Help Center/ System Permissions/ User Guide/ Identity Policy–based Authorization/ Networking/ Enterprise Router
Updated on 2025-11-06 GMT+08:00
View PDF
Share

Enterprise Router

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see How IAM Is Different from Organizations for Access Control?.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by er, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by er, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for er.

Table 1 Actions supported by er

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

er:instances:get

Grants permission to get an enterprise router.

Read

instances *

-

er:instances:create

Grants permission to create an enterprise router.

Write

instances *

g:EnterpriseProjectId

-

-

er:instances:list

Grants permission to list enterprise routers.

List

instances *

-

-

er:instances:update

Grants permission to update an enterprise router.

Write

instances *

-

er:instances:delete

Grants permission to delete an enterprise router.

Write

instances *

-

er:instances:changeAZ

Grants permission to change the AZ of an enterprise router.

Write

instances *

-

er:instances:createVpcAttachment

Grants permission to create a VPC attachment.

Write

instances *

er:attachments:create

er:instances:showVpcAttachment

Grants permission to get a VPC attachment.

Read

instances *

er:attachments:get

er:instances:listVpcAttachments

Grants permission to list VPC attachments.

List

instances *

-

er:attachments:list

er:instances:updateVpcAttachment

Grants permission to update a VPC attachment.

Write

instances *

er:attachments:update

er:instances:deleteVpcAttachment

Grants permission to delete a VPC attachment.

Write

instances *

er:attachments:delete

er:commonAttachments:get

Grants permission to get an attachment.

Read

attachments *

er:attachments:get

er:commonAttachments:list

Grants permission to list attachments.

List

attachments *

-

er:attachments:list

er:commonAttachments:update

Grants permission to update an attachment.

Write

attachments *

er:attachments:update

er:attachments:accept

Grants permission to accept an attachment.

Write

attachments *

g:EnterpriseProjectId

-

er:attachments:reject

Grants permission to reject an attachment.

Write

attachments *

g:EnterpriseProjectId

-

er:routeTables:get

Grants permission to get a routeTable.

Read

routeTables *

-

er:routeTables:create

Grants permission to create a route table.

Write

routeTables *

-

-

instances *

-

er:routeTables:list

Grants permission to list route tables.

List

routeTables *

-

-

er:routeTables:update

Grants permission to update a route table.

Write

routeTables *

-

er:routeTables:delete

Grants permission to delete a route table.

Write

routeTables *

-

er:routeTables:associate

Grants permission to associate an attachment with a route table.

Write

routeTables *

er:associations:associate

attachments *

er:routeTables:disassociate

Grants permission to disassociate an attachment with a route table.

Write

routeTables *

er:associations:disassociate

attachments *

er:routeTables:listAssociations

Grants permission to list associations.

List

routeTables *

er:associations:list

er:routeTables:enablePropagation

Grants permission to enable an attachment to propagate routes to a propagation route table.

Write

routeTables *

er:propagations:enable

attachments *

er:routeTables:disablePropagation

Grants permission to disable a resource attachment from propagating routes to the specified propagation route table.

Write

routeTables *

er:propagations:disable

attachments *

er:routeTables:listPropagations

Grants permission to list propagations.

List

routeTables *

er:propagations:list

er:staticRoutes:list

Grants permission to list static routes.

List

routeTables *

er:routes:list

er:staticRoutes:create

Grants permission to create a static route.

Write

routeTables *

er:routes:create

attachments

er:effectiveRoutes:list

Grants permission to list effective routes.

List

routeTables *

er:routes:list

er:staticRoutes:delete

Grants permission to delete a static route.

Write

routeTables *

er:routes:delete

er:staticRoutes:update

Grants permission to update a static route.

Write

routeTables *

er:routes:update

attachments

er:staticRoutes:get

Grants permission to get a static route.

Read

routeTables *

er:routes:get

er:tags:singleCreate

Grants permission to create a resource tag.

Write

routeTables

er:tags:create

instances

attachments

er:tags:delete

Grants permission to delete a resource tag.

Write

routeTables

-

instances

attachments

er:tags:batchOperation

Grants permission to batch create or delete resource tags.

Write

routeTables

er:tags:create

instances

attachments

er:tags:get

Grants permission to get the tags of a resource.

Read

routeTables

-

instances

attachments

er:tags:list

Grants permission to list resource tags.

List

-

-

-

er:quotas:list

Grants permission to list quotas.

List

-

-

-

er:flowLogs:create

Grants permission to create flow log.

Write

instances *

-

attachments *

flowLogs *

-

er:flowLogs:list

Grants permission to list flow log.

List

flowLogs *

-

-

er:flowLogs:get

Grants permission to show flow log.

Read

flowLogs *

-

-

er:flowLogs:update

Grants permission to update flow log.

Write

flowLogs *

-

-

er:flowLogs:delete

Grants permission to delete flow log.

Write

flowLogs *

-

-

er:flowLogs:enable

Grants permission to enable flow log.

Write

flowLogs *

-

-

er:flowLogs:disable

Grants permission to disable flow log.

Write

flowLogs *

-

-

Each API of er usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by er APIs

API

Action

Dependencies

POST /v3/{project_id}/enterprise-router/instances

er:instances:create

-

PUT /v3/{project_id}/enterprise-router/instances/{er_id}

er:instances:update

-

GET /v3/{project_id}/enterprise-router/instances/{er_id}

er:instances:get

-

GET /v3/{project_id}/enterprise-router/instances

er:instances:list

-

POST /v3/{project_id}/enterprise-router/instances/{er_id}/change-availability-zone-ids

er:instances:changeAZ

-

DELETE /v3/{project_id}/enterprise-router/instances/{er_id}

er:instances:delete

-

POST /v3/{project_id}/enterprise-router/{er_id}/vpc-attachments

er:instances:createVpcAttachment

-

PUT /v3/{project_id}/enterprise-router/{er_id}/vpc-attachments/{vpc_attachment_id}

er:instances:updateVpcAttachment

-

GET /v3/{project_id}/enterprise-router/{er_id}/vpc-attachments/{vpc_attachment_id}

er:instances:showVpcAttachment

-

GET /v3/{project_id}/enterprise-router/{er_id}/vpc-attachments

er:instances:listVpcAttachments

-

DELETE /v3/{project_id}/enterprise-router/{er_id}/vpc-attachments/{vpc_attachment_id}

er:instances:deleteVpcAttachment

-

PUT /v3/{project_id}/enterprise-router/{er_id}/attachments/{attachment_id}

er:commonAttachments:update

-

GET /v3/{project_id}/enterprise-router/{er_id}/attachments/{attachment_id}

er:commonAttachments:get

-

GET /v3/{project_id}/enterprise-router/{er_id}/attachments

er:commonAttachments:list

-

POST /v3/{project_id}/enterprise-router/{er_id}/attachments/{attachment_id}/accept

er:attachments:accept

-

POST /v3/{project_id}/enterprise-router/{er_id}/attachments/{attachment_id}/reject

er:attachments:reject

-

POST /v3/{project_id}/enterprise-router/{er_id}/route-tables

er:routeTables:create

-

PUT /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}

er:routeTables:update

-

GET /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}

er:routeTables:get

-

GET /v3/{project_id}/enterprise-router/{er_id}/route-tables

er:routeTables:list

-

DELETE /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}

er:routeTables:delete

-

POST /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/associate

er:routeTables:associate

-

GET /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/associations

er:routeTables:listAssociations

-

POST /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/disassociate

er:routeTables:disassociate

-

POST /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/enable-propagations

er:routeTables:enablePropagation

-

GET /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/propagations

er:routeTables:listPropagations

-

POST /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/disable-propagations

er:routeTables:disablePropagation

-

POST /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/static-routes

er:staticRoutes:create

-

PUT /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/static-routes/{route_id}

er:staticRoutes:update

-

GET /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/static-routes/{route_id}

er:staticRoutes:get

-

GET /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/static-routes

er:staticRoutes:list

-

GET /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/routes

er:effectiveRoutes:list

-

DELETE /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/static-routes/{route_id}

er:staticRoutes:delete

-

GET /v3/{project_id}/{resource_type}/tags

er:tags:list

-

GET /v3/{project_id}/{resource_type}/{resource_id}/tags

er:tags:get

-

POST /v3/{project_id}/{resource_type}/{resource_id}/tags

er:tags:singleCreate

-

POST /v3/{project_id}/{resource_type}/{resource_id}/tags/action

er:tags:batchOperation

-

DELETE /v3/{project_id}/{resource_type}/{resource_id}/tags/{key}

er:tags:delete

-

GET /v3/{project_id}/enterprise-router/quotas

er:quotas:list

-

POST /v3/{project_id}/enterprise-router/{er_id}/flow-logs

er:flowLogs:create

-

GET /v3/{project_id}/enterprise-router/{er_id}/flow-logs

er:flowLogs:list

-

GET /v3/{project_id}/enterprise-router/{er_id}/flow-logs/{flow_log_id}

er:flowLogs:get

-

PUT /v3/{project_id}/enterprise-router/{er_id}/flow-logs/{flow_log_id}

er:flowLogs:update

-

DELETE /v3/{project_id}/enterprise-router/{er_id}/flow-logs/{flow_log_id}

er:flowLogs:delete

-

POST /v3/{project_id}/enterprise-router/{er_id}/flow-logs/{flow_log_id}/enable

er:flowLogs:enable

-

POST /v3/{project_id}/enterprise-router/{er_id}/flow-logs/{flow_log_id}/disable

er:flowLogs:disable

-

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for er.

Table 3 Resource types supported by er

Resource Type

URN

instances

er:<region>:<account-id>:instances:<instance-id>

routeTables

er:<region>:<account-id>:routeTables:<route-table-id>

flowLogs

er:<region>:<account-id>:flowLogs:<flow-log-id>

attachments

er:<region>:<account-id>:attachments:<attachment-id>

Conditions

er does not support service-specific condition keys in identity policies.It can only use global condition keys applicable to all services. For details, see Global Condition Keys.

Parent topic: Networking