- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Public NAT Gateway Operation Guide
- Private NAT Gateway Operation Guide
- Practical Tutorial
- Enabling Cross-VPC Access to Public Network via Standard NAT Gateway
- Enabling Mutual Access between a Specified VPC Subnet and Public Network Resources via Private NAT Gateway
- Enabling Secure Mutual Access with Public Network via Public CLB and NAT Gateway
- Adjusting the Priorities of NAT Gateways and EIPs
- API Documentation
- FAQ
- Service Level Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Public NAT Gateway Operation Guide
- Private NAT Gateway Operation Guide
- Practical Tutorial
- Enabling Cross-VPC Access to Public Network via Standard NAT Gateway
- Enabling Mutual Access between a Specified VPC Subnet and Public Network Resources via Private NAT Gateway
- Enabling Secure Mutual Access with Public Network via Public CLB and NAT Gateway
- Adjusting the Priorities of NAT Gateways and EIPs
- API Documentation
- FAQ
- Service Level Agreement
- Contact Us
- Glossary
Overview
Through the Cloud Access Management (CAM) policies, users can be granted with the permissions to view and use specific resources in the console. This document provides examples of the permissions to view and use specific resources of a private NAT gateway, for guiding the users on how to use the policies for specific parts of the console.
Authorization Definition
Resources Supporting Private NAT Gateway Authorization in CAM
Resource Type | Resource Description Method in Authorization Policies |
NAT gateway instances | qcs::vpc:{region_short_name}:uin/{Uin}:nat/{NatGatewayId} |
NAT gateway APIs | qcs::vpc:{region_short_name}:uin/{Uin}:nat/* |
Where:
All
{region_short_name} should be the ID of a certain region or empty.All
{Uin} should be the AccountId of the resource owner or empty.All
{NatGatewayId} should be the ID of a NAT instance or empty.Others can be deduced similarly.
APIs Supporting Private NAT Gateway Authorization in CAM
In CAM, you can authorize the following actions for a NAT resource.
API Action | Resource Description | API Description |
CreatePrivateNatGateway | Creates private NAT gateways. | qcs::vpc:$region:$account:intranat/* qcs::vpc:$region:$account:vpc/* |
DeletePrivateNatGateway | Deletes private NAT gateways. | qcs::vpc:$region:$account:intranat/$intranatid |
ModifyPrivateNatGatewayAttribute | Modifies private NAT gateway attributes. | qcs::vpc:$region:$account:intranat/$intranatid |
DescribePrivateNatGateways | Queries private NAT gateways. | qcs::vpc:$region:$account:intranat/* |
DescribePrivateNatGatewayLimits | Queries the number limit for creating private NAT gateways. | qcs::vpc:$region:$account:intranat/* qcs::vpc:$region:$account:vpc/$vpcid |
CreatePrivateNatGatewayTranslationNatRule | Creates the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DeletePrivateNatGatewayTranslationNatRule | Deletes the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
ModifyPrivateNatGatewayTranslationNatRule | Modifies the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DescribePrivateNatGatewayTranslationNatRules | Queries the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
CreatePrivateNatGatewayTranslationAclRule | Creates the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DeletePrivateNatGatewayTranslationAclRule | Deletes the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
ModifyPrivateNatGatewayTranslationAclRule | Modifies the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DescribePrivateNatGatewayTranslationAclRules | Queries the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
CreatePrivateNatGatewayDestinationIpPortTranslationNatRule | Creates the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DeletePrivateNatGatewayDestinationIpPortTranslationNatRule | Deletes the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
ModifyPrivateNatGatewayDestinationIpPortTranslationNatRule | Modifies the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DescribePrivateNatGatewayDestinationIpPortTranslationNatRules | Queries the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
DescribePrivateNatGatewayRegions | Queries the supported regions for the private NAT gateway. | qcs::vpc:$region:$account:intranat/* |
Sample Policies
Full Read-Write Policy for All NAT Gateways
Grant a sub-account with full administrative permissions for the NAT service, including creation, management, and all other operations.
{"version": "2.0","statement": [{"action": ["vpc:*"],"resource": "qcs::vpc::$uin:nat/*","effect": "allow"}]}{"version": "2.0","statement": [{"action": ["vpc:*"],"resource": "qcs::vpc::$uin:intranat/*","effect": "allow"}]}
Read-Only Policy
Grant a sub-account with the read-only access permission for NAT gateways.
{"version": "2.0","statement": [{"action": ["vpc:Describe*"],"resource": "qcs::vpc::$uin:nat/*","effect": "allow" }]}{"version": "2.0","statement": [{"action": ["vpc:Describe*"],"resource": "qcs::vpc::$uin:intranat/*","effect": "allow"}]}
Full Read-Write Policy for a NAT Gateway Under a Specific Tag
{"version":"2.0","statement":[{"effect":"allow","action":"*","resource":"*","condition":{"for_any_value:string_equal":{"qcs:tag":["tagkey&tagvalue"]}}}]}
Yes
No
Was this page helpful?