Create, view, modify, and delete access points in the NAS console.
Prerequisites
A General-purpose Network File System (NFS) file system is created. For more information, see Create a file system.
Access points do not require a mount target. Create and use an access point to access NAS data even if no mount target exists or is disabled.
Limits
- Only General-purpose NFS file systems support access points.
- A single General-purpose NFS file system allows you to create up to 1,000 access points in two vSwitches.
Note: An access point can be accessed by ECS instances that belong to different vSwitches in the same virtual private cloud (VPC). We recommend that you create multiple access points in the same vSwitch by default. We recommend that you select a vSwitch that resides in the same zone as the NAS file system to achieve optimal performance.
Create an access point
- Log on to the NAS console.
- In the left-side navigation pane, choose File System > Access Point.
- In the top navigation bar, select the resource group and region where your file system resides.
- On the Access Point page, click Create Access Point.
- In the Create Access Point panel, configure the following parameters.
Basic Information
File System
Select the General-purpose NFS file system for which to create an access point.
VPC
Select the VPC where the ECS instance resides. If no VPC is available, create a VPC in the VPC console.
Important: Select the VPC where the ECS instance that mounts the file system resides. If you select a different VPC, use Cloud Enterprise Network (CEN) to connect the VPCs, then mount the file system across VPCs. For more information, see Use CEN to mount a NAS file system across VPCs in the same region.
vSwitch
Select a vSwitch that resides in the VPC.
Permission Group
Select a permission group.
A permission group named VPC default permission group (all allowed) is automatically created for each Alibaba Cloud account. This permission group allows access from all IP addresses in the VPC to the file system by using the access point. To create a custom permission group, see Manage permission groups.
Access Point Name
Enter a name for the access point.
- The name must be 2 to 128 characters in length.
- The name must start with a letter.
- The name can contain letters, digits, underscores (_), and hyphens (-).
Root Directory of Access Point
Specify the root directory of the access point. A subdirectory can serve as the root directory, limiting users to access only that directory.
Limits:
- The directory must start with a forward slash (/).
- The directory can contain digits and letters.
- The directory can contain underscores (_), hyphens (-), and periods (.).
- The directory cannot contain the current directory reference (.), the parent directory reference (..), or symbolic links.
Important:
- If the root directory of the access point does not exist, configure the parameters in the Create Directory Information section. The system then automatically creates the specified root directory based on your settings.
- If the root directory of the access point already exists, you do not need to configure the parameters in the Create Directory Information section. That section is ignored even if you configure its parameters.
Create Directory Information (Required only if the root directory of the access point does not exist)
Owner ID
Specify the ID of the owner for the root directory of the access point.
Valid values: 0 to 4294967295.
Owner Group ID
Specify the ID of the owner group for the root directory of the access point.
Valid values: 0 to 4294967295.
POSIX Permission
Specify the Portable Operating System Interface (POSIX) permissions applied to the root directory of the access point.
The value is a valid octal number, such as 0755.
POSIX User (Optional)
Important: After you configure a POSIX user, all I/O operations over the access point use the specified POSIX user information, overriding the original client user information for verification. If you specify a user ID, you must also specify a user group ID.
UID
Specify the ID of the POSIX user that uses the access point and performs all operations on the file system.
Valid values: 0 to 4294967295.
User Group ID
Specify the ID of the POSIX user group that uses the access point and performs all operations on the file system.
Valid values: 0 to 4294967295.
Secondary User Group Information (Optional)
Specify the ID of the secondary POSIX user group that uses the access point and performs all operations on the file system.
- Click OK.
Creating an access point takes about 10 minutes. After creation, view the status, domain name, file system, root directory, and POSIX user on the Access Point page. When the access point is in the Running state, use it to mount a NAS file system. For more information, see Use an access point to access a file system on Linux.
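The naming, root-directory, and Create Directory Information rules above, expressed as an offline pre-check you can run before filling in the panel. This is an added example, not console or page code; the rejection of empty path components (double or trailing slashes) is an assumption, and the symbolic-link rule cannot be checked offline.

```python
import re

# Rules below mirror the access point name and root directory limits stated on this page.
UID_MAX = 4294967295
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def check_access_point_name(name):
    """Return the list of naming rules the access point name violates."""
    problems = []
    if not 2 <= len(name) <= 128:
        problems.append("name must be 2 to 128 characters long")
    if not re.match(r"[A-Za-z]", name):
        problems.append("name must start with a letter")
    if re.search(r"[^A-Za-z0-9_-]", name):
        problems.append("name may contain only letters, digits, underscores and hyphens")
    return problems


def check_root_directory(path):
    """Return the list of root-directory rules the path violates."""
    if not path.startswith("/"):
        return ["directory must start with a forward slash"]
    if path == "/":  # the file system root itself
        return []
    problems = []
    for part in path[1:].split("/"):
        if part in (".", ".."):
            problems.append(f"directory reference {part!r} is not allowed")
        elif part == "":  # assumption: double or trailing slashes are rejected
            problems.append("empty path component")
        elif not COMPONENT_RE.match(part):
            problems.append(f"component {part!r} has characters outside letters, digits, _ - .")
    return problems


def check_create_directory_info(owner_id, owner_group_id, posix_permission):
    """Validate the fields used only when the root directory must be created."""
    problems = []
    for label, value in (("owner ID", owner_id), ("owner group ID", owner_group_id)):
        if not 0 <= value <= UID_MAX:
            problems.append(f"{label} must be between 0 and {UID_MAX}")
    if not re.fullmatch(r"[0-7]{3,4}", posix_permission):  # e.g. 0755
        problems.append("POSIX permission must be an octal mode such as 0755")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values from the page.
    print(check_access_point_name("ap-prod_01"), check_root_directory("/shared/../etc"))
```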
(Optional) Configure a policy for the access point
Access point policies are custom RAM policies for access point clients. Grant mount, read, and write permissions on a file system to different RAM users or roles within the same Alibaba Cloud account. Configure root user access permissions for fine-grained permission control.
Authentication description
When NAS receives a request from a compute node, NAS checks whether the requester has the required permissions based on the RAM policy configured for the access point.
Limits
- After you enable the RAM policy feature, no account (including the Alibaba Cloud account, RAM users, and RAM roles) can use the access point to mount and access data by default. To use the access point as a RAM user or role, configure a policy for the access point client and attach it to the RAM user or role.
- If an access point is already used for mounting while the RAM policy feature is disabled, running services may be interrupted when you enable the RAM policy feature.
- If a RAM user or role has full access (AliyunNASFullAccess) to a NAS file system, it has all permissions on the access point client by default. To ensure file system security, do not grant full access to RAM users or roles. For more information, see What are the relationships between RAM policies for access points and system policies AliyunNASFullAccess and AliyunNASReadOnlyAccess?
Procedure
- Enable the RAM policy feature for the file system of the access point.
  - Log on to the NAS console.
  - In the left-side navigation pane, choose File System > Access Point.
  - In the top navigation bar, select the resource group and region where your file system resides.
  - On the Access Point page, click Manage in the Actions column of the access point.
  - On the details page, click the Access Point Policy tab and enable the RAM policy feature. This feature is disabled by default.
- Configure a RAM policy for the access point client.
  - Log on to the RAM console with an Alibaba Cloud account.
  - In the left-side navigation pane, choose .
  - On the Policies page, click Create Policy.
  - On the Create Policy page, click the JSON tab.
  - Configure the following policy content and click OK.
    Permissions on a single operation:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "nas:ClientMount",
          "Resource": "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>",
          "Condition": {
            "StringEquals": {
              "nas:AccessPointArn": "<ARN of the access point>"
            }
          }
        }
      ]
    }
    Permissions on multiple operations:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "nas:ClientMount",
            "nas:ClientWrite"
          ],
          "Resource": [
            "acs:nas:<Region>:<account-id>:filesystem/<FilesystemId>"
          ],
          "Condition": {
            "StringEquals": {
              "nas:AccessPointArn": "<ARN of the access point>"
            }
          }
        }
      ]
    }
    Parameters in the policy:
    Action
    The operation permissions for the access point client. Valid values:
    - nas:ClientMount: the permission to mount a file system and read data.
    - nas:ClientWrite: the permission to write data. Must be used with nas:ClientMount.
    - nas:ClientRootAccess: the permission to access a file system as a root user.
      - Without this permission, root user access is downgraded to the nobody user with minimal permissions.
      - If a POSIX user is bound to the access point as root but lacks the nas:ClientRootAccess permission, all I/O operations are downgraded to nobody user permissions.
      - The nobody user has the least permissions on Linux and can access only the public content of the file system. This ensures the security of the file system.
    Resource
    The file system resources for the access point. Format: acs:nas:<region>:<account-id>:filesystem/<FilesystemId>. The Resource parameter contains the following fields:
    - region: the region where the file system of the access point resides. Example: cn-hangzhou. Find the region in the ARN of the access point. For more information, see the View the ARN of an access point section in this topic.
    - account-id: the ID of the Alibaba Cloud account. Example: 123456789012***.
    - FilesystemId: the ID of the file system for the access point. Example: 0d9f24****. Obtain the file system ID on the File System List page.
    nas:AccessPointArn
    The ARN of the access point. Example: acs:nas:cn-hangzhou:117848947****:accesspoint/fsap-1. Obtain the ARN on the Basic Information tab of the access point. For more information, see the View the ARN of an access point section in this topic.
  - In the Create Policy dialog box, enter a name and description for the policy.
  - Click OK.
- Attach the policy for the access point client to a RAM user or RAM role.
  Note:
  - A RAM role does not have permanent identity credentials. It can access NAS resources only by using a Security Token Service (STS) token. Specify a validity period and access permissions when issuing an STS token. The token provides only temporary access to a NAS file system. Accessing the file system after the token expires causes an I/O error.
  - After granting permissions to a RAM user or role, wait for the permissions to take effect on cloud services. For more information, see Why don't my RAM permissions work immediately?
  - Grant permissions to a RAM user.
    - If you do not have a RAM user, create one. For more information, see Create a RAM user.
    - Attach the policy for the access point client to the RAM user. For more information, see Grant permissions to a RAM user.
  - Grant permissions to a RAM role.
    - If you do not have a RAM role, create one. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
    - Attach the policy for the access point client to the RAM role and grant the STS management permission (AliyunSTSAssumeRoleAccess) to the RAM role. For more information, see Grant permissions to a RAM role.
After you configure the policy for the access point, use the access point to mount a NAS file system. For more information, see Use an access point to access a file system on Linux.
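The access point client policy from the procedure above, built from an access point ARN so the region and account ID in Resource cannot disagree with the ARN in the condition, together with a simplified model of the check NAS performs (Allow statements only, exact string matching, no Deny or wildcards) and the root-to-nobody downgrade. Added example, not NAS or RAM code; the ARN, file system ID and the nobody UID 65534 are constructed assumptions.

```python
import json
import re

ARN_RE = re.compile(r"^acs:nas:(?P<region>[^:]+):(?P<account>[^:]+):accesspoint/[^:/]+$")
CLIENT_ACTIONS = {"nas:ClientMount", "nas:ClientWrite", "nas:ClientRootAccess"}
NOBODY_UID = 65534  # assumption: the UID the nobody user maps to on the client


def build_client_policy(access_point_arn, filesystem_id, actions):
    """Build a policy in the shape shown above, deriving region and account ID
    from the access point ARN and enforcing the ClientWrite/ClientMount pairing."""
    m = ARN_RE.match(access_point_arn)
    if not m:
        raise ValueError("not an access point ARN: " + access_point_arn)
    unknown = set(actions) - CLIENT_ACTIONS
    if unknown:
        raise ValueError("unsupported client actions: " + ", ".join(sorted(unknown)))
    if "nas:ClientWrite" in actions and "nas:ClientMount" not in actions:
        raise ValueError("nas:ClientWrite must be used with nas:ClientMount")
    resource = f"acs:nas:{m['region']}:{m['account']}:filesystem/{filesystem_id}"
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": resource,
        "Condition": {"StringEquals": {"nas:AccessPointArn": access_point_arn}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, access_point_arn):
    """Simplified model of the check: allow only if an Allow statement names the
    action and the resource and its nas:AccessPointArn condition matches."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {}).get("StringEquals", {}).get("nas:AccessPointArn")
        if (action in _as_list(st["Action"]) and resource in _as_list(st["Resource"])
                and (cond is None or cond == access_point_arn)):
            return True
    return False


def effective_uid(policy, resource, access_point_arn, client_uid):
    """Root (UID 0) without nas:ClientRootAccess is downgraded to the nobody user."""
    if client_uid == 0 and not is_allowed(policy, "nas:ClientRootAccess", resource, access_point_arn):
        return NOBODY_UID
    return client_uid


if __name__ == "__main__":
    ap = "acs:nas:cn-hangzhou:123456789012:accesspoint/fsap-example"  # constructed
    print(json.dumps(build_client_policy(ap, "fs-example", ["nas:ClientMount", "nas:ClientWrite"]), indent=2))
```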
View the domain name of the access point
View the domain name of the access point:
- On the Access Point page: view the information in the Domain Name of Access Point column.
- On the details page of the file system: on the File System List page, click Manage in the Actions column of the file system. On the file system details page, click the Mount Targets tab. Then, click the Access Point tab and view the information in the Domain Name of Access Point column.
View the root directory of the access point
View the root directory of the access point:
- On the Access Point page: view the information in the Root Directory column.
- On the details page of the file system: on the File System List page, click Manage in the Actions column of the file system. On the file system details page, click the Mount Targets tab. Then, click the Access Point tab and view the information in the Root Directory column.
View the ARN of the access point
View the ARN of the access point:
- On the Access Point page:
  - Click Manage in the Actions column of the access point.
  - Click the Basic Information tab. In the ARN section, view the ARN of the access point.
- On the details page of the file system:
  - On the File System List page, click Manage in the Actions column of the file system.
  - On the file system details page, click the Mount Targets tab. Then, click the Access Point tab.
  - Click the access point name and view the ARN in the ARN section.
Remove the access point
On the Access Point page, click Remove in the Actions column of the access point.
After you remove an access point, all I/O operations that are being performed on the directory accessed over the access point are interrupted immediately. Proceed with caution.
Modify the permission group of the access point
Click Manage in the Actions column of the access point. On the details page, click Modify next to the permission group. For more information, see Manage permission groups.