| ModifyDHCPOptionsSetAttributes | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
| DeleteDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
| AssociatedDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:vpc/$vpcid |
|
| UnassociateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
acs:vpc:$regionid:$accountid:vpc/$vpcid |
|
| CreateHaVip | acs:vpc:$regionid:$accountid:havip/* |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| DeleteHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
| AssociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:vpc:%s:%s:certificate/% |
|
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| UnassociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| DescribeHaVips | acs:vpc:$regionid:$accountid:havip/* |
| AllocateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
| AssociateEipAddres | acs:vpc:$regionid:$accountid:eip/* |
| Associates an EIP with a specified ECS instance
|
|
| Associates an EIP with an HAVIP.
|
|
| DescribeEipAddresses | acs:vpc:$regionid:$accountid:eip/* |
| UnassociateEipAddress | Associates an EIP with a specified ECS instance.
|
| Associates an EIP with an HAVIP.
|
|
| ReleaseEipAddress | acs:vpc:$regionid:$accountid:eip/$allocationid |
| DescribeEipMonitorData | acs:vpc:$regionid:$accountid:eip/$allocationid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateNatGateway | acs:vpc:$regionid:$accountid:natgateway/* |
| DescribeNatGateways | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:vpc:$regionid:$accountid:natgateway/* |
|
| ModifyNatGatewaySpec | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
| ModifyNatGatewayAttribute | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| DeleteNatGateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
| DescribeBandwidthPackages | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
acs:vpc:$regionid:$accountid:bandwidthpackage/* |
|
| ModifyBandwidthPackageSpec | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| ModifyBandwidthPackageAttribute | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| AddBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| RemoveBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| DeleteBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
| CreateForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| DeleteForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| ModifyForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| DescribeForwardTableEntries | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
| CreateSnatEntry | acs:vpc:$regionid:$accountid:snattable/* |
| ModifySnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| DescribeSnatTableEntries | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| DeleteSnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
| CreateCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/* |
| DeleteCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| DescribeCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| DescribeCustomerGateways | acs:vpc:$regionid:$accountid:customergateway/* |
| ModifyCustomerGatewayAttribute | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
| CreateVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/* |
| DeleteVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DescribeVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DescribeVpnConnections | acs:vpc:$regionid:$accountid:vpnconnection/* |
| ModifyVpnConnectionAttribute | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DownloadVpnConnectionConfig | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
| DeleteVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| DescribeVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| DescribeVpnGateways | acs:vpc:$regionid:$accountid:vpngateway/* |
| ModifyVpnGatewayAttribute | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
| CreateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
| AssociateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| UnassociateGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
| ModifyGlobalAccerlationInstanceSpec | acs:ecs:$regionid:$accountid:instance/$instanceid |
| ModifyGlobalAccerlationInstanceAttributes | acs:ecs:$regionid:$accountid:instance/$instanceid |
| DeleteGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
| DescribeGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
| AddGlobalAccelerationInstanceIp | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
acs:vpc:$regionid:$accountid:eip/$allocationid |
|
| RemoveGlobalAccelerationInstanceIp | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
acs:vpc:$regionid:$accountid:eip/$allocationid |
|
| DescribeServerRelatedGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
acs:ecs:$regionid:$accountid:instance/$instanceid |
|
| CreateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/* |
| DeleteNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| DescribeNetworkAcls | acs:vpc:$regionid:$accountid: networkacl/* |
| DescribeNetworkAclAttributes | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| ModifyNetworkAclAttributes | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| AssociateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| UnassociateNetworkAcl | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
|
| UpdateNetworkAclEntries | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| CopyNetworkAclEntries | acs:vpc:$regionid:$accountid: networkacl/$networkaclid |
| AssociateVpcCidrBlock | acs:vpc:$regionid:$accountid: vpc/$vpcid |
| UnassociateVpcCidrBlock | acs:vpc:$regionid:$accountid: vpc/$vpcid |