RAM鉴权 - 专有网络 VPC

在使用RAM用户调用VPC API前，需要阿里云账号通过创建授权策略对RAM用户进行授权。在授权策略中，使用资源描述符（Alibaba Cloud Resource Name, ARN）指定授权资源。

可授权的专有网络资源类型

下表列举了VPC中可授权的资源及其描述方式，其中$regionid/$accoutid/$vrouterid... 为具体的资源ID，*代表对应的所有资源。

资源类型	授权策略中的资源描述方法
专有网络（VPC）	`acs:vpc:$regionid:$accountid:vpc/$vpcid`
	`acs:vpc:$regionid:$accountid:vpc/*`
	`acs:vpc::$accountid:vpc/`
路由器（vRouter）	`acs:vpc:$regionid:$accountid:vrouter/$vrouterid`
	`acs:vpc:$regionid:$accountid:vrouter/*`
	`acs:vpc::$accountid:vrouter/`
交换机（vSwitch）	`acs:vpc:$regionid:$accountid:vswitch/$vswitchid`
	`acs:vpc:$regionid:$accountid:vswitch/*`
	`acs:vpc::$accountid:vswitch/`
路由表（Route Table）	`acs:vpc:$regionid:$accountid:routetable/$routetableid`
	`acs:vpc:$regionid:$accountid:routetable/*`
	`acs:vpc::$accountid:routetable/`
DHCP选项集（DHCP Options Set）	`acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid`
	`acs:vpc:$regionid:$accountid:dhcpoptionsset/*`
	`acs:vpc::$accountid:dhcpoptionsset/`
高可用IP （HaVip）	`acs:vpc:$regionid:$accountid:havip/$havipid`
	`acs:vpc:$regionid:$accountid:havip/*`
	`acs:vpc::$accountid:havip/`
弹性公网IP（EIP）	`acs:vpc:$regionid:$accountid:eip/$allocationid`
	`acs:vpc:$regionid:$accountid:eip/*`
	`acs:vpc::$accountid:eip/`
NAT网关（NAT Gateway）	`acs:vpc:$regionid:$accountid:natgateway/$natgatewayid`
	`acs:vpc:$regionid:$accountid:natgateway/*`
	`acs:vpc:$accountid:vpc/`
NAT网关带宽包（NAT Gateway Bandwidth Package）	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
	`acs:vpc:$regionid:$accountid:bandwidthpackage/*`
	`aacs:vpc::$accountid:vpc/`
端口转发表（Forward Table）	`acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid`
	`acs:vpc:$regionid:$accountid:forwardtable/*`
	`acs:vpc::$accountid:vpc/`
SNAT表（SNAT Table）	`acs:vpc:$regionid:$accountid:snattable/$snattableid`
	`acs:vpc:$regionid:$accountid:snattable/*`
	`acs:vpc::$accountid:vpc/`
用户网关（Customer Gateway）	`acs:vpc:$regionid:$accountid:customergateway/$customergatewayid`
	`acs:vpc:$regionid:$accountid:customergateway/*`
	`acs:vpc::$accountid:customergateway/`
IPsec连接（IPsec Connection）	`acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid`
	`acs:vpc:$regionid:$accountid:vpnconnection/*`
	`acs:vpc::$accountid:vpnconnection/`
VPN网关（VPN Gateway）	`acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid`
	`acs:vpc:$regionid:$accountid:vpngateway/*`
	`acs:vpc::$accountid:vpngateway/`
网络ACL（Network ACL）	`acs:vpc:$regionid:$accountid:networkacl/$networkaclid`
	`acs:vpc:$regionid:$accountid:networkacl/*`
	`acs:vpc::$accountid:networkacl/`
附加网段（SecondaryCidrBlock）	`acs:vpc:$regionid:$accountid:vpc/$vpcid`
IPv6网关（IPv6 Gateway）	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
	`acs:vpc:$regionid:$accountid:ipv6gateway/*`
	`acs:vpc::$accountid:ipv6gateway/`
IPv6公网带宽（IPV6 Bandwidth）	`acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6instanceid`
	`acs:vpc:$regionid:$accountid:ipv6bandwidth/*`
	`acs:vpc::$accountid:ipv6bandwidth/`
通用资源	`acs:vpc:$regionid:$accountid:*`
通用资源	`acs:vpc::$accountid:`

可授权的VPC接口

下表列举了VPC中可授权的API及其描述方式，其中$regionid/accoutid/vrouterid... 为具体的资源ID，*代表对应的所有资源。

API	资源描述
CreateVpc	`acs:vpc:$regionid:$accountid:vpc/*`
DeleteVpc	`acs:vpc:$regionid:$accountid:vpc/$vpcid`
DescribeVpcs	`acs:vpc:$regionid:$accountid:vpc/*`
ModifyVpcAttribute	`acs:vpc:$regionid:$accountid:vpc/$vpcid`
DescribeVRouters	`acs:vpc:$regionid:$accountid:vrouter/*`
ModifyVRouterAttribute	`acs:vpc::$accountid:`
CreateVSwitch	`acs:vpc:$regionid:$accountid:vswitch/*`
DescribeVSwitchAttributes	`acs:vpc:$regionid:$accountid:vswitch/$VSwitchId`
DeleteVSwitch	`acs:vpc:$regionid:$accountid:vswitch/$vswitchid`
DescribeVSwitches	`acs:vpc:$regionid:$accountid:vswitch/*`
	`acs:vpc:$regionId:$accountId}:vpc/$VpcId`
	`acs:vpc:$regionId:$accountId:vswitch/$VSwitchId`
ModifyVSwitchAttribute	`acs:vpc:$regionid:$accountid:vswitch/$vswitchid`
CreateRouteEntry	`acs:vpc:$regionid:$accountid:routetable/$routetableid`
DeleteRouteEntry	`acs:vpc:$regionid:$accountid:routetable/$routetableid`
DescribeRouteTables	`acs:vpc:$regionid:$accountid:routetable/*`
DescribeRouteTables	`"vpc:VRouter":"acs:vpc$regionid:$accountid:vrouter/$vrouterid"`
CreateDHCPOptionsSet	`acs:vpc:$regionid:$accountid:dhcpoptionsset/*`
DescribeCreateDHCPOptionsSets	`acs:vpc:$regionid:$accountid:dhcpoptionsset/*`
ModifyDHCPOptionsSetAttributes	`acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid`
DeleteDHCPOptionsSet	`acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid`
AssociatedDHCPOptionsSet	`acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid`
AssociatedDHCPOptionsSet	`acs:vpc:$regionid:$accountid:vpc/$vpcid`
UnassociateDHCPOptionsSet	`acs:vpc:$regionid:$accountid:dhcpoptionsset/$dhcpoptionssetid`
UnassociateDHCPOptionsSet	`acs:vpc:$regionid:$accountid:vpc/$vpcid`
CreateHaVip	`acs:vpc:$regionid:$accountid:havip/*`
CreateHaVip	`acs:vpc:$regionid:$accountid:vswitch/$vswitchid`
DeleteHaVip	`acs:vpc:$regionid:$accountid:havip/$havipid`
AssociateHaVip	`acs:vpc:$regionid:$accountid:havip/$havipid`
	`acs:vpc:%s:%s:certificate/%`
	`acs:ecs:$regionid:$accountid:instance/$instanceid`
UnassociateHaVip	`acs:vpc:$regionid:$accountid:havip/$havipid`
UnassociateHaVip	`acs:ecs:$regionid:$accountid:instance/$instanceid`
DescribeHaVips	`acs:vpc:$regionid:$accountid:havip/*`
AllocateEipAddress	`acs:vpc:$regionid:$accountid:eip/*`
AssociateEipAddress	`acs:vpc:$regionid:$accountid:eip/*`
	绑定ECS实例 `acs:vpc:$regionid:$accountid:eip/$allocationid` `acs:ecs:$regionid:$accountid:instance/$instanceid`
	绑定HAVIP `acs:vpc:$regionid:$accountid:eip/$allocationid` `acs:vpc:$regionid:$accountid:havip/$havipid`
DescribeEipAddresses	`acs:vpc:$regionid:$accountid:eip/*`
UnassociateEipAddress	绑定ECS实例 `acs:vpc:$regionid:$accountid:eip/$allocationid` `acs:ecs:$regionid:$accountid:instance/$instanceid`
UnassociateEipAddress	绑定HAVIP `acs:vpc:$regionid:$accountid:eip/$allocationid` `acs:vpc:$regionid:$accountid:havip/$havipid`
ReleaseEipAddress	`acs:vpc:$regionid:$accountid:eip/$allocationid`
DescribeEipMonitorData	`acs:vpc:$regionid:$accountid:eip/$allocationid`
DescribeEipMonitorData	`acs:ecs:$regionid:$accountid:instance/$instanceid`
CreateNatGateway	`acs:vpc:$regionid:$accountid:natgateway/*`
DescribeNatGateways	`acs:vpc:$regionid:$accountid:natgateway/$natgatewayid`
DescribeNatGateways	`acs:vpc:$regionid:$accountid:natgateway/*`
ModifyNatGatewaySpec	`acs:vpc:$regionid:$accountid:natgateway/$natgatewayid`
ModifyNatGatewayAttribute	`acs:vpc:$regionid:$accountid:natgateway/$natgatewayid`
ModifyNatGatewayAttribute	`acs:ecs:$regionid:$accountid:instance/$instanceid`
DeleteNatGateway	`acs:vpc:$regionid:$accountid:natgateway/$natgatewayid`
DeleteNatGateway	`acs:ecs:$regionid:$accountid:instance/$instanceid`
CreateBandwidthPackage	`acs:vpc:$regionid:$accountid:bandwidthpackage/*`
DescribeBandwidthPackages	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
DescribeBandwidthPackages	`acs:vpc:$regionid:$accountid:bandwidthpackage/*`
ModifyBandwidthPackageSpec	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
ModifyBandwidthPackageAttribute	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
AddBandwidthPackageIps	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
RemoveBandwidthPackageIps	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
DeleteBandwidthPackage	`acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid`
CreateForwardEntry	`acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid`
DeleteForwardEntry	`acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid`
ModifyForwardEntry	`acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid`
DescribeForwardTableEntries	`acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid`
CreateSnatEntry	`acs:vpc:$regionid:$accountid:snattable/*`
ModifySnatEntry	`acs:vpc:$regionid:$accountid:snattable/$snattableid`
DescribeSnatTableEntries	`acs:vpc:$regionid:$accountid:snattable/$snattableid`
DeleteSnatEntry	`acs:vpc:$regionid:$accountid:snattable/$snattableid`
CreateCustomerGateway	`acs:vpc:$regionid:$accountid:customergateway/*`
DeleteCustomerGateway	`acs:vpc:$regionid:$accountid:customergateway/$customergatewayid`
DescribeCustomerGateway	`acs:vpc:$regionid:$accountid:customergateway/$customergatewayid`
DescribeCustomerGateways	`acs:vpc:$regionid:$accountid:customergateway/*`
ModifyCustomerGatewayAttribute	`acs:vpc:$regionid:$accountid:customergateway/$customergatewayid`
CreateVpnConnection	`acs:vpc:$regionid:$accountid:vpnconnection/*`
DeleteVpnConnection	`acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid`
DescribeVpnConnection	`acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid`
DescribeVpnConnections	`acs:vpc:$regionid:$accountid:vpnconnection/*`
ModifyVpnConnectionAttribute	`acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid`
DownloadVpnConnectionConfig	`acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid`
DeleteVpnGateway	`acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid`
DescribeVpnGateway	`acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid`
DescribeVpnGateways	`acs:vpc:$regionid:$accountid:vpngateway/*`
ModifyVpnGatewayAttribute	`acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid`
CreateNetworkAcl	`acs:vpc:$regionid:$accountid: networkacl/*`
DeleteNetworkAcl	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
DescribeNetworkAcls	`acs:vpc:$regionid:$accountid: networkacl/*`
DescribeNetworkAclAttributes	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
ModifyNetworkAclAttributes	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
AssociateNetworkAcl	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
AssociateNetworkAcl	`acs:vpc:$regionid:$accountid:vswitch/$vswitchid`
UnassociateNetworkAcl	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
UnassociateNetworkAcl	`acs:vpc:$regionid:$accountid:vswitch/$vswitchid`
UpdateNetworkAclEntries	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
CopyNetworkAclEntries	`acs:vpc:$regionid:$accountid: networkacl/$networkaclid`
AssociateVpcCidrBlock	`acs:vpc:$regionid:$accountid: vpc/$vpcid`
UnassociateVpcCidrBlock	`acs:vpc:$regionid:$accountid: vpc/$vpcid`
CreateIpv6Gateway	`acs:vpc:$regionid:$accountid:ipv6gateway/*`
DeleteIpv6Gateway	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
DescribeIpv6Gateways	`acs:vpc:$regionid:$accountid:ipv6gateway/*`
DescribeIpv6Gateways	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
AllocateIpv6InternetBandwidth	`acs:vpc:$regionid:$accountid:ipv6bandwidth/*`
CreateIpv6EgressOnlyRule	`acs:vpc:$regionid:$accountid:ipv6gateway/*`
DeleteIpv6EgressOnlyRule	`acs:vpc:$regionid:$accountid:ipv6gateway/$ruleid`
DeleteIpv6InternetBandwidth	`acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6bandwidthid`
DescribeIpv6Addresses	`acs:vpc:$regionid:$accountid:vpc/*`
DescribeIpv6EgressOnlyRules	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
DescribeIpv6GatewayAttribute	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
ModifyIpv6AddressAttribute	`acs:vpc:$regionid:$accountid:vpc/$ipv6instanceid`
ModifyIpv6GatewayAttribute	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
ModifyIpv6GatewaySpec	`acs:vpc:$regionid:$accountid:ipv6gateway/$ipv6gatewayid`
ModifyIpv6InternetBandwidth	`acs:vpc:$regionid:$accountid:ipv6bandwidth/$ipv6instanceid`