All Products
Search

This Product

    Cloud Control API:Custom policies for Cloud Control API

    Document Center

    Cloud Control API:Custom policies for Cloud Control API

    Last Updated:Mar 13, 2025

    If system policies cannot meet your business requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission control and improve the security of your resources. This topic describes the scenarios in which custom policies for Cloud Control API are used. This topic also provides sample custom policies.

    What is a custom policy?

    Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the version updates of custom policies.

    • After you create a custom policy, you must attach the custom policy to the following RAM principal: RAM user, user group, or role. This way, the permissions specified in the policy can be granted to the principal.

    • You can delete a custom policy that is not attached to a principal. If a custom policy is attached to a principal, you must detach the custom policy from the principal before you delete the custom policy.

    • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

    References

    Common scenarios and examples of custom policies

    • Sample code 1: List created VPCs by using Cloud Control API.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudcontrol:List*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "vpc:DescribeVpcs",
      "Resource": "*"
    }
  ]
}

    • Sample code 2: Create a VPC by using Cloud Control API.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "vpc:CreateVpc",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudcontrol:*",
      "Resource": "*"
    }
  ]
}

    • Sample code 3: Manage VPC lifecycle by using Cloud Control API.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "vpc:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudcontrol:*",
      "Resource": "*"
    }
  ]
}

    RAM authorization

    To use a custom policy, you must understand the permission control requirements of your business and understand the authorization information of Cloud Control API. For more information, see RAM user management.