
Authorization for SLB instances

Last Updated: Mar 29, 2018

Questions

View SLB permission definitions

See Resource authorization definition in the SLB OpenAPI document.

Assign the SLB read-only permission to a RAM user

Create a RAM user in the RAM console and add the system authorization policy AliyunSLBReadOnlyAccess to the user. For more information about how to add an authorization policy, see Authorization.

Assign the SLB full access permission to a RAM user

Add the system authorization policy AliyunSLBFullAccess to the RAM user in the RAM console.

Authorize a RAM user to manage two specified SLB instances

This requires a custom authorization policy.

For example, suppose you have two instances with the IDs i-001 and i-002.

First, create a custom authorization policy that includes permissions for managing i-001 and i-002 and for viewing all SLB resources:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": [
            "acs:slb:*:*:loadbalancer/i-001",
            "acs:slb:*:*:loadbalancer/i-002"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "slb:Describe*",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

Then, attach the authorization policy to this user.

A RAM user authorized to manage an SLB instance receives a no-permission error when adding or removing ECS servers in the instance or setting weights

In SLB, the interfaces that operate on ECS servers check not only the permissions for the SLB resource but also the permissions for the ECS servers. This prevents a RAM user from arbitrarily adding servers to an SLB instance after obtaining the permission for that instance.

For example, to add the ECS server i-001 to the SLB instance slb-001, you must grant the following permissions to your account:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:AddBackendServers",
          "Resource": ["acs:slb:*:*:loadbalancer/slb-001"]
        },
        {
          "Effect": "Allow",
          "Action": "slb:AddBackendServers",
          "Resource": ["acs:ecs:*:*:instance/i-001"]
        },
        {
          "Effect": "Allow",
          "Action": "slb:DescribeLoadBalancers",
          "Resource": "acs:slb:*:*:loadbalancer/*"
        }
      ],
      "Version": "1"
    }

To make the authorization process more efficient, you can grant management permissions for one SLB instance and allow the user to add any server to the instance and set the weight of any server. See the following authorization policy.

This authorization policy adds a statement that allows all SLB operations (slb:*) on all ECS resources (acs:ecs:*:*:*).

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": [
            "acs:slb:*:*:loadbalancer/i-001",
            "acs:slb:*:*:loadbalancer/i-002"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "slb:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "slb:*",
          "Resource": "acs:ecs:*:*:*"
        }
      ],
      "Version": "1"
    }
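
The dual check on SLB and ECS resources described above, modelled as an added example (not Alibaba Cloud's code or its policy evaluator). It is a simplified Allow-only matcher with wildcard support and no Deny or Condition handling; the helper names, region, account ID and the three sample policies are constructed for illustration, adapted from the policies on this page.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # simplified model: Deny and Condition are not evaluated
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def can_add_backend(policy, slb_id, ecs_id, region="cn-hangzhou", account="1234567890"):
    """Dual check: the action must be allowed on the SLB instance AND on the ECS instance."""
    action = "slb:AddBackendServers"
    # Region and account ID are constructed placeholder values.
    slb_arn = f"acs:slb:{region}:{account}:loadbalancer/{slb_id}"
    ecs_arn = f"acs:ecs:{region}:{account}:instance/{ecs_id}"
    return allows(policy, action, slb_arn) and allows(policy, action, ecs_arn)

def make_policy(*statements):
    """Build an Allow-only policy from (action, resource) pairs (hypothetical helper)."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": a, "Resource": r} for a, r in statements]}

# Constructed sample policies modelled on the ones shown on this page.
SLB_ONLY = make_policy(("slb:*", ["acs:slb:*:*:loadbalancer/slb-001"]))
PER_SERVER = make_policy(
    ("slb:AddBackendServers", ["acs:slb:*:*:loadbalancer/slb-001"]),
    ("slb:AddBackendServers", ["acs:ecs:*:*:instance/i-001"]),
)
ANY_SERVER = make_policy(
    ("slb:*", ["acs:slb:*:*:loadbalancer/slb-001"]),
    ("slb:*", "acs:ecs:*:*:*"),
)

if __name__ == "__main__":
    for name, pol in [("SLB_ONLY", SLB_ONLY), ("PER_SERVER", PER_SERVER), ("ANY_SERVER", ANY_SERVER)]:
        for ecs in ("i-001", "i-002"):
            print(f"{name:10} add {ecs} to slb-001 -> {can_add_backend(pol, 'slb-001', ecs)}")
```

Running it shows that the SLB-only policy is refused for every server, the per-server policy admits only i-001, and the policy with `acs:ecs:*:*:*` admits any ECS server, so review that last statement as a grant over every ECS instance in the account.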