Add members to an IPAM for multi-account management using AddIpamMembers - Virtual Private Cloud

Operation description

Only the delegated administrator of an IPAM instance in a resource directory can perform multi-account management.
An IPAM delegated administrator can use an IPAM instance in only one region for multi-account management. A maximum of 1,000 member accounts can be added.

Important
If you add a folder as a member, the system counts all member accounts of the resource directory that are in the folder.
Members can be of the Folder or Account type.
- Folder: The delegated IPAM administrator can view IP usage in the IPAM effective region for all resource directory member accounts in the folder.
- Account: The delegated IPAM administrator can view IP usage in the IPAM effective region for the specified resource directory member account.
A managed member cannot share its resource discovery with the IPAM delegated administrator. The IPAM delegated administrator cannot add a member if that member has already shared its resource discovery.
Adding the first member enables the IPAM trusted service for the resource directory.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request syntax

POST  HTTP/1.1

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The ID of the IPAM hosted region. Call the DescribeRegions operation to get the region ID.	cn-hangzhou
DryRun	boolean	No	Specifies whether to perform a dry run. Valid values: true: Performs a dry run. The request is checked for required parameters, request format, and service limits. Members are not added to the IPAM trusted service. If the check passes, the DryRunOperation error code is returned. If the check fails, an error is returned. false (Default): Sends a request. If the request passes the check, the members are added to the IPAM trusted service and an HTTP 2xx status code is returned.	false
ClientToken	string	No	A client token to ensure the idempotence of the request. Generate a unique value from your client for each request. The ClientToken parameter supports only ASCII characters. Note If you do not specify this parameter, the system uses the RequestId of the API request as the ClientToken. The RequestId may be different for each API request.	123e4567-e89b-12d3-a456-426655440000
Members	array<object>	Yes	The members managed by the IPAM trusted service.
	object	No
MemberId	string	No	The member ID. Folder ID: The ID of the folder. Account UID: The UID of a member account in the resource directory.	fd-ccccncASqa
MemberType	string	No	The member type. Valid values: Folder: A folder. Account: A member account in a resource directory. Valid values: Account: A member account in a resource directory Folder: A folder in a resource directory	Folder

Response elements

Element	Type	Description	Example
	object	BaseResult
RequestId	string	The request ID.	BB2C39DE-CEB8-595A-981A-F2EFCBE7324E

Examples

Success response

JSON format

{
  "RequestId": "BB2C39DE-CEB8-595A-981A-F2EFCBE7324E"
}

Error codes

HTTP status code	Error code	Error message	Description
400	OperationDenied.MemberIdNotMatchMemberType	The operation is not allowed because the Member ID and Member Type of members [%s] in the input parameters do not match.	The Member Id and Member Type of [%s] in the input Members do not match.
400	OperationDenied.MemberExistInIpamRDService	The operation is not allowed because %s is under the management of the IPAM.	The input parameter %s has already been managed by IPAM trusted service. The same member cannot be managed repeatedly.
400	QuotaExceeded.MemberAccount	The operation is not allowed because the number of % managed by IPAM has exceeded the limit, %s/%s.	The member account managed by IPAM trusted service exceeds the quota limit.
400	OperationDenied.IpamResourceDiscoveryAlreadySharedWithAdmin	The operation is not allowed because the resource discovery has been shared with the IPAM delegated administrator by %s.	The IPAM Trusted Service does not allow the management of accounts that have already shared their resource discovery with the delegated administrator.
400	OperationDenied.IpamRDServiceAlreadyEnabledInOtherRegion	The operation is not allowed because the IPAM Resource Directory service is already enabled in another region.	Only one IPAM instance can be selected to manage resource directory members.
400	OperationDenied.AccountNotRDEntity	The operation is not allowed because the caller does not belong to the resource directory.	The caller does not belong to any resource directory and is not allowed to manage IPAM trusted service members.
400	OperationDenied.NotDelegatedAdminAccount	The operation is not allowed because the caller is not the delegated IPAM admin for the resource directory.	The caller is not the delegated administrator of the IPAM trusted service in the resource directory. IPAM trusted service members are not allowed to be managed.
400	OperationDenied.IpamNotExist	The operation is not allowed because the IPAM does not exist.	IPAM does not exist in the current region. IPAM trusted service members cannot be managed.
400	OperationDenied.DelegateAdminAsMember	The operation is not allowed because the IPAM delegate administrator cannot be a member.	IPAM delegated administrators cannot add themselves as members of the IPAM trusted service.
400	OperationDenied.NoServicePrincipalAdminPrivileges	The operation is not allowed because the caller is not the delegated IPAM admin for the resource directory.	The caller is not the delegated administrator of the IPAM trusted service in the resource directory. IPAM trusted service members are not allowed to be managed.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.