This topic describes how to manage Virtual Private Cloud (VPC) permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to the RAM user.
Prerequisites
Common system policies
| Policy | Description |
|---|---|
| AliyunVPCFullAccess | Grants a RAM user the permissions to manage VPCs. |
| AliyunVPCReadOnlyAccess | Grants a RAM user the read-only permission on VPCs. |
Attach a custom policy to a RAM user
VPC authorization examples
- Example 1: Authorize a RAM user to manage the VPCs in an Alibaba Cloud account.
To authorize a RAM user to manage all VPCs in the Alibaba Cloud account 1234567, use the following sample policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "vpc:*" ],
      "Resource": [ "acs:vpc:*:1234567:*/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
- Example 2: Authorize a RAM user to manage the VSwitches in a VPC.
To authorize a RAM user to manage the VSwitches of the VPCs in the China (Qingdao) region, use the following sample policy. After being authorized, the RAM user can create or delete VSwitches, associate or disassociate subnet routes of the VSwitches in the VPC, and view the VSwitches in other regions.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*" ],
      "Resource": [ "acs:vpc:cn-qingdao:*:*/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
- Example 3: Authorize a RAM user to manage the route tables and the relevant route entries in a specified region.
To authorize the RAM user 11111111 to manage the VPCs in the China (Hangzhou) region, use the following sample policy. After being authorized, the RAM user can add or delete route entries, create subnet routes, and associate VSwitches in this region, and can view the cloud products in other regions.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "slb:*Describe*" ],
      "Resource": [ "*" ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "rds:*Describe*" ],
      "Resource": [ "*" ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "vpc:*Describe*", "vpc:*RouteEntry*", "vpc:*RouteTable*" ],
      "Resource": [ "acs:vpc:cn-hangzhou:11111111:*/*" ],
      "Condition": {}
    }
  ]
}
```
- Example 4: Authorize a RAM user to add or delete the route entries in a specified route table.
To authorize a RAM user to add or delete the route entries in a specified route table, use the following sample policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "vpc:*RouteEntry*" ],
      "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "vpc:*Describe*" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
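To check how narrowly Example 2 and Example 4 actually scope a RAM user before attaching them, the following Python snippet (added here; not Alibaba Cloud's code) applies a simplified version of RAM's Allow/Deny evaluation to those two policies. The wildcard semantics (exact-case glob matching, conditions ignored) and the sample VSwitch and route table IDs are assumptions.

```python
import fnmatch
import json

# The page's Example 2 and Example 4 policies, embedded so this runs offline.
EXAMPLE_2 = json.loads("""{ "Version": "1", "Statement": [
  { "Effect": "Allow",
    "Action": [ "vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*" ],
    "Resource": [ "acs:vpc:cn-qingdao:*:*/*" ] },
  { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }""")

EXAMPLE_4 = json.loads("""{ "Version": "1", "Statement": [
  { "Effect": "Allow", "Action": [ "vpc:*RouteEntry*" ],
    "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ] },
  { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] },
  { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }""")


def _as_list(value):
    # Action/Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Assumption: '*' is the only wildcard and matching is exact-case;
    # this simplifies RAM's real pattern rules.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified decision: explicit Deny wins, any Allow grants, else implicit deny.

    Conditions are ignored (the page's examples only carry an empty "Condition": {}).
    """
    decision = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def allowed_actions(policy, candidates, resource):
    """Return the sorted subset of candidate API actions the policy permits on a resource."""
    return sorted(a for a in candidates if is_allowed(policy, a, resource))


if __name__ == "__main__":
    # Constructed sample resource IDs (not real resources).
    vsw_qd = "acs:vpc:cn-qingdao:1234567:vswitch/vsw-constructed"
    vsw_hz = "acs:vpc:cn-hangzhou:1234567:vswitch/vsw-constructed"
    print(is_allowed(EXAMPLE_2, "vpc:CreateVSwitch", vsw_qd))  # True: in-region
    print(is_allowed(EXAMPLE_2, "vpc:CreateVSwitch", vsw_hz))  # False: other region
    print(allowed_actions(EXAMPLE_4, ["vpc:CreateRouteEntry", "vpc:DeleteRouteTable"],
                          "acs:vpc:cn-qingdao:1234567:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"))
```

Run it against a candidate list of the API actions a role really needs; any action that comes back in the allowed set but is not on that list is a sign the wildcard pattern is wider than intended.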