RAM authorization - Server Load Balancer - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by ALB. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ALB is alb. You can grant permissions on ALB at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

ALB defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
alb:DeleteServerGroup	DeleteServerGroup	delete	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:AddEntriesToAcl	AddEntriesToAcl	create	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId}	None	None
alb:LoadBalancerJoinSecurityGroup	LoadBalancerJoinSecurityGroup	none	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:DisableDeletionProtection	DisableDeletionProtection	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:UpdateLoadBalancerAttribute	UpdateLoadBalancerAttribute	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListAclEntries	ListAclEntries	get	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId}	None	None
alb:ReplaceServersInServerGroup	ReplaceServersInServerGroup	update	All Resources *	None	None
alb:GetListenerAttribute	GetListenerAttribute	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	acs:ResourceTag	None
alb:DissociateAdditionalCertificatesFromListener	DissociateAdditionalCertificatesFromListener	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:CreateServerGroup	CreateServerGroup	create	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/*	alb:ServerGroupProtocol	None
alb:DeleteHealthCheckTemplates	DeleteHealthCheckTemplates	delete	HealthCheckTemplate acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplatesId}	None	None
alb:AssociateAdditionalCertificatesWithListener	AssociateAdditionalCertificatesWithListener	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListServerGroups	ListServerGroups	get	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/*	None	None
alb:UpdateSecurityPolicyAttribute	UpdateSecurityPolicyAttribute	update	SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}	None	None
alb:ListTagValues	ListTagValues	list	All Resources *	None	None
alb:DisableLoadBalancerAccessLog	DisableLoadBalancerAccessLog	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:CreateHealthCheckTemplate	CreateHealthCheckTemplate	create	HealthCheckTemplate acs:alb:{#regionId}:{#accountId}:healthchecktemplate/*	None	None
alb:ListRules	ListRules	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:LoadBalancerLeaveSecurityGroup	LoadBalancerLeaveSecurityGroup	none	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:CreateSecurityPolicy	CreateSecurityPolicy	create	SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/*	None	None
alb:DetachCommonBandwidthPackageFromLoadBalancer	DetachCommonBandwidthPackageFromLoadBalancer	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:CreateListener	CreateListener	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	alb:ListenerProtocol	None
alb:UpdateLoadBalancerEdition	UpdateLoadBalancerEdition	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:EnableDeletionProtection	EnableDeletionProtection	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:AddServersToServerGroup	AddServersToServerGroup	create	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} Instance acs:alb:{#regionId}:{#accountId}:ecs/{#InstanceId} NetworkInterface acs:alb:{#regionId}:{#accountId}:eni/{#NetworkInterfaceId} ContainerGroup acs:alb:{#regionId}:{#accountId}:eci/{#ContainerGroupId}	None	None
alb:DeleteSecurityPolicy	DeleteSecurityPolicy	delete	SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}	None	None
alb:DeleteListener	DeleteListener	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:UpdateLoadBalancerAddressTypeConfig	UpdateLoadBalancerAddressTypeConfig	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	alb:AddressType	None
alb:ListSecurityPolicyRelations	ListSecurityPolicyRelations	get	SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicy}	None	None
alb:CreateLoadBalancer	CreateLoadBalancer	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/*	alb:AddressType	None
alb:ListListenerCertificates	ListListenerCertificates	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListSecurityPolicies	ListSecurityPolicies	list	SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/*	None	None
alb:UpdateListenerAttribute	UpdateListenerAttribute	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:UpdateHealthCheckTemplateAttribute	UpdateHealthCheckTemplateAttribute	update	HealthCheckTemplate acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId}	None	None
alb:UpdateServerGroupServersAttribute	UpdateServerGroupServersAttribute	update	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} Instance acs:ecs:{#regionId}:{#accountId}:ecs/{#ecsId}	None	None
alb:UnTagResources	UnTagResources	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} Acl acs:alb:{#regionId}:{#accountId}:acl/{#AclId} SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}	None	None
alb:DeleteRule	DeleteRule	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	acs:ResourceTag	None
alb:MoveResourceGroup	MoveResourceGroup	update	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:UpdateRulesAttribute	UpdateRulesAttribute	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:ListServerGroupServers	ListServerGroupServers	get	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:ListAcls	ListAcls	list	Acl acs:alb:{#regionId}:{#accountId}:acl/*	None	None
alb:GetListenerHealthStatus	GetListenerHealthStatus	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:CancelShiftLoadBalancerZones	CancelShiftLoadBalancerZones		LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:DeleteAcl	DeleteAcl	delete	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId}	None	None
alb:AttachCommonBandwidthPackageToLoadBalancer	AttachCommonBandwidthPackageToLoadBalancer	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:UpdateRuleAttribute	UpdateRuleAttribute	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListTagResources	ListTagResources	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securityPolicyId} Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId}	None	None
alb:RemoveEntriesFromAcl	RemoveEntriesFromAcl	delete	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId}	None	None
alb:DeleteAScripts	DeleteAScripts	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:StopListener	StopListener	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListHealthCheckTemplates	ListHealthCheckTemplates	list	HealthCheckTemplate acs:alb:{#regionId}:{#accountId}:healthchecktemplate/*	None	None
alb:DeleteRules	DeleteRules	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:UpdateListenerLogConfig	UpdateListenerLogConfig	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:TagResources	TagResources	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} Acl acs:alb:{#regionId}:{#accountId}:acl/{#AclId} SecurityPolicy acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}	None	None
alb:EnableLoadBalancerIpv6Internet	EnableLoadBalancerIpv6Internet	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	alb:AddressType	None
alb:DisableLoadBalancerIpv6Internet	DisableLoadBalancerIpv6Internet	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:UpdateServerGroupAttribute	UpdateServerGroupAttribute	update	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:StartListener	StartListener	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:AssociateAclsWithListener	AssociateAclsWithListener	create	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId} LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListAScripts	ListAScripts	list	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:CreateRule	CreateRule	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:DissociateAclsFromListener	DissociateAclsFromListener	delete	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId} LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ListLoadBalancers	ListLoadBalancers	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/* LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:UpdateLoadBalancerZones	UpdateLoadBalancerZones	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:CreateAScripts	CreateAScripts	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:RemoveServersFromServerGroup	RemoveServersFromServerGroup	update	ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId} Instance acs:alb:{#regionId}:{#accountId}:ecs/{#InstanceId} NetworkInterface acs:alb:{#regionId}:{#accountId}:eni/{#NetworkInterfaceId} ContainerGroup acs:alb:{#regionId}:{#accountId}:eci/{#ContainerGroupId}	None	None
alb:CreateRules	CreateRules	create	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId} ServerGroup acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}	None	None
alb:UpdateAScripts	UpdateAScripts	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None
alb:ListAsynJobs	ListAsynJobs	get	All Resources *	None	None
alb:UpdateAclAttribute	UpdateAclAttribute	update	Acl acs:alb:{#regionId}:{#accountId}:acl/{#aclId}	None	None
alb:GetHealthCheckTemplateAttribute	GetHealthCheckTemplateAttribute	get	HealthCheckTemplate acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId}	None	None
alb:ListAclRelations	ListAclRelations	get	Acl acs:alb:{#regionId}:{#accountId}:acl/{#AclId}	None	None
alb:ListTagKeys	ListTagKeys	get	All Resources *	None	None
alb:ListListeners	ListListeners	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:DeleteLoadBalancer	DeleteLoadBalancer	delete	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:CreateAcl	CreateAcl	create	Acl acs:alb:{#regionId}:{#accountId}:acl/*	None	None
alb:EnableLoadBalancerAccessLog	EnableLoadBalancerAccessLog	update	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:ApplyHealthCheckTemplateToServerGroup	ApplyHealthCheckTemplateToServerGroup	update	All Resources *	None	None
alb:GetLoadBalancerAttribute	GetLoadBalancerAttribute	get	LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}	None	None
alb:StartShiftLoadBalancerZones	StartShiftLoadBalancerZones		LoadBalancer acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}	None	None

Resource

ALB defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
LoadBalancer	acs:slb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}
ServerGroup	acs:alb:{#regionId}:{#accountId}:servergroup/{#servergroupId}
Acl	acs:alb:{#regionId}:{#accountId}:acl/{#AclId}
LoadBalancer	acs:alb:{#regionId}:{#accountId}:loadbalancer/*
Acl	acs:alb:{#regionId}:{#accountId}:acl/{#aclId}
LoadBalancer	acs:alb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}
ServerGroup	acs:alb:{#regionId}:{#accountId}:servergroup/{#ServerGroupId}
NetworkInterface	acs:alb:{#regionId}:{#accountId}:eni/{#NetworkInterfaceId}
Instance	acs:alb:{#regionId}:{#accountId}:ecs/{#InstanceId}
ContainerGroup	acs:alb:{#regionId}:{#accountId}:eci/{#ContainerGroupId}
LoadBalancer	acs:alb:{#regionId}:{#accountId}:loadbalancer/{#LoadBalancerId}
ServerGroup	acs:alb:{#regionId}:{#accountId}:servergroup/*
HealthCheckTemplate	acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplatesId}
SecurityPolicy	acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicyId}
SecurityPolicy	acs:alb:{#regionId}:{#accountId}:securitypolicy/*
Acl	acs:alb:{#regionId}:{#accountId}:acl/*
HealthCheckTemplate	acs:alb:{#regionId}:{#accountId}:healthchecktemplate/*
SecurityPolicy	acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securitypolicy}
HealthCheckTemplate	acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthchecktemplateId}
Instance	acs:ecs:{#regionId}:{#accountId}:ecs/{#ecsId}
SecurityPolicy	acs:alb:{#regionId}:{#accountId}:securitypolicy/{#SecurityPolicyId}
SecurityPolicy	acs:alb:{#regionId}:{#accountId}:securitypolicy/{#securityPolicyId}
HealthCheckTemplate	acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#HealthCheckTemplateId}
Listener	acs:alb:{#regionId}:{#accountId}:listener/{#ListenerId}
Rule	acs:alb:{#regionId}:{#accountId}:rule/{#RuleId}
HealthCheckTemplate	acs:alb:{#regionId}:{#accountId}:healthchecktemplate/{#healthCheckTemplateId}
ServerGroup	acs:alb:{#regionId}:{#accountId}:servergroup/{#serverGroupId}

Condition

ALB defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to ALB. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type
alb:AddressType	The address type of Application Load Balancer	String
alb:ListenerProtocol	The listening protocol type of Application Load Balancer	String
alb:ServerGroupProtocol	The server group protocol type of Application Load Balancer	String

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: