访问控制(RAM)是阿里云提供的管理用户身份与资源访问权限的服务。使用RAM可以让您避免与其他用户共享阿里云账号密钥,并可按需为用户授予最小权限。RAM中使用权限策略描述授权的具体内容。
本文为您介绍专有网络VPC为RAM权限策略定义的操作(Action)、资源(Resource)和条件(Condition)。专有网络VPC的RAM代码(RamCode)为 vpc,支持的授权粒度为资源级。
权限策略通用结构
权限策略支持JSON格式,其通用结构如下:
{
"Version": "1",
"Statement": [
{
"Effect": "<Effect>",
"Action": "<Action>",
"Resource": "<Resource>",
"Condition": {
"<Condition_operator>": {
"<Condition_key>": [
"<Condition_value>"
]
}
}
}
]
}- Effect:权限策略效果。取值:Allow(允许)、Deny(拒绝)。
- Action:授予允许或拒绝权限的具体操作。具体信息,请参见操作(Action)。
- Resource:受操作影响的具体对象,您可以使用资源ARN来描述指定资源。具体信息,请参见资源(Resource)。
- Condition:指授权生效的条件。可选字段。具体信息,请参见条件(Condition)。
- Condition_operator:条件运算符,不同类型的条件对应不同的条件运算符。具体信息,请参见权限策略基本元素。
- Condition_key:条件关键字。
- Condition_value:条件关键字对应的值。
操作(Action)
下表是专有网络VPC定义的操作,这些操作可以在RAM权限策略语句的Action元素中使用,用来授予执行该操作的权限。下面对表中的具体项提供说明:- 操作:是指具体的权限点。
- API:是指操作对应的API接口。
- 访问级别:是指每个操作的访问级别,取值为写入(Write)、读取(Read)或列出(List)。
- 资源类型:是指操作中支持授权的资源类型。具体说明如下:
- 对于必选的资源类型,用前面加 * 表示。
- 对于不支持资源级授权的操作,用
全部资源表示。
- 条件关键字:是指云产品自身定义的条件关键字。该列不体现适用于任何操作的通用条件关键字。
- 关联操作:是指成功执行操作所需要的其他权限。操作者必须同时具备关联操作的权限,操作才能成功。
| 操作 | API | 访问级别 | 资源类型 | 条件关键字 | 关联操作 |
|---|
| 操作 | API | 访问级别 | 资源类型 | 条件关键字 | 关联操作 |
|---|---|---|---|---|---|
| vpc:ActivateRouterInterface | ActivateRouterInterface | update | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:ActiveFlowLog | ActiveFlowLog | update | *FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/{#FlowLogId} | 无 | 无 |
| vpc:AddSourcesToTrafficMirrorSession | AddSourcesToTrafficMirrorSession | update | *TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/{#TrafficMirrorSessionId} | 无 | 无 |
| vpc:AllocateIpv6Address | AllocateIpv6Address | create | *Ipv6Address acs:vpc:{#regionId}:{#accountId}:ipv6address/* | 无 | 无 |
| vpc:AllocateIpv6InternetBandwidth | AllocateIpv6InternetBandwidth | create | *Ipv6InternetBandwidth acs:vpc:{#regionId}:{#accountId}:ipv6bandwidth/* | 无 | 无 |
| vpc:AllocateVpcIpv6Cidr | AllocateVpcIpv6Cidr | none | *全部资源 * | 无 | 无 |
| vpc:AssociateHaVip | AssociateHaVip | create | *Instance acs:vpc:{#regionId}:{#accountId}:instance/{#InstanceId}*HaVip acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} | 无 | 无 |
| vpc:AssociateNetworkAcl | AssociateNetworkAcl | update | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId}*VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:AssociateRouteTable | AssociateRouteTable | update | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId} | 无 | 无 |
| vpc:AssociateRouteTableWithGateway | AssociateRouteTableWithGateway | create | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#ipv4gatewayId}*RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#routetableId} | 无 | 无 |
| vpc:AssociateRouteTablesWithVpcGatewayEndpoint | AssociateRouteTablesWithVpcGatewayEndpoint | create | *GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId} | 无 | 无 |
| vpc:AssociateVpcCidrBlock | AssociateVpcCidrBlock | create | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:AttachDhcpOptionsSetToVpc | AttachDhcpOptionsSetToVpc | update | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId}*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:ChangeResourceGroup | ChangeResourceGroup | update | *全部资源 * | 无 | 无 |
| vpc:CheckCanAllocateVpcPrivateIpAddress | CheckCanAllocateVpcPrivateIpAddress | none | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:ConnectRouterInterface | ConnectRouterInterface | update | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:CopyNetworkAclEntries | CopyNetworkAclEntries | update | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId} | 无 | 无 |
| vpc:CreateDefaultVSwitch | CreateDefaultVSwitch | Write | *VSwitch acs:vpc:{#regionid}:{#accountId}:vswitch/* | 无 | 无 |
| vpc:CreateDefaultVpc | CreateDefaultVpc | Write | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/* | 无 | 无 |
| vpc:CreateDhcpOptionsSet | CreateDhcpOptionsSet | create | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/* | 无 | 无 |
| vpc:CreateFlowLog | CreateFlowLog | create | VSwitch acs:vpc:{#regionid}:{#accountId}:vswitch/{#VSwitchId}*FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:CreateHaVip | CreateHaVip | create | *HaVip acs:vpc:{#regionId}:{#accountId}:havip/**VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:CreateIpv4Gateway | CreateIpv4Gateway | create | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/* | 无 | 无 |
| vpc:CreateIpv6EgressOnlyRule | CreateIpv6EgressOnlyRule | create | *Ipv6EgressRule acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:CreateIpv6Gateway | CreateIpv6Gateway | create | *Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/* | 无 | 无 |
| vpc:CreateNetworkAcl | CreateNetworkAcl | create | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/**VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:CreateRouteEntries | CreateRouteEntries | create | *RouteEntry acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:CreateRouteEntry | CreateRouteEntry | create | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:CreateRouteTable | CreateRouteTable | create | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/* | 无 | 无 |
| vpc:CreateRouterInterface | CreateRouterInterface | create | *VirtualBorderRouter acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VbrId}*RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/* | vpc:TargetAccountRDId | 无 |
| vpc:CreateTrafficMirrorFilter | CreateTrafficMirrorFilter | create | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/* | 无 | 无 |
| vpc:CreateTrafficMirrorFilterRules | CreateTrafficMirrorFilterRules | create | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:CreateTrafficMirrorSession | CreateTrafficMirrorSession | create | *TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/**TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:CreateVSwitch | CreateVSwitch | create | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId}*VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/* | vpc:tag | 无 |
| vpc:CreateVSwitchCidrReservation | CreateVSwitchCidrReservation | create | *VSwitchCidrReservation acs:vpc:{#regionId}:{#accountId}:vswitchcidrreservation/* | 无 | 无 |
| vpc:CreateVpc | CreateVpc | create | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/* | 无 | 无 |
| vpc:CreateVpcGatewayEndpoint | CreateVpcGatewayEndpoint | create | *GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/* | 无 | 无 |
| vpc:CreateVpcPrefixList | CreateVpcPrefixList | create | *PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/* | 无 | 无 |
| vpc:DeactivateRouterInterface | DeactivateRouterInterface | update | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:DeactiveFlowLog | DeactiveFlowLog | update | *FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/{#FlowLogId} | 无 | 无 |
| vpc:DeleteDhcpOptionsSet | DeleteDhcpOptionsSet | delete | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId} | 无 | 无 |
| vpc:DeleteFlowLog | DeleteFlowLog | delete | *FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/{#FlowLogId} | 无 | 无 |
| vpc:DeleteHaVip | DeleteHaVip | delete | *HaVip acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} | 无 | 无 |
| vpc:DeleteIpv4Gateway | DeleteIpv4Gateway | delete | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#ipv4gatewayId} | 无 | 无 |
| vpc:DeleteIpv6EgressOnlyRule | DeleteIpv6EgressOnlyRule | delete | *Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:DeleteIpv6Gateway | DeleteIpv6Gateway | delete | *Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:DeleteIpv6InternetBandwidth | DeleteIpv6InternetBandwidth | delete | *Ipv6InternetBandwidth acs:vpc:{#regionId}:{#accountId}:ipv6bandwidth/{#Ipv6InternetBandwidthId} | 无 | 无 |
| vpc:DeleteNetworkAcl | DeleteNetworkAcl | delete | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId} | 无 | 无 |
| vpc:DeleteRouteEntries | DeleteRouteEntries | delete | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#routetableId} | 无 | 无 |
| vpc:DeleteRouteEntry | DeleteRouteEntry | delete | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:DeleteRouteTable | DeleteRouteTable | delete | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:DeleteRouterInterface | DeleteRouterInterface | delete | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:DeleteTrafficMirrorFilter | DeleteTrafficMirrorFilter | delete | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:DeleteTrafficMirrorFilterRules | DeleteTrafficMirrorFilterRules | delete | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:DeleteTrafficMirrorSession | DeleteTrafficMirrorSession | delete | *TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/{#TrafficMirrorSessionId} | 无 | 无 |
| vpc:DeleteVSwitch | DeleteVSwitch | delete | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:DeleteVSwitchCidrReservation | DeleteVSwitchCidrReservation | delete | *VSwitchCidrReservation acs:vpc:{#regionId}:{#accountId}:vswitchcidrreservation/{#VSwitchCidrReservationId} | 无 | 无 |
| vpc:DeleteVpc | DeleteVpc | delete | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | vpc:tag | 无 |
| vpc:DeleteVpcGatewayEndpoint | DeleteVpcGatewayEndpoint | delete | *GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId} | 无 | 无 |
| vpc:DeleteVpcPrefixList | DeleteVpcPrefixList | delete | *PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | 无 | 无 |
| vpc:DeletionProtection | DeletionProtection | delete | *Address acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId} | 无 | 无 |
| vpc:DescribeEcGrantRelation | DescribeEcGrantRelation | list | *VirtualBorderRouter acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VbrId} | 无 | 无 |
| vpc:DescribeFlowLogs | DescribeFlowLogs | get | *FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/* | 无 | 无 |
| vpc:DescribeGrantRulesToCen | DescribeGrantRulesToCen | get | VirtualBorderRouter acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#InstanceId}GrantRuleToCen acs:vpc:{#regionId}:{#accountId}:vpc/{#InstanceId} | 无 | 无 |
| vpc:DescribeHaVips | DescribeHaVips | get | *HaVip acs:vpc:{#regionId}:{#accountId}:havip/* | 无 | 无 |
| vpc:DescribeIpv6Addresses | DescribeIpv6Addresses | list | *Ipv6InternetBandwidth acs:vpc:{#regionId}:{#accountId}:vpc/* | 无 | 无 |
| vpc:DescribeIpv6EgressOnlyRules | DescribeIpv6EgressOnlyRules | get | *Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:DescribeIpv6GatewayAttribute | DescribeIpv6GatewayAttribute | get | *Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:DescribeIpv6Gateways | DescribeIpv6Gateways | get | Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/*Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:DescribeNetworkAclAttributes | DescribeNetworkAclAttributes | get | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId} | 无 | 无 |
| vpc:DescribeNetworkAcls | DescribeNetworkAcls | list | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/* | 无 | 无 |
| vpc:DescribeRouteEntryList | DescribeRouteEntryList | get | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:DescribeRouteTableList | DescribeRouteTableList | list | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/* | vpc:VRouter vpc:VBR | 无 |
| vpc:DescribeRouteTables | DescribeRouteTables | list | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | vpc:VBR vpc:VRouter | 无 |
| vpc:DescribeRouterInterfaceAttribute | DescribeRouterInterfaceAttribute | get | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:DescribeRouterInterfaces | DescribeRouterInterfaces | list | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:DescribeSslVpnServers | DescribeSslVpnServers | list | SslVpnServer acs:vpc:{#regionId}:{#accountId}:sslvpnserver/*SslVpnServer acs:vpc:{#regionId}:{#accountId}:sslvpnserver/{#SslVpnServerId} | 无 | 无 |
| vpc:DescribeTagKeys | DescribeTagKeys | get | *全部资源 * | 无 | 无 |
| vpc:DescribeTagKeysForExpressConnect | DescribeTagKeysForExpressConnect | list | *全部资源 * | 无 | 无 |
| vpc:DescribeTags | DescribeTags | get | *全部资源 * | vpc:tag | 无 |
| vpc:DescribeVRouters | DescribeVRouters | list | *VRouter acs:vpc:{#regionId}:{#accountId}:vrouter/* | vpc:VPC | 无 |
| vpc:DescribeVSwitchAttributes | DescribeVSwitchAttributes | get | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:DescribeVSwitches | DescribeVSwitches | list | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/* | vpc:VPC | 无 |
| vpc:DescribeVpcAttribute | DescribeVpcAttribute | get | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | vpc:tag | 无 |
| vpc:DescribeVpcs | DescribeVpcs | list | VPC acs:vpc:{#regionId}:{#accountId}:vpc/*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VPCId} | vpc:tag | 无 |
| vpc:DetachDhcpOptionsSetFromVpc | DetachDhcpOptionsSetFromVpc | update | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId}*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:DisableVpcClassicLink | DisableVpcClassicLink | update | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:DissociateRouteTableFromGateway | DissociateRouteTableFromGateway | get | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#ipv4gatewayId}*RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#routetableId} | 无 | 无 |
| vpc:DissociateRouteTablesFromVpcGatewayEndpoint | DissociateRouteTablesFromVpcGatewayEndpoint | delete | *GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId} | 无 | 无 |
| vpc:EnableVpcClassicLink | EnableVpcClassicLink | update | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:EnableVpcIpv4Gateway | EnableVpcIpv4Gateway | update | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#ipv4gatewayId} | 无 | 无 |
| vpc:GetDhcpOptionsSet | GetDhcpOptionsSet | get | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId} | 无 | 无 |
| vpc:GetFlowLogServiceStatus | GetFlowLogServiceStatus | get | *FlowLogService acs:vpc:{#regionId}:{#accountId}:flowlog/* | 无 | 无 |
| vpc:GetIpv4GatewayAttribute | GetIpv4GatewayAttribute | get | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#Ipv4GatewayId} | 无 | 无 |
| vpc:GetTrafficMirrorServiceStatus | GetTrafficMirrorServiceStatus | get | *全部资源 * | 无 | 无 |
| vpc:GetVSwitchCidrReservationUsage | GetVSwitchCidrReservationUsage | get | *VSwitchCidrReservation acs:vpc:{#regionId}:{#accountId}:vswitchcidrreservation/{#VSwitchCidrReservationId} | 无 | 无 |
| vpc:GetVpcGatewayEndpointAttribute | GetVpcGatewayEndpointAttribute | get | *GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId} | 无 | 无 |
| vpc:GetVpcPrefixListAssociations | GetVpcPrefixListAssociations | get | *PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | 无 | 无 |
| vpc:GetVpcPrefixListEntries | GetVpcPrefixListEntries | get | *PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | 无 | 无 |
| vpc:GetVpcRouteEntrySummary | GetVpcRouteEntrySummary | list | RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#routetableId}*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} | 无 | 无 |
| vpc:GrantInstanceToCen | GrantInstanceToCen | update | *VirtualBorderRouter acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VirtualBorderRouterId}*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:GrantInstanceToVbr | GrantInstanceToVbr | update | *VPC acs:vpc:{#regionId}:{#AccountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:ListDhcpOptionsSets | ListDhcpOptionsSets | get | DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/*DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId} | 无 | 无 |
| vpc:ListGatewayRouteTableEntries | ListGatewayRouteTableEntries | list | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#routetableId} | 无 | 无 |
| vpc:ListIpv4Gateways | ListIpv4Gateways | list | Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/* | 无 | 无 |
| vpc:ListPrefixLists | ListPrefixLists | list | PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/* | 无 | 无 |
| vpc:ListTagResources | ListTagResources | get | BandwidthPackage acs:vpc:{#regionId}:{#accountId}:combandwidthpackage/{#BandwidthPackageId}Address acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId}NatGateway acs:vpc:{#regionId}:{#accountId}:natgateway/{#NatGatewayId}RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTable}VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId}VpnGateway acs:vpc:{#regionId}:{#accountId}:vpngateway/{#VpnGatewayId}VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | vpc:tag | 无 |
| vpc:ListTagResourcesForExpressConnect | ListTagResourcesForExpressConnect | list | *全部资源 * | 无 | 无 |
| vpc:ListTrafficMirrorFilters | ListTrafficMirrorFilters | list | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/* | 无 | 无 |
| vpc:ListTrafficMirrorSessions | ListTrafficMirrorSessions | list | *TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/* | 无 | 无 |
| vpc:ListVSwitchCidrReservations | ListVSwitchCidrReservations | list | *VSwitchCidrReservation acs:vpc:{#regionId}:{#accountId}:vswitchcidrreservation/* | 无 | 无 |
| vpc:ListVpcEndpointServicesByEndUser | ListVpcEndpointServicesByEndUser | list | *全部资源 * | 无 | 无 |
| vpc:ListVpcGatewayEndpoints | ListVpcGatewayEndpoints | list | GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/*GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId} | 无 | 无 |
| vpc:ListVpcPublishedRouteEntries | ListVpcPublishedRouteEntries | list | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:ModifyEipForwardMode | ModifyEipForwardMode | update | *Address acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId} | 无 | 无 |
| vpc:ModifyFlowLogAttribute | ModifyFlowLogAttribute | update | *FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/{#FlowLogId} | 无 | 无 |
| vpc:ModifyHaVipAttribute | ModifyHaVipAttribute | update | *HaVip acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} | 无 | 无 |
| vpc:ModifyIpv6AddressAttribute | ModifyIpv6AddressAttribute | update | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:ModifyIpv6GatewayAttribute | ModifyIpv6GatewayAttribute | update | *Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId} | 无 | 无 |
| vpc:ModifyIpv6InternetBandwidth | ModifyIpv6InternetBandwidth | update | *Ipv6InternetBandwidth acs:vpc:{#regionId}:{#accountId}:ipv6bandwidth/{#Ipv6InternetBandwidthId} | 无 | 无 |
| vpc:ModifyNetworkAclAttributes | ModifyNetworkAclAttributes | update | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId} | 无 | 无 |
| vpc:ModifyRouteEntry | ModifyRouteEntry | update | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:ModifyRouteTableAttributes | ModifyRouteTableAttributes | update | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | vpc:VRouter | 无 |
| vpc:ModifyRouterInterfaceAttribute | ModifyRouterInterfaceAttribute | update | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | vpc:TargetAccountRDId | 无 |
| vpc:ModifyRouterInterfaceSpec | ModifyRouterInterfaceSpec | update | *RouterInterface acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} | 无 | 无 |
| vpc:ModifyVRouterAttribute | ModifyVRouterAttribute | update | *VRouter acs:vpc:{#regionId}:{#accountId}:vrouter/{#VRouterId} | 无 | 无 |
| vpc:ModifyVSwitchAttribute | ModifyVSwitchAttribute | update | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:ModifyVSwitchCidrReservationAttribute | ModifyVSwitchCidrReservationAttribute | update | *VSwitchCidrReservation acs:vpc:{#regionId}:{#accountId}:vswitchcidrreservation/{#VSwitchCidrReservationId} | 无 | 无 |
| vpc:ModifyVpcAttribute | ModifyVpcAttribute | update | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | vpc:tag | 无 |
| vpc:ModifyVpcPrefixList | ModifyVpcPrefixList | update | *PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | 无 | 无 |
| vpc:MoveResourceGroup | MoveResourceGroup | update | BandwidthPackage acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/{#BandwidthPackageId}Eip acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId}VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId}PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/{#PrefixListId}GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId}DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId}FlowLog acs:vpc:{#regionId}:{#accountId}:flowlog/{#FlowLogId}HaVip acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId}Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#Ipv4GatewayId}Ipv6Gateway acs:vpc:{#regionId}:{#accountId}:ipv6gateway/{#Ipv6GatewayId}PublicIpAddressPool acs:vpc:{#regionId}:{#accountId}:publicipaddresspool/{#PublicIpAddressPoolId}TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId}TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/{#TrafficMirrorSessionId} | 无 | 无 |
| vpc:OpenFlowLogService | OpenFlowLogService | create | *FlowLogService acs:vpc:{#regionId}:{#accountId}:flowlog/* | 无 | 无 |
| vpc:OpenTrafficMirrorService | OpenTrafficMirrorService | create | *全部资源 * | 无 | 无 |
| vpc:PublishVpcRouteEntries | PublishVpcRouteEntries | update | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:ReleaseIpv6Address | ReleaseIpv6Address | delete | *Ipv6Address acs:vpc:{#regionId}:{#accountId}:ipv6address/{#Ipv6AddressId} | 无 | 无 |
| vpc:RemoveSourcesFromTrafficMirrorSession | RemoveSourcesFromTrafficMirrorSession | update | *TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/{#TrafficMirrorSessionId} | 无 | 无 |
| vpc:ReplaceVpcDhcpOptionsSet | ReplaceVpcDhcpOptionsSet | update | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId}*VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:RetryVpcPrefixListAssociation | RetryVpcPrefixListAssociation | update | *PrefixList acs:vpc:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} | 无 | 无 |
| vpc:RevokeInstanceFromCen | RevokeInstanceFromCen | update | *VirtualBorderRouter acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VirtualBorderRouterId} | 无 | 无 |
| vpc:RevokeInstanceFromVbr | RevokeInstanceFromVbr | update | *VPC acs:vpc:{#regionId}:{#AccountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:TagResources | TagResources | update | BandwidthPackage acs:vpc:{#regionId}:{#accountId}:combandwidthpackage/{#BandwidthPackageId}Address acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId}NatGateway acs:vpc:{#regionId}:{#accountId}:natgateway/{#NatGatewayId}RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId}VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId}VpnGateway acs:vpc:{#regionId}:{#accountId}:vpngateway/{#VpnGatewayId}VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | vpc:tag | 无 |
| vpc:TagResourcesForExpressConnect | TagResourcesForExpressConnect | update | *全部资源 * | 无 | 无 |
| vpc:TransformEipSegmentToPublicIpAddressPool | TransformEipSegmentToPublicIpAddressPool | create | *全部资源 * | 无 | 无 |
| vpc:UnTagResources | UnTagResources | update | Address acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId}NatGateway acs:vpc:{#regionId}:{#accountId}:natgateway/{#NatGatewayId}RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId}VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId}VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | vpc:tag | 无 |
| vpc:UnassociateHaVip | UnassociateHaVip | delete | *Instance acs:vpc:{#regionId}:{#accountId}:instance/{#InstanceId}*HaVip acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} | 无 | 无 |
| vpc:UnassociateNetworkAcl | UnassociateNetworkAcl | update | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId}*VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:UnassociateRouteTable | UnassociateRouteTable | update | *VSwitch acs:vpc:{#regionId}:{#accountId}:vswitch/{#VSwitchId} | 无 | 无 |
| vpc:UnassociateVpcCidrBlock | UnassociateVpcCidrBlock | delete | *VPC acs:vpc:{#regionId}:{#accountId}:vpc/{#VpcId} | 无 | 无 |
| vpc:UntagResourcesForExpressConnect | UntagResourcesForExpressConnect | update | *全部资源 * | 无 | 无 |
| vpc:UpdateDhcpOptionsSetAttribute | UpdateDhcpOptionsSetAttribute | update | *DhcpOptionsSet acs:vpc:{#regionId}:{#accountId}:dhcpoptionsset/{#DhcpOptionsSetId} | 无 | 无 |
| vpc:UpdateGatewayRouteTableEntryAttribute | UpdateGatewayRouteTableEntryAttribute | update | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
| vpc:UpdateIpv4GatewayAttribute | UpdateIpv4GatewayAttribute | update | *Ipv4Gateway acs:vpc:{#regionId}:{#accountId}:ipv4gateway/{#ipv4gatewayId} | 无 | 无 |
| vpc:UpdateNetworkAclEntries | UpdateNetworkAclEntries | update | *NetworkAcl acs:vpc:{#regionId}:{#accountId}:networkacl/{#NetworkAclId} | 无 | 无 |
| vpc:UpdateTrafficMirrorFilterAttribute | UpdateTrafficMirrorFilterAttribute | update | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:UpdateTrafficMirrorFilterRuleAttribute | UpdateTrafficMirrorFilterRuleAttribute | update | *TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:UpdateTrafficMirrorSessionAttribute | UpdateTrafficMirrorSessionAttribute | update | *TrafficMirrorSession acs:vpc:{#regionId}:{#accountId}:trafficmirrorsession/{#TrafficMirrorSessionId}TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId} | 无 | 无 |
| vpc:UpdateVpcGatewayEndpointAttribute | UpdateVpcGatewayEndpointAttribute | update | *GatewayEndpoint acs:vpc:{#regionId}:{#accountId}:gatewayendpoint/{#GatewayEndpointId} | 无 | 无 |
| vpc:WithdrawVpcPublishedRouteEntries | WithdrawVpcPublishedRouteEntries | update | *RouteTable acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} | 无 | 无 |
资源(Resource)
下表是专有网络VPC定义的资源,这些资源可以在RAM权限策略语句的Resource元素中使用,用来授予对该资源执行具体操作的权限。 其中,资源ARN是资源在阿里云上的唯一标识。具体说明如下:{#}为变量标识,需要您替换为实际值。例如:{#ramcode}需要您替换为实际的云服务RAM代码。-
*表示全部。例如:{#resourceType}为*时:表示全部资源。{#regionId}为*时:表示全部地域。{#accountId}为*时:表示全部阿里云账号。
| 资源类型 | 资源ARN |
|---|
| 资源类型 | 资源ARN |
|---|---|
| Address |
|
| Association |
|
| BandwidthPackage |
|
| CommonBandwidthPackage |
|
| CustomerGateway |
|
| DhcpOptionsSet |
|
| Eip |
|
| FlowLog |
|
| FlowLogService |
|
| ForwardTable |
|
| FullNat |
|
| GatewayEndpoint |
|
| GatewayInfo |
|
| GlobalAccelerationInstance |
|
| GrantRuleToCen |
|
| HaVip |
|
| IPv6Translator |
|
| Instance |
|
| IpsecServer |
|
| Ipv4Gateway |
|
| Ipv6Address |
|
| Ipv6EgressRule |
|
| Ipv6Gateway |
|
| Ipv6InternetBandwidth |
|
| Ipv6Translator |
|
| NatGateway |
|
| NatIp |
|
| NatIpCidr |
|
| NetworkAcl |
|
| PhysicalConnection |
|
| PrefixList |
|
| PublicIpAddressPool |
|
| PublicIpAddressPoolService |
|
| RouteEntry |
|
| RouteTable |
|
| RouterInterface |
|
| SegmentAddress |
|
| SnatEntry |
|
| SnatTable |
|
| SslVpnClientCert |
|
| SslVpnServer |
|
| TrafficMirrorFilter |
|
| TrafficMirrorService |
|
| TrafficMirrorSession |
|
| TrafficQos |
|
| VPC |
|
| VRouter |
|
| VSwitch |
|
| VSwitchCidrReservation |
|
| VirtualBorderRouter |
|
| VpnAttachment |
|
| VpnConnection |
|
| VpnConnections |
|
| VpnGateway |
|
| physicalconnection |
|
条件(Condition)
下表是专有网络VPC定义的产品级条件关键字,这些条件关键字可以在RAM权限策略语句的
Condition元素中使用,用来描述授予权限的条件。以下仅列举产品级的条件关键字,阿里云定义的通用条件关键字也同样适用专有网络VPC。其中,数据类型决定了您可以使用哪些条件运算符将请求中的值与权限策略语句中的值进行比较。您必须使用与数据类型匹配的条件运算符,否则无法匹配策略语句,授权行为无效。数据类型与条件运算符的对应关系,请参见条件操作类型。
| 条件关键字 | 描述 | 类型 |
|---|
| 条件关键字 | 描述 | 类型 |
|---|---|---|
| vpc:PhysicalConnection | 物理专线信息 | String |
| vpc:TargetAccountRDId | 对端用户资源目录ID信息 | String |
| vpc:VBR | 边界路由器信息 | String |
| vpc:VPC | VPC信息 | String |
| vpc:VRouter | 路由器信息 | String |
| vpc:tag | VPC的标签 | String |
