Help Center> VPC Endpoint> API Reference> API> VPC Endpoints> Modifying the Policy of a Gateway VPC Endpoint

Updated on 2024-04-19 GMT+08:00

Online Debugging

CLI Examples

View PDF

Modifying the Policy of a Gateway VPC Endpoint

Function

This API is used to modify the policy of a VPC endpoint for accessing gateway VPC endpoint services.

Calling Method

For details, see Calling APIs.

URI

PUT /v1/{project_id}/vpc-endpoints/{vpc_endpoint_id}/policy

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Specifies the project ID. Minimum: 1 Maximum: 64
vpc_endpoint_id	Yes	String	Specifies the ID of the VPC endpoint. Minimum: 1 Maximum: 64

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Specifies the user token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token.
Content-Type	No	String	Specifies the MIME type of the request body. Default value application/json is recommended. For APIs used to upload objects or images, the MIME type varies depending on the flow type. Default: application/json

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
policy_statement	Yes	Array of PolicyStatement objects	Only gateway VPC endpoints with both ends fixed are involved.

**Table 4** PolicyStatement
Parameter	Mandatory	Type	Description
Effect	Yes	String	Specifies whether to accept or reject the OBS permissions or object.
Action	Yes	Array of strings	Specifies OBS access permissions.
Resource	Yes	Array of strings	Specifies the OBS object.

Response Parameters

Status code: 200

**Table 5** Response body parameters
Parameter	Type	Description
id	String	Specifies the unique ID of the VPC endpoint. Minimum: 1 Maximum: 64
service_type	String	Specifies the type of the VPC endpoint service that the VPC endpoint is used to connect to. gateway: indicates VPC endpoint services that are configured by the O&M personnel. You can directly use them. interface: indicates cloud services configured by the O&M personnel and private services created by yourselves. You cannot configure these cloud services, but can use them. You can query the public VPC endpoint services to view the VPC endpoint services that are visible and accessible to all users and are configured by the O&M personnel. You can create interface VPC endpoint services.
status	String	Specifies the VPC endpoint status. pendingAcceptance: The VPC endpoint is to be accepted. creating: The VPC endpoint is being created. accepted: The VPC endpoint has been accepted. rejected: The VPC endpoint has been rejected. failed: The VPC endpoint service failed to be created. deleting: The VPC endpoint service is being deleted.
active_status	Array of strings	Specifies the account status. frozen: The account is frozen. active: The account is unfrozen.
endpoint_service_name	String	Specifies the name of a VPC endpoint service.
marker_id	Integer	Specifies the packet ID of the VPC endpoint.
endpoint_service_id	String	Specifies the ID of the VPC endpoint service. Minimum: 1 Maximum: 64
ip	String	Specifies the IP address for accessing the associated VPC endpoint service. This parameter is returned only under the following conditions: You query a VPC endpoint for accessing an interface VPC endpoint service. Connection approval has been enabled for the VPC endpoint service, and the connection has been approved. status of the VPC endpoint can be accepted or rejected. The rejected status only appears when the VPC endpoint is accepted and then rejected. Minimum: 1 Maximum: 64
vpc_id	String	Specifies the ID of the VPC where the VPC endpoint is to be created. Minimum: 1 Maximum: 64
created_at	String	Specifies when the VPC endpoint was created. The UTC time format YYYY-MM-DDTHH:MM:SSZ is used.
updated_at	String	Specifies the update time of the VPC endpoint. The UTC time format YYYY-MM-DDTHH:MM:SSZ is used.
project_id	String	Specifies the project ID. For details about how to obtain the project ID, see Obtaining a Project ID. Minimum: 1 Maximum: 64
tags	Array of TagList objects	Specifies the list of queried tags. If no tag is matched, an empty array is returned.
error	Array of QueryError objects	Specifies the error message. This field is returned when the VPC endpoint is abnormal, that is, the value of status is failed.
whitelist	Array of strings	Specifies the whitelist for controlling access to the VPC endpoint. If you do not specify this parameter, an empty whitelist will be returned. This parameter is available only when you create a VPC endpoint for connecting to an interface VPC endpoint service. Minimum: 0 Maximum: 32
enable_whitelist	Boolean	Specifies whether access control is enabled. true: Access control is enabled. false: Access control is disabled. If you do not specify this parameter, false will be returned. This parameter is available only when you create a VPC endpoint for connecting to an interface VPC endpoint service.
routetables	Array of strings	Specifies the IDs of route tables. If this parameter is not specified, the ID of the default route table of the VPC is returned. This parameter is available only when you create a VPC endpoint for connecting to a gateway VPC endpoint service. Minimum: 0 Maximum: 64
description	String	Specifies the description field. The value can contain characters such as letters and digits, but cannot contain less than signs (<) nor great than signs (>). Minimum: 0 Maximum: 512
policy_statement	Array of PolicyStatement objects	This field is displayed in the response body only for gateway VPC endpoints that have both VPC endpoint and OBS bucket policies configured. Array Length: 0 - 10
endpoint_pool_id	String	(To be discarded) Specifies the ID of the cluster associated with the VPC endpoint. Minimum: 1 Maximum: 64
public_border_group	String	Specifies the information about the public border group associated with the VPC endpoint. This parameter is returned only when the VPC endpoint is associated with an edge pool.

**Table 6** TagList
Parameter	Type	Description
key	String	Specifies the tag key. A tag key contains a maximum of 36 Unicode characters. It cannot be left blank. It cannot contain equal signs (=), asterisks (*), less than signs (<), greater than signs (>), backslashes (), commas (,), vertical bars (\|), and slashes (/), and the first and last characters cannot be spaces. Minimum: 1 Maximum: 36
value	String	Specifies the tag key. A tag value contains a maximum of 43 Unicode characters and can be an empty string. It cannot contain equal signs (=), asterisks (*), less than signs(<), greater than signs (>), backslashes (), commas (,), vertical bars (\|), and slashes (/), and the first and last characters cannot be spaces. Minimum: 1 Maximum: 43

**Table 7** QueryError
Parameter	Type	Description
error_code	String	Error code. Minimum: 0 Maximum: 10
error_message	String	Error message. Minimum: 0 Maximum: 1024

**Table 8** PolicyStatement
Parameter	Type	Description
Effect	String	Specifies whether to accept or reject the OBS permissions or object.
Action	Array of strings	Specifies OBS access permissions.
Resource	Array of strings	Specifies the OBS object.

Example Requests

Modifying the policy of a gateway VPC endpoint (Setting Action to obs::, Resource to obs::::/* and obs::::, and Effect to** Allow**)

PUT https://{endpoint}/v1/{project_id}/vpc-endpoints/938c8167-631e-40a4-99f9-493753fbd16b/policy

{
  "policy_statement" : [ {
    "Action" : [ "obs:*:*" ],
    "Resource" : [ "obs:*:*:*:*/*", "obs:*:*:*:*" ],
    "Effect" : "Allow"
  } ]
}

Example Responses

Status code: 200

The server has successfully processed the request.

{
  "id" : "938c8167-631e-40a4-99f9-493753fbd16b",
  "status" : "accepted",
  "tags" : [ ],
  "marker_id" : 302035929,
  "active_status" : [ "active" ],
  "vpc_id" : "0da03835-1dcf-4361-9b87-34139d58dd59",
  "service_type" : "gateway",
  "project_id" : "0605767a3300d5762fb7c0186d9e1779",
  "routetables" : [ "99477d3b-87f6-49d2-8f3b-2ffc72731a38" ],
  "created_at" : "2022-08-03T03:03:54Z",
  "updated_at" : "2022-08-03T03:03:57Z",
  "endpoint_service_id" : "4651bc78-5cec-41b7-b448-f77326ebbed0",
  "endpoint_service_name" : "br-abc-aaa1.obs_test.4651bc78-5cec-41b7-b448-f77326ebbed0",
  "policy_statement" : [ {
    "Action" : [ "obs:*:*" ],
    "Resource" : [ "obs:*:*:*:*/*", "obs:*:*:*:*" ],
    "Effect" : "Allow"
  } ],
  "description" : "",
  "endpoint_pool_id" : "b0ad6a4f-55c0-43f1-a26d-278639661fc2"
}

SDK Sample Code

The SDK sample code is as follows.

Modifying the policy of a gateway VPC endpoint (Setting Action to obs::, Resource to obs::::/* and obs::::, and Effect to** Allow**)

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpcep.v1.region.VpcepRegion;
import com.huaweicloud.sdk.vpcep.v1.*;
import com.huaweicloud.sdk.vpcep.v1.model.*;

import java.util.List;
import java.util.ArrayList;

public class UpdateEndpointPolicySolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        VpcepClient client = VpcepClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcepRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateEndpointPolicyRequest request = new UpdateEndpointPolicyRequest();
        UpdateEndpointPolicyRequestBody body = new UpdateEndpointPolicyRequestBody();
        List<String> listPolicyStatementResource = new ArrayList<>();
        listPolicyStatementResource.add("obs:*:*:*:*/*");
        listPolicyStatementResource.add("obs:*:*:*:*");
        List<String> listPolicyStatementAction = new ArrayList<>();
        listPolicyStatementAction.add("obs:*:*");
        List<PolicyStatement> listbodyPolicyStatement = new ArrayList<>();
        listbodyPolicyStatement.add(
            new PolicyStatement()
                .withEffect(PolicyStatement.EffectEnum.fromValue("Allow"))
                .withAction(listPolicyStatementAction)
                .withResource(listPolicyStatementResource)
        );
        body.withPolicyStatement(listbodyPolicyStatement);
        request.withBody(body);
        try {
            UpdateEndpointPolicyResponse response = client.updateEndpointPolicy(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

Modifying the policy of a gateway VPC endpoint (Setting Action to obs::, Resource to obs::::/* and obs::::, and Effect to** Allow**)

      
       
         
         
           # coding: utf-8

from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpcep.v1.region.vpcep_region import VpcepRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpcep.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = __import__('os').getenv("CLOUD_SDK_AK")
    sk = __import__('os').getenv("CLOUD_SDK_SK")

    credentials = BasicCredentials(ak, sk) \

    client = VpcepClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcepRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateEndpointPolicyRequest()
        listResourcePolicyStatement = [
            "obs:*:*:*:*/*",
            "obs:*:*:*:*"
        ]
        listActionPolicyStatement = [
            "obs:*:*"
        ]
        listPolicyStatementbody = [
            PolicyStatement(
                effect="Allow",
                action=listActionPolicyStatement,
                resource=listResourcePolicyStatement
            )
        ]
        request.body = UpdateEndpointPolicyRequestBody(
            policy_statement=listPolicyStatementbody
        )
        response = client.update_endpoint_policy(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

Modifying the policy of a gateway VPC endpoint (Setting Action to obs::, Resource to obs::::/* and obs::::, and Effect to** Allow**)

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    vpcep "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpcep/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := vpcep.NewVpcepClient(
        vpcep.VpcepClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateEndpointPolicyRequest{}
	var listResourcePolicyStatement = []string{
        "obs:*:*:*:*/*",
	    "obs:*:*:*:*",
    }
	var listActionPolicyStatement = []string{
        "obs:*:*",
    }
	var listPolicyStatementbody = []model.PolicyStatement{
        {
            Effect: model.GetPolicyStatementEffectEnum().ALLOW,
            Action: listActionPolicyStatement,
            Resource: listResourcePolicyStatement,
        },
    }
	request.Body = &model.UpdateEndpointPolicyRequestBody{
		PolicyStatement: listPolicyStatementbody,
	}
	response, err := client.UpdateEndpointPolicy(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     