This topic describes how to manage Virtual Private Cloud (VPC) permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to the RAM user.
Prerequisites
- An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
- You have a basic knowledge of the following system policies that are used in the RAM console to manage VPC permissions:
- AliyunVPCFullAccess: grants all permissions on VPCs to a RAM user.
- AliyunVPCReadOnlyAccess: grants the read-only permissions on VPCs to a RAM user.
- You have a basic knowledge of VPC permissions. For more information, see RAM authentication.
Attach a custom policy to a RAM user
Examples of VPC permission policies
- Example 1: Authorize a RAM user to manage all VPCs.
To authorize a RAM user to manage all of the VPCs that belong to the Alibaba Cloud account 1234567, use the following policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*"
      ],
      "Resource": [
        "acs:vpc:*:1234567:*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
- Example 2: Authorize a RAM user to manage VSwitches.
To authorize a RAM user to manage the VSwitches of the VPCs in the China (Qingdao) region, use the following policy. After the policy is attached to the RAM user, the RAM user can create, delete, associate, or disassociate subnet routes for the VSwitches of the VPCs in the China (Qingdao) region. The RAM user can also view the VSwitches in other regions.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*",
        "vpc:*VSwitch*",
        "vpc:*RouteTable*"
      ],
      "Resource": [
        "acs:vpc:cn-qingdao:*:*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
- Example 3: Authorize a RAM user to manage the route tables and route entries in a specified region.
To authorize a RAM user to manage only the VPCs in the China (Hangzhou) region, use the following policy. After the policy is attached to the RAM user, the RAM user can add or delete route entries, create subnet routes, and associate subnet routes with VSwitches in the China (Hangzhou) region. The RAM user can also view the cloud products in other regions.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "slb:*Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:*Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*",
        "vpc:*RouteEntry*",
        "vpc:*RouteTable*"
      ],
      "Resource": [
        "acs:vpc:cn-hangzhou:11111111:*/*"
      ],
      "Condition": {}
    }
  ]
}
- Example 4: Authorize a RAM user to add or delete route entries in a specified route table.
To authorize a RAM user to add or delete route entries in a specified route table, use the following policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*RouteEntry*"
      ],
      "Resource": [
        "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
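The four policies above differ only in how narrowly their Action and Resource patterns are scoped, so the useful thing to see is how a given API call either falls inside or outside each pattern. The following Python script is an added example, not code from Alibaba Cloud or from this page: it embeds the policies from Example 1, Example 2 and Example 4, evaluates an (action, resource) pair against them with a simplified model of RAM semantics, and flags statements that grant write actions service-wide or on every resource. The model assumes that "*" is the only wildcard, that an explicit Deny overrides any Allow, that matching is case-sensitive, and it ignores Condition blocks; the account IDs and resource IDs used in the checks are constructed sample values.

```python
"""Toy evaluator for the RAM policy documents shown above (added example).

Assumptions not taken from the page: '*' is the only wildcard and may span
':' and '/' in a resource string, explicit Deny overrides Allow, matching is
case-sensitive, and Condition blocks are ignored.
"""
import json
import re

# Policies copied from Example 1, Example 2 and Example 4 on the page.
EXAMPLE_1 = json.loads('{"Version":"1","Statement":['
    '{"Effect":"Allow","Action":["vpc:*"],"Resource":["acs:vpc:*:1234567:*/*"]},'
    '{"Effect":"Allow","Action":["ecs:*Describe*"],"Resource":["*"]}]}')
EXAMPLE_2 = json.loads('{"Version":"1","Statement":['
    '{"Effect":"Allow","Action":["vpc:*Describe*","vpc:*VSwitch*","vpc:*RouteTable*"],'
    '"Resource":["acs:vpc:cn-qingdao:*:*/*"]},'
    '{"Effect":"Allow","Action":["ecs:*Describe*"],"Resource":["*"]}]}')
EXAMPLE_4 = json.loads('{"Version":"1","Statement":['
    '{"Effect":"Allow","Action":["vpc:*RouteEntry*"],'
    '"Resource":["acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"]},'
    '{"Effect":"Allow","Action":["vpc:*Describe*"],"Resource":["*"]},'
    '{"Effect":"Allow","Action":["ecs:*Describe*"],"Resource":["*"]}]}')


def glob_match(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern in which only '*' is special (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    # RAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Deny by default; an explicit Deny wins over any Allow (simplified model)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(glob_match(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(glob_match(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Heuristic (assumption): action patterns naming Describe/List/Get are read-only.
READ_ONLY = re.compile(r"Describe|List|Get")


def broad_write_statements(policy: dict) -> list:
    """Indexes of Allow statements that grant non-read actions either on every
    resource ('*') or for a whole service ('svc:*'); these are the statements a
    least-privilege review should look at first."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        writes = [a for a in _as_list(stmt["Action"]) if not READ_ONLY.search(a)]
        any_resource = "*" in _as_list(stmt["Resource"])
        service_wide = any(a.endswith(":*") for a in writes)
        if writes and (any_resource or service_wide):
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Constructed sample calls: account 1234567 is the one named in Example 1.
    rt = "acs:vpc:cn-qingdao:1234567:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
    print("Example 4, CreateRouteEntry on the named table:",
          is_allowed(EXAMPLE_4, "vpc:CreateRouteEntry", rt))
    print("Example 4, same action on another table:",
          is_allowed(EXAMPLE_4, "vpc:CreateRouteEntry", rt.replace("xxxx", "yyyy")))
    print("Example 2, DeleteVSwitch in cn-hangzhou:",
          is_allowed(EXAMPLE_2, "vpc:DeleteVSwitch",
                     "acs:vpc:cn-hangzhou:1234567:vswitch/vsw-sample"))
    print("Example 1 statements to review:", broad_write_statements(EXAMPLE_1))
```

Two points the run makes visible: "vpc:*VSwitch*" in Example 2 covers create and delete calls on VSwitches but not "vpc:DeleteVpc", and the specific route-table ARN in Example 4 is what stops the same action on any other table. The read-only heuristic is deliberately coarse; treat its output as a review list, not a verdict.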