This topic describes how to manage Virtual Private Cloud (VPC) permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to the RAM user.

Prerequisites

An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, visit the account registration page.

Common system policies

The following table describes some common system policies that can be used in the RAM console to manage VPC permissions.
Policy                    Description
AliyunVPCFullAccess       Grants a RAM user the permissions to manage VPCs.
AliyunVPCReadOnlyAccess   Grants a RAM user the read-only permission on VPCs.
Note For more information about VPC permissions, see RAM authentication.

Attach a custom policy to a RAM user

  1. Create a custom policy based on the "VPC authorization examples" section in this topic.
    For more information, see Create a custom policy and VPC authorization examples.
  2. On the Policies page, click the name of the policy.
  3. On the References tab, click Grant Permission.
  4. In the dialog box that appears, enter the name or ID of the RAM user in the Principal field. Then, select the RAM user from the auto-complete results.
  5. Click OK.
  6. Click Finished.
    Note You can also attach the existing policies to a RAM user or RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

VPC authorization examples

  • Example 1: Authorize a RAM user to manage the VPCs in an Alibaba Cloud account.

    To authorize a RAM user to manage all VPCs in the Alibaba Cloud account 1234567, use the following sample script:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*"
                ],
                "Resource": [
                    "acs:vpc:*:1234567:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Authorize a RAM user to manage the VSwitches in a VPC.

    To authorize a RAM user to manage the VSwitches of the VPCs in the China (Qingdao) region, use the following sample script. After being authorized, the RAM user can create, delete, associate, or disassociate subnet routes of the VSwitches in the VPC, and view the VSwitches in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*VSwitch*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 3: Authorize a RAM user to manage the route tables and the relevant route entries in a specified region.

    To authorize the RAM user 11111111 to manage the VPCs in the China (Hangzhou) region, use the following sample script. After being authorized, the RAM user can add or delete route entries, create subnet routes, associate VSwitches in this region, and view the cloud products in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "slb:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*RouteEntry*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-hangzhou:11111111:*/*"
                ],
                "Condition": {}
            }
        ]
    }
  • Example 4: Authorize a RAM user to add or delete the route entries in a specified route table.

    To authorize a RAM user to add or delete the route entries in a specified route table, use the following sample script:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouteEntry*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
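    A policy document only enforces least privilege if its Action and Resource patterns grant exactly what was intended, so it is worth checking a draft policy offline before attaching it. The script below is an added example, not part of this documentation and not the RAM service's own evaluation engine: a small evaluator that applies a policy document to a requested action and resource using the RAM evaluation rules (an explicit Deny overrides any Allow; with no matching statement the request is denied). It ignores "Condition" blocks and treats "*" as the only wildcard, which is all the examples on this page use. The policy is a constructed copy of Example 4; the request ARNs (account 1234567, route table vtb-other, VSwitch vsw-xxxx) and the second policy with an explicit Deny are constructed for illustration and go beyond the page's examples.

```python
"""Minimal offline evaluator for RAM-style policy documents (added example).

Simplifying assumptions, labelled here and in the lead-in:
  * Only the '*' wildcard is supported in Action and Resource patterns;
    matching is case-insensitive.
  * "Condition" blocks are ignored.
  * Evaluation follows the RAM model: explicit "Deny" wins over "Allow";
    if no statement matches, the request is denied.
"""
import json
import re

# Constructed copy of the page's Example 4 (route entries in one route table).
EXAMPLE_4_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vpc:*RouteEntry*"],
         "Resource": ["acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"]},
        {"Effect": "Allow", "Action": ["vpc:*Describe*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ecs:*Describe*"], "Resource": ["*"]}
    ]
}
""")

# Constructed policy (not from the page): broad Allow narrowed by an explicit Deny.
DENY_EXAMPLE_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vpc:*"], "Resource": ["acs:vpc:*:1234567:*/*"]},
        {"Effect": "Deny",  "Action": ["vpc:DeleteVpc"], "Resource": ["*"]}
    ]
}
""")


def _matches(pattern, value):
    """True if `value` matches `pattern`, where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _as_list(value):
    """RAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Decide whether `policy` permits `action` on `resource` (Conditions ignored)."""
    allowed = False  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def audit(policy, requests):
    """Evaluate a batch of (action, resource) pairs; returns {(action, resource): bool}."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    # Constructed requests: what a reviewer would expect Example 4 to allow and refuse.
    checks = [
        ("vpc:CreateRouteEntry", "acs:vpc:cn-qingdao:1234567:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"),
        ("vpc:DeleteRouteEntry", "acs:vpc:cn-qingdao:1234567:routetable/vtb-other"),
        ("vpc:DescribeRouteTables", "acs:vpc:cn-hangzhou:1234567:routetable/vtb-other"),
        ("vpc:CreateVSwitch", "acs:vpc:cn-qingdao:1234567:vswitch/vsw-xxxx"),
    ]
    for (action, resource), verdict in audit(EXAMPLE_4_POLICY, checks).items():
        print(f"{'ALLOW' if verdict else 'deny '}  {action}  {resource}")
```

    Run it against a draft policy before attaching the policy in the RAM console: every request that prints ALLOW but was not on the intended list is a scope error, and a write action that should be blocked regardless of other grants is best expressed as an explicit Deny statement, as in the second policy.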