This topic describes how to manage a RAM user's VPC permissions by creating custom policies in the RAM console and attaching them to the RAM user.

Prerequisites

You have registered an Alibaba Cloud account. For more information, visit the account registration page.

Common system policies

The following table describes the common system policies that you can use in the RAM console to manage VPC permissions.

Policy                    Description
AliyunVPCFullAccess       Grants a RAM user full permissions to manage VPCs.
AliyunVPCReadOnlyAccess   Grants a RAM user read-only permission for VPCs.

Note For more information about VPC permissions, see RAM authentication.

Attach custom policies to a RAM user

  1. Create a custom policy. You can use the VPC authorization examples in this topic as templates.
    For more information, see Create a custom policy and VPC authorization examples.
  2. On the Policies page, click the name of the target policy.
  3. Click the References tab, and then click Grant Permission.
  4. In the Add Permissions dialog box, enter the name or ID of the target RAM user in the Principal field, and then click OK.
    Note You can also attach an existing policy to a RAM user or RAM user group. For more information, see Grant permission to a RAM user and Grant permission to a RAM user group.

VPC authorization examples

  • Example 1: Authorize a RAM user to manage the VPCs under an account

    To authorize a RAM user to manage all VPCs under the account 1234567, use the following script. The first statement grants all VPC actions (vpc:*) on every VPC resource in every region under that account; the second statement grants read-only ECS permissions (ecs:*Describe*) so that the RAM user can view the ECS instances deployed in the VPCs:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*"
                ],
                "Resource": [
                    "acs:vpc:*:1234567:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Authorize a RAM user to manage the VSwitches in a VPC

    To authorize a RAM user to create and delete VSwitches, and to associate or disassociate subnet routes (route tables) with VSwitches, in the China (Qingdao) region, use the following script. The vpc:*Describe* action is scoped to the China (Qingdao) region as well, and the ecs:*Describe* statement lets the RAM user view ECS resources in all regions:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*VSwitch*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 3: Authorize a RAM user to manage the route tables and the relevant route entries in a specified region

    To authorize a RAM user to manage the route tables in the China (Hangzhou) region under the account 11111111, use the following script. With this authorization, the RAM user can add or delete route entries, create subnet routes, and associate route tables with VSwitches in the China (Hangzhou) region, and can view ECS, SLB, and RDS resources in all regions. The empty Condition blocks are optional and can be omitted.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "slb:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*RouteEntry*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-hangzhou:11111111:*/*"
                ],
                "Condition": {}
            }
        ]
    }
  • Example 4: Authorize a RAM user to add or delete the route entries in a specified route table

    To authorize a RAM user to add or delete the route entries in a specific route table, use the following script. Replace the route table ID in the Resource field (vtb-m5e64ujkb7xn5zlq0xxxx in the example) with the ID of your route table. The Effect value must be exactly "Allow"; a value with extra characters, such as a trailing space, does not match and the statement grants nothing:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouteEntry*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
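The following checker is an added example that is not part of the original page or Alibaba Cloud's code. It loads Example 4 above, lints the document for the kind of defect that silently grants nothing (an Effect value other than exactly "Allow" or "Deny", a Resource that is neither an acs: ARN nor "*"), and then evaluates sample requests against it with the RAM rule that an explicit Deny overrides any Allow and an unmatched request is implicitly denied. The route table ARN with account ID 1234567, the action names used in the checks, and the treatment of Condition (an empty block always matches, a non-empty one is rejected as unsupported) are assumptions made for the example; the real RAM engine is the source of truth.

```python
"""Offline checker for RAM policy documents (added example, not Alibaba Cloud code)."""
import json
import re

# Constructed sample: Example 4 from the page, as a parsed policy document.
EXAMPLE_4 = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["vpc:*RouteEntry*"],
            "Resource": ["acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"]
        },
        {"Effect": "Allow", "Action": ["vpc:*Describe*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ecs:*Describe*"], "Resource": ["*"]}
    ]
}
""")


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a policy pattern where only '*' (any run) and '?' (one char) are special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable problems; an empty list means the document is well formed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            # Catches e.g. "Allow " (trailing space): such a statement never takes effect.
            problems.append(f"statement {i}: Effect must be exactly Allow or Deny, got {effect!r}")
        for field in ("Action", "Resource"):
            if not _as_list(st.get(field, [])):
                problems.append(f"statement {i}: {field} is missing or empty")
        for res in _as_list(st.get("Resource", [])):
            if res != "*" and not res.startswith("acs:"):
                problems.append(f"statement {i}: Resource {res!r} is not an acs: ARN or '*'")
    return problems


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request: an explicit Deny wins, otherwise any Allow, otherwise denied."""
    decision = False
    for st in policy.get("Statement", []):
        if st.get("Condition"):
            # Assumption for this example: conditions are not evaluated here.
            raise NotImplementedError("Condition evaluation is out of scope for this checker")
        if not any(_wildcard_match(a, action) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            decision = True
    return decision


if __name__ == "__main__":
    # Constructed request target: the route table from Example 4 under account 1234567.
    rt = "acs:vpc:cn-qingdao:1234567:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
    print(lint_policy(EXAMPLE_4))
    print(is_allowed(EXAMPLE_4, "vpc:CreateRouteEntry", rt))
    print(is_allowed(EXAMPLE_4, "vpc:CreateRouteEntry",
                     "acs:vpc:cn-qingdao:1234567:routetable/vtb-other"))
    print(is_allowed(EXAMPLE_4, "vpc:CreateVSwitch", rt))
```

Run the lint before attaching any hand-edited policy; the trailing-space variant of "Allow" passes JSON validation but is reported here and, under is_allowed, leaves the route entry actions implicitly denied.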