This topic describes how to manage Classic Load Balancer (CLB) permissions of Resource Access Management (RAM) users. In the RAM console, you can create custom policies and attach the policies to the RAM users.
Background information
Before you manage the CLB permissions of RAM users, take note of the following system policies:
AliyunSLBFullAccess: grants a RAM user the permissions to manage CLB instances.
AliyunSLBReadOnlyAccess: grants read-only permissions on CLB instances.
If the system policies do not meet your business requirements, you can create custom policies that grant only the actions and resources a RAM user needs.
For more information about the CLB permissions that can be granted to RAM users, see Authorize a RAM user.
Procedure
Create a RAM user.
For more information, see Create a RAM user.
Create a custom policy.
For more information, see Create custom policies and Policy examples.
Attach the policy to the RAM user.
For more information, see Grant permissions to RAM users.
Policy examples
Example 1: Authorize a RAM user to manage two specific CLB instances.
To authorize a RAM user to manage the CLB instances lb-abcdxxxx001 and lb-abcdxxxx002 in your Alibaba Cloud account, use the following policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "slb:*",
      "Resource": [
        "acs:slb:*:*:loadbalancer/lb-abcdxxxx001",
        "acs:slb:*:*:loadbalancer/lb-abcdxxxx002"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "slb:Describe*",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Note: The authorized RAM user can view all CLB instances, but can manage only the two specified CLB instances.
The second statement, which allows slb:Describe* on all resources, is required. Without it, the RAM user cannot view instances in the Server Load Balancer (SLB) console. The first statement alone is still sufficient for the RAM user to manage the two specified CLB instances by calling API operations or by using the CLI or an SDK.
Example 2: Authorize a RAM user to add an Elastic Compute Service (ECS) instance as a backend server of the CLB instance slb-001. The ID of the ECS instance is lb-abcdxxxx001.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "slb:AddBackendServers",
      "Resource": ["acs:slb:*:*:loadbalancer/slb-001"]
    },
    {
      "Effect": "Allow",
      "Action": "slb:AddBackendServers",
      "Resource": ["acs:ecs:*:*:instance/lb-abcdxxxx001"]
    },
    {
      "Effect": "Allow",
      "Action": "slb:DescribeLoadBalancers",
      "Resource": "acs:slb:*:*:loadbalancer/*"
    }
  ],
  "Version": "1"
}
Note: Permissions on a CLB instance alone, as granted in Example 1, are not sufficient for a RAM user to add or remove ECS instances as backend servers or to configure their weights. The action must be authorized on both kinds of resources, as the first two statements above show: one statement authorizes slb:AddBackendServers on the CLB instance, and a second authorizes the same action on the ECS instance. The RAM user therefore needs both of the following:
Permissions on CLB instances
Permissions on ECS instances
Example 3: Authorize a RAM user to perform ECS-related operations on specific CLB instances.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "slb:*",
      "Resource": [
        "acs:slb:*:*:loadbalancer/lb-abcdxxxx001",
        "acs:slb:*:*:loadbalancer/lb-abcdxxxx002"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "slb:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ecs:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "slb:*",
      "Resource": [
        "acs:ecs:*:*:instance/i-instance001",
        "acs:ecs:*:*:instance/i-instance002"
      ]
    }
  ],
  "Version": "1"
}
Note: The preceding policy allows the RAM user to manage the CLB instances lb-abcdxxxx001 and lb-abcdxxxx002. The last statement additionally authorizes all slb actions on the ECS instances i-instance001 and i-instance002, so the RAM user can add those two ECS instances as backend servers of the two CLB instances and configure their weights, but cannot attach any other ECS instance. The ecs:DescribeInstances statement lets the RAM user view the ECS instance list in the console when selecting ECS instances to add.
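The notes above make two claims that are easy to get wrong when writing a custom policy: the Describe* statement in Example 1 is what makes the console usable, and the CLB-only grant of Example 1 cannot add backend servers until the action is also authorized on the ECS instance (Examples 2 and 3). The following toy evaluator is an added example, not Alibaba Cloud code and not how the RAM service is implemented. It applies the matching rules as this editor understands them (a `*` in an Action or Resource matches any run of characters, an explicit Deny overrides any Allow, and a request that matches no Allow is denied), treats action names as case-insensitive (assumption), and models the console's instance list as a DescribeLoadBalancers request over the wildcard resource (assumption). The account ID and region in the resource strings are made up.

```python
"""Toy evaluator for Alibaba Cloud RAM policy documents (added example, not Alibaba code)."""
import json
import re


def _glob_to_regex(pattern):
    # Escape everything except '*', which becomes '.*' and may span ':' and '/'.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def _matches(pattern_or_list, value):
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(_glob_to_regex(p).match(value) for p in patterns)


def is_allowed(policy, action, resource):
    """True if `policy` (dict or JSON string) allows `action` on one `resource` string."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed = False
    for stmt in doc["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins regardless of other statements
        allowed = True
    return allowed  # default deny when nothing matched


def add_backend_allowed(policy, lb_resource, ecs_resource):
    """AddBackendServers must be authorized on the CLB instance AND on the ECS instance."""
    return all(is_allowed(policy, "slb:AddBackendServers", r) for r in (lb_resource, ecs_resource))


# Policies copied from Example 1 and Example 3 above.
EXAMPLE_1 = {
    "Statement": [
        {"Effect": "Allow", "Action": "slb:*",
         "Resource": ["acs:slb:*:*:loadbalancer/lb-abcdxxxx001",
                      "acs:slb:*:*:loadbalancer/lb-abcdxxxx002"]},
        {"Effect": "Allow", "Action": "slb:Describe*", "Resource": "*"},
    ],
    "Version": "1",
}
# Example 1 with the Describe* statement removed, to show why the note says it is required.
EXAMPLE_1_NO_DESCRIBE = {"Statement": EXAMPLE_1["Statement"][:1], "Version": "1"}

EXAMPLE_3 = {
    "Statement": [
        EXAMPLE_1["Statement"][0],
        {"Effect": "Allow", "Action": "slb:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ecs:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "slb:*",
         "Resource": ["acs:ecs:*:*:instance/i-instance001",
                      "acs:ecs:*:*:instance/i-instance002"]},
    ],
    "Version": "1",
}

# Constructed resource strings (region and account ID are made up).
LB1 = "acs:slb:cn-hangzhou:1234567890:loadbalancer/lb-abcdxxxx001"
LB3 = "acs:slb:cn-hangzhou:1234567890:loadbalancer/lb-abcdxxxx003"
ECS1 = "acs:ecs:cn-hangzhou:1234567890:instance/i-instance001"
ECS3 = "acs:ecs:cn-hangzhou:1234567890:instance/i-instance003"
# Assumption: the console's instance list is modelled as DescribeLoadBalancers over the
# wildcard resource, which only a grant on "*" (or loadbalancer/*) can satisfy.
CONSOLE_LIST = "acs:slb:cn-hangzhou:1234567890:loadbalancer/*"


def demo():
    """Evaluate the page's claims; keys name the example and the request being tried."""
    return {
        "ex1_delete_lb1": is_allowed(EXAMPLE_1, "slb:DeleteLoadBalancer", LB1),        # True
        "ex1_delete_lb3": is_allowed(EXAMPLE_1, "slb:DeleteLoadBalancer", LB3),        # False
        "ex1_console_list": is_allowed(EXAMPLE_1, "slb:DescribeLoadBalancers", CONSOLE_LIST),  # True
        "ex1_no_describe_console_list": is_allowed(
            EXAMPLE_1_NO_DESCRIBE, "slb:DescribeLoadBalancers", CONSOLE_LIST),         # False
        "ex1_no_describe_api_manage": is_allowed(
            EXAMPLE_1_NO_DESCRIBE, "slb:SetLoadBalancerStatus", LB1),                  # True
        "ex1_add_backend": add_backend_allowed(EXAMPLE_1, LB1, ECS1),  # False: ECS never granted
        "ex3_add_backend": add_backend_allowed(EXAMPLE_3, LB1, ECS1),  # True
        "ex3_add_other_ecs": add_backend_allowed(EXAMPLE_3, LB1, ECS3),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

Run it and compare the output against the notes above: the Example 1 policy manages lb-abcdxxxx001 but not lb-abcdxxxx003, the variant without Describe* still manages lb-abcdxxxx001 through the API yet cannot satisfy the console's list request, and only Example 3 lets the user attach i-instance001 as a backend server. When writing your own policy, keep the per-resource checks in mind: an action that touches two resources needs a matching Allow for each of them.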