Before you call the Virtual Private Cloud (VPC) API operations by using a Resource Access Management (RAM) user, you must use an Alibaba Cloud account to create a permission policy and grant required permissions to the RAM user. In the permission policy, Alibaba Cloud Resource Names (ARNs) are used to specify resources.
VPC resources
The following table lists the VPC resources that can be authorized and the ARN formats of the VPC resources. Placeholders such as $regionid, $accountid, and $vrouterid specify the ID of a specific resource, and * specifies all VPC resources.
Resource type | ARN |
---|---|
VPC | acs:vpc:$regionid:$accountid:vpc/$vpcid<br>acs:vpc:$regionid:$accountid:vpc/*<br>acs:vpc:*:$accountid:vpc/* |
VRouter | acs:vpc:$regionid:$accountid:vrouter/$vrouterid<br>acs:vpc:$regionid:$accountid:vrouter/*<br>acs:vpc:*:$accountid:vrouter/* |
VSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid<br>acs:vpc:$regionid:$accountid:vswitch/*<br>acs:vpc:*:$accountid:vswitch/* |
Route table | acs:vpc:$regionid:$accountid:routetable/$routetableid<br>acs:vpc:$regionid:$accountid:routetable/*<br>acs:vpc:*:$accountid:routetable/* |
DHCP options set | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid<br>acs:vpc:$regionid:$accountid:dhcpoptionsset/*<br>acs:vpc:*:$accountid:dhcpoptionsset/* |
High-availability virtual IP address (HAVIP) | acs:vpc:$regionid:$accountid:havip/$havipid<br>acs:vpc:$regionid:$accountid:havip/*<br>acs:vpc:*:$accountid:havip/* |
Elastic IP address (EIP) | acs:vpc:$regionid:$accountid:eip/$allocationid<br>acs:vpc:$regionid:$accountid:eip/*<br>acs:vpc:*:$accountid:eip/* |
NAT gateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid<br>acs:vpc:$regionid:$accountid:natgateway/*<br>acs:vpc:*:$accountid:vpc/* |
NAT service plan | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid<br>acs:vpc:$regionid:$accountid:bandwidthpackage/*<br>acs:vpc:*:$accountid:vpc/* |
Forward table | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid<br>acs:vpc:$regionid:$accountid:forwardtable/*<br>acs:vpc:*:$accountid:vpc/* |
SNAT table | acs:vpc:$regionid:$accountid:snattable/$snattableid<br>acs:vpc:$regionid:$accountid:snattable/*<br>acs:vpc:*:$accountid:vpc/* |
Customer gateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid<br>acs:vpc:$regionid:$accountid:customergateway/*<br>acs:vpc:*:$accountid:customergateway/* |
IPsec-VPN connection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid<br>acs:vpc:$regionid:$accountid:vpnconnection/*<br>acs:vpc:*:$accountid:vpnconnection/* |
VPN gateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid<br>acs:vpc:$regionid:$accountid:vpngateway/*<br>acs:vpc:*:$accountid:vpngateway/* |
Global Accelerator instance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid<br>acs:vpc:$regionid:$accountid:globalaccelerationinstance/*<br>acs:vpc::$accountid:globalaccelerationinstance/* |
Network access control list (ACL) | acs:vpc:$regionid:$accountid:networkacl/$networkaclid<br>acs:vpc:$regionid:$accountid:networkacl/*<br>acs:vpc:*:$accountid:networkacl/* |
Secondary CIDR block | acs:vpc:$regionid:$accountid:vpc/$vpcid |
General resources | acs:vpc:$regionid:$accountid:*<br>acs:vpc:*:$accountid:* |
VPC API operations
The following table lists the API operations that can be authorized on VPC resources, with the ARN for each operation. Placeholders such as $regionid, $accountid, and $vrouterid are resource IDs, and * represents all of the corresponding resources.
API | ARN |
---|---|
CreateVpc | acs:vpc:$regionid:$accountid:vpc/* |
DeleteVpc | acs:vpc:$regionid:$accountid:vpc/$vpcid |
DescribeVpcs | acs:vpc:$regionid:$accountid:vpc/* |
ModifyVpcAttribute | acs:vpc:$regionid:$accountid:vpc/$vpcid |
DescribeVRouters | acs:vpc:$regionid:$accountid:vrouter/*<br>Specifies the VRouter ID that you want to query:<br>Specifies the VRouter ID that you want to query: |
ModifyVRouterAttribute | acs:vpc:*:$accountid:* |
CreateVSwitch | acs:vpc:$regionid:$accountid:vswitch/* |
DescribeVSwitchAttributes | acs:vpc:$regionid:$accountid:vpc/$vpcid |
DeleteVSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
DescribeVSwitches | acs:vpc:$regionid:$accountid:vswitch/*<br>"vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/$vpcid" |
ModifyVSwitchAttribute | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
CreateRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
DeleteRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
DescribeRouteTables | acs:vpc:$regionid:$accountid:routetable/*<br>"vpc:VRouter":"acs:vpc:$regionid:$accountid:vrouter/$vrouterid" |
CreateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
DescribeCreateDHCPOptionsSets | acs:vpc:$regionid:$accountid:dhcpoptionsset/* |
ModifyDHCPOptionsSetAttributes | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
DeleteDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid |
AssociatedDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid<br>acs:vpc:$regionid:$accountid:vpc/$vpcid |
UnassociateDHCPOptionsSet | acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid<br>acs:vpc:$regionid:$accountid:vpc/$vpcid |
CreateHaVip | acs:vpc:$regionid:$accountid:havip/*<br>acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
DeleteHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
AssociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid<br>acs:vpc:%s:%s:certificate/%<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
UnassociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
DescribeHaVips | acs:vpc:$regionid:$accountid:havip/* |
AllocateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
AssociateEipAddress | acs:vpc:$regionid:$accountid:eip/*<br>Associates an EIP with a specified ECS instance.<br>Associates an EIP with an HAVIP. |
DescribeEipAddresses | acs:vpc:$regionid:$accountid:eip/* |
UnassociateEipAddress | Associates an EIP with a specified ECS instance.<br>Associates an EIP with an HAVIP. |
ReleaseEipAddress | acs:vpc:$regionid:$accountid:eip/$allocationid |
DescribeEipMonitorData | acs:vpc:$regionid:$accountid:eip/$allocationid<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
CreateNatGateway | acs:vpc:$regionid:$accountid:natgateway/* |
DescribeNatGateways | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid<br>acs:vpc:$regionid:$accountid:natgateway/* |
ModifyNatGatewaySpec | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
ModifyNatGatewayAttribute | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
DeleteNatGateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
CreateBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
DescribeBandwidthPackages | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid<br>acs:vpc:$regionid:$accountid:bandwidthpackage/* |
ModifyBandwidthPackageSpec | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
ModifyBandwidthPackageAttribute | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
AddBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
RemoveBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
DeleteBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
CreateForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
DeleteForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
ModifyForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
DescribeForwardTableEntries | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
CreateSnatEntry | acs:vpc:$regionid:$accountid:snattable/* |
ModifySnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
DescribeSnatTableEntries | acs:vpc:$regionid:$accountid:snattable/$snattableid |
DeleteSnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
CreateCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/* |
DeleteCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
DescribeCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
DescribeCustomerGateways | acs:vpc:$regionid:$accountid:customergateway/* |
ModifyCustomerGatewayAttribute | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
CreateVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/* |
DeleteVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DescribeVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DescribeVpnConnections | acs:vpc:$regionid:$accountid:vpnconnection/* |
ModifyVpnConnectionAttribute | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DownloadVpnConnectionConfig | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
DeleteVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
DescribeVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
DescribeVpnGateways | acs:vpc:$regionid:$accountid:vpngateway/* |
ModifyVpnGatewayAttribute | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
CreateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
AssociateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
UnassociateGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
ModifyGlobalAccelerationInstanceSpec | acs:ecs:$regionid:$accountid:instance/$instanceid |
ModifyGlobalAccelerationInstanceAttributes | acs:ecs:$regionid:$accountid:instance/$instanceid |
DeleteGlobalAccelerationInstance | acs:ecs:$regionid:$accountid:instance/$instanceid |
DescribeGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
AddGlobalAccelerationInstanceIp | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid<br>acs:vpc:$regionid:$accountid:eip/$allocationid |
RemoveGlobalAccelerationInstanceIp | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid<br>acs:vpc:$regionid:$accountid:eip/$allocationid |
DescribeServerRelatedGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/*<br>acs:ecs:$regionid:$accountid:instance/$instanceid |
CreateNetworkAcl | acs:vpc:$regionid:$accountid:networkacl/* |
DeleteNetworkAcl | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
DescribeNetworkAcls | acs:vpc:$regionid:$accountid:networkacl/* |
DescribeNetworkAclAttributes | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
ModifyNetworkAclAttributes | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
AssociateNetworkAcl | acs:vpc:$regionid:$accountid:networkacl/$networkaclid<br>acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
UnassociateNetworkAcl | acs:vpc:$regionid:$accountid:networkacl/$networkaclid<br>acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
UpdateNetworkAclEntries | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
CopyNetworkAclEntries | acs:vpc:$regionid:$accountid:networkacl/$networkaclid |
AssociateVpcCidrBlock | acs:vpc:$regionid:$accountid:vpc/$vpcid |
UnassociateVpcCidrBlock | acs:vpc:$regionid:$accountid:vpc/$vpcid |
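
As an added example (not part of the original documentation), the following Python sketch audits the Resource ARNs of a RAM permission policy against a subset of the API table above. It flags malformed ARNs (a stray space or missing colon), all-region and all-type wildcards, a resource type that does not match the operation, and a wildcard ID where the table lists a specific resource ID. The `vpc:<Operation>` action form, the policy layout, and the region, account ID and resource IDs in the sample are assumptions constructed for illustration.

```python
import re

# Resource type each operation is scoped to in the API table above (subset).
SCOPED_TYPE = {
    "DeleteVpc": "vpc", "DeleteVSwitch": "vswitch",
    "CreateRouteEntry": "routetable", "ReleaseEipAddress": "eip",
    "DeleteNetworkAcl": "networkacl",
}
# acs:vpc:<region>:<account>:<type>/<id>, or "*" in place of <type>/<id>
ARN_RE = re.compile(r"^acs:vpc:([^:\s]+):([^:\s]+):(\*|([a-z]+)/(\S+))$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return sorted (action, arn, finding) tuples for the Allow statements."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            op = action.split(":", 1)[-1]
            for arn in as_list(stmt["Resource"]):
                m = ARN_RE.match(arn)
                if not m:
                    findings.add((action, arn, "malformed ARN"))
                    continue
                region, _account, whole, rtype, rid = m.groups()
                if region == "*":
                    findings.add((action, arn, "all regions"))
                if whole == "*":
                    findings.add((action, arn, "all resource types"))
                elif op in SCOPED_TYPE and rtype != SCOPED_TYPE[op]:
                    findings.add((action, arn, "type does not match operation"))
                elif op in SCOPED_TYPE and rid == "*":
                    findings.add((action, arn, "wildcard ID"))
    return sorted(findings)

# Constructed sample policy: region, account ID and resource IDs are made up.
ACCT = "acs:vpc:cn-hangzhou:1234567890123456"
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["vpc:DeleteVSwitch"],
     "Resource": [ACCT + ":vswitch/vsw-example1"]},
    {"Effect": "Allow", "Action": ["vpc:DeleteVpc", "vpc:ReleaseEipAddress"],
     "Resource": ["acs:vpc:*:1234567890123456:vpc/*"]},
    {"Effect": "Allow", "Action": "vpc:CreateRouteEntry",
     "Resource": ACCT + ": routetable/vtb-example1"},  # stray space
]}
print(*audit(SAMPLE), sep="\n")
```

Only the first statement passes cleanly; the other two either over-grant or fail to match the resource the operation is authorized on.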