This topic describes how to manage Virtual Private Cloud (VPC) permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to the RAM user.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
  • You have a basic knowledge of the following system policies that are used in the RAM console to manage VPC permissions:
    • AliyunVPCFullAccess: grants all permissions on VPCs to a RAM user.
    • AliyunVPCReadOnlyAccess: grants the read-only permissions on VPCs to a RAM user.
  • You have a basic knowledge of VPC permissions. For more information, see RAM authentication.

Attach a custom policy to a RAM user

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a custom policy.
  3. On the Policies page, click the name of the policy.
  4. On the page that appears, click the References tab. On this tab, click Grant Permission.
  5. In the Add Permissions pane, enter the logon name or display name of the RAM user in the Principal field, and select the RAM user from the auto-complete results.
  6. Click OK.
  7. Click Complete.
    Note: You can also attach existing policies to a RAM user or RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

Examples of VPC permission policies

  • Example 1: Authorize a RAM user to manage all VPCs.

    To authorize a RAM user to manage all of the VPCs that belong to the Alibaba Cloud account 1234567, use the following policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*"
                ],
                "Resource": [
                    "acs:vpc:*:1234567:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Authorize a RAM user to manage VSwitches.

    To authorize a RAM user to manage the VSwitches of the VPCs in the China (Qingdao) region, use the following policy. After the policy is attached to the RAM user, the RAM user can create, delete, associate, or disassociate subnet routes for the VSwitches of the VPCs in the China (Qingdao) region. The RAM user can also view the VSwitches in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*VSwitch*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 3: Authorize a RAM user to manage the route tables and route entries in a specified region.

    To authorize a RAM user to manage only the route tables and route entries of the VPCs in the China (Hangzhou) region, use the following policy. After the policy is attached to the RAM user, the RAM user can add or delete route entries, create subnet routes, and associate subnet routes with VSwitches in the China (Hangzhou) region. The RAM user can also view the cloud products in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "slb:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*RouteEntry*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-hangzhou:11111111:*/*"
                ],
                "Condition": {}
            }
        ]
    }
  • Example 4: Authorize a RAM user to add or delete route entries in a specified route table.

    To authorize a RAM user to add or delete route entries in a specified route table, use the following policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouteEntry*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
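Before attaching one of the policies above, it helps to check what a given action/resource pair would resolve to. The following is an added example, not code from the Alibaba Cloud documentation: a simplified RAM policy evaluator (explicit Deny wins, otherwise an Allow must match, default deny) loaded with Example 2 from this page. It is an assumption of this example that wildcard matching with fnmatch and ignoring the Condition element is sufficient for a pre-check; the RAM service remains the authoritative decision point.

```python
import fnmatch
import json

# Constructed sample: Example 2 from this page (manage VSwitches in cn-qingdao).
EXAMPLE_2 = json.loads("""{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*"],
         "Resource": ["acs:vpc:cn-qingdao:*:*/*"]},
        {"Effect": "Allow", "Action": ["ecs:*Describe*"], "Resource": ["*"]}
    ]
}""")


def _as_list(value):
    # RAM accepts "Action" and "Resource" as a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: an explicit Deny wins over any Allow, and a
    request that no Allow statement matches is denied by default.
    Assumption of this example: "Condition" blocks are not evaluated."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat)
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def privilege_report(policy, checks):
    """Map each (action, resource) pair to its verdict so the reach of a policy
    can be reviewed before it is attached to a RAM user."""
    return {(a, r): is_allowed(policy, a, r) for a, r in checks}


if __name__ == "__main__":
    checks = [  # constructed action/resource pairs
        ("vpc:CreateVSwitch", "acs:vpc:cn-qingdao:1234567:vswitch/vsw-1"),
        ("vpc:CreateVSwitch", "acs:vpc:cn-hangzhou:1234567:vswitch/vsw-2"),
        ("vpc:DeleteVpc", "acs:vpc:cn-qingdao:1234567:vpc/vpc-1"),
        ("ecs:DescribeInstances", "acs:ecs:cn-hangzhou:1234567:instance/i-1"),
    ]
    for (a, r), ok in privilege_report(EXAMPLE_2, checks).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {a} on {r}")
```

The third check shows why Example 2 is narrower than AliyunVPCFullAccess: deleting a VPC is not covered by any of the three action patterns, so it falls through to the default deny.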