This topic describes how to manage permissions on PrivateLink by using Resource Access Management (RAM). In the RAM console, you can create custom permission policies and attach them to RAM users (or, preferably, to RAM user groups or RAM roles) to regulate access control for PrivateLink. Follow the principle of least privilege: grant the read-only policy wherever management operations are not required, and scope custom policies to the operations a principal actually performs.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Alibaba Cloud official website. For more information, see Create an Alibaba Cloud account.

Basic information

The following table lists the common system policies that are used to manage permissions on PrivateLink. The "FullAccess" policies grant create, modify and delete permissions and should be reserved for administrators; the "ReadOnlyAccess" policies are sufficient for auditing and monitoring.
Policy Description
AliyunPrivateLinkFullAccess Grants a RAM user the permissions to manage PrivateLink.
AliyunPrivateLinkReadOnlyAccess Grants a RAM user the read-only permissions on PrivateLink.
AliyunEndpointServiceFullAccess Grants a RAM user the permissions to manage endpoint services.
AliyunEndpointServiceReadOnlyAccess Grants a RAM user the read-only permissions on endpoint services.
AliyunEndpointFullAccess Grants a RAM user the permissions to manage endpoints.
AliyunEndpointReadOnlyAccess Grants a RAM user the read-only permissions on endpoints.
Note For more information about permissions on PrivateLink, see RAM user authorization.

Attach a custom permission policy to a RAM user

  1. Create a custom permission policy.
    For more information, see Create a custom policy and Examples.
  2. On the Policies page, click the name of the permission policy.
  3. On the References tab, click Grant Permission.
  4. In the Add Permissions pane, enter the name or ID of the user in the Principal field, and then click OK.
    Note You can also attach existing permission policies to a RAM user or RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

Examples

  • Grant a RAM user the permissions to perform all PrivateLink-related operations. Note that `"Resource": "*"` applies the grant to every endpoint and endpoint service in the account; where the API supports resource-level authorization, narrow the Resource element to the specific resources the user manages. The second statement allows the user to create only the PrivateLink service-linked role, because the `ram:ServiceName` condition restricts `ram:CreateServiceLinkedRole` to `privatelink.aliyuncs.com`; keep that condition when you adapt this example.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:CreateVpcEndpointService",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:UpdateVpcEndpointServiceAttribute",
                    "privatelink:GetVpcEndpointServiceAttribute",
                    "privatelink:AttachResourceToVpcEndpointService",
                    "privatelink:ListVpcEndpointServiceResources",
                    "privatelink:DetachResourceFromVpcEndpointService",
                    "privatelink:DeleteVpcEndpointService",
                    "privatelink:ListVpcEndpointConnections",
                    "privatelink:UpdateVpcEndpointConnectionAttribute",
                    "privatelink:EnableVpcEndpointConnection",
                    "privatelink:DisableVpcEndpointConnection",
                    "privatelink:AddUserToVpcEndpointService",
                    "privatelink:RemoveUserFromVpcEndpointService",
                    "privatelink:ListVpcEndpointServiceUsers",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:AttachSecurityGroupToVpcEndpoint", 
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:DeleteVpcEndpoint",
                    "vpc:DescribeVpcs",
                    "ecs:DescribeSecurityGroups",
                    "vpc:DescribeVSwitches",
                    "slb:DescribeLoadBalancers"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:*:role/*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                },
                "Effect": "Allow"
            }
        ]
    }
  • Grant a RAM user the read-only permissions on PrivateLink. Besides the PrivateLink List and Get operations, this policy also allows listing VPCs, security groups, vSwitches and SLB instances across the account (`vpc:DescribeVpcs`, `ecs:DescribeSecurityGroups`, `vpc:DescribeVSwitches`, `slb:DescribeLoadBalancers`); these are needed for the console to display related resources but do expose network inventory to the user.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:ListVpcEndpointServiceUsers",
            "privatelink:ListVpcEndpoints",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointZones",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Grant a RAM user the permissions to perform all endpoint service-related operations. Treat this policy as sensitive: `privatelink:AddUserToVpcEndpointService` and `privatelink:EnableVpcEndpointConnection` let the user add other Alibaba Cloud accounts to the endpoint service whitelist and accept their endpoint connections, which means the user can expose the service to accounts outside your own. Grant it only to the team that owns the endpoint service.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:CreateVpcEndpointService",
            "privatelink:ListVpcEndpointServices",
            "privatelink:UpdateVpcEndpointServiceAttribute",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:AttachResourceToVpcEndpointService",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:DetachResourceFromVpcEndpointService",
            "privatelink:DeleteVpcEndpointService",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:UpdateVpcEndpointConnectionAttribute",
            "privatelink:EnableVpcEndpointConnection",
            "privatelink:DisableVpcEndpointConnection",
            "privatelink:AddUserToVpcEndpointService",
            "privatelink:RemoveUserFromVpcEndpointService",
            "privatelink:ListVpcEndpointServiceUsers",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Grant a RAM user the read-only permissions on all endpoint services.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:ListVpcEndpointServiceUsers",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Grant a RAM user the permissions to perform all endpoint-related operations. This policy includes `privatelink:AttachSecurityGroupToVpcEndpoint` and `privatelink:DetachSecurityGroupFromVpcEndpoint`, so the user can change which security groups control traffic to the endpoint; review changes to these associations as you would any other network access control change. The second statement is the same conditioned `ram:CreateServiceLinkedRole` grant as in the first example.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:UpdateVpcEndpointAttribute",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:AttachSecurityGroupToVpcEndpoint", 
            "privatelink:DetachSecurityGroupFromVpcEndpoint",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:DeleteVpcEndpoint",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:*:role/*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                },
                "Effect": "Allow"
            }
      ]
    }
  • Grant a RAM user the read-only permissions on all endpoints.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:ListVpcEndpoints",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointZones",
            "privatelink:ListVpcEndpointSecurityGroups",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }