Custom policies for IPv6 gateways

Updated at:
Copy as MD

When system policies in Resource Access Management (RAM) don't meet your requirements, create custom policies to enforce the principle of least privilege and achieve fine-grained permission control over IPv6 gateway resources.

What is a custom policy?

RAM policies are classified into system policies and custom policies. You own and maintain custom policies.

  • After creating a custom policy, attach it to a RAM user, a user group, or a RAM role to grant the specified permissions to that principal.

  • Delete a RAM policy only when it is not attached to any principal. If it is attached, detach it first, then delete it.

  • Custom policies support version control through RAM's version management mechanism.

Policy structure

Each custom policy is a JSON document with one or more statements. Each statement contains:

FieldDescription
EffectWhether to allow or deny the action. Set to Allow or Deny.
ActionThe API operations to allow or deny. Use wildcards (*) to match multiple operations.
ResourceThe Alibaba Cloud resources the statement applies to, specified as an ARN.

ARN format for IPv6 resources:

acs:<service>:<region>:<account-id>:<resource-type>/<resource-id>
PlaceholderDescriptionExample
<service>The Alibaba Cloud servicevpc
<region>The region ID, or * for all regionscn-qingdao, *
<account-id>Your Alibaba Cloud account ID, or *1234567
<resource-type>/<resource-id>The resource type and ID, or */* for allipv6address/*

Best practices

  • Start with the minimum permissions required and expand only as needed.

  • Use wildcards carefully — vpc:*Ipv6* grants all IPv6-related operations. Scope actions to only what the RAM user needs.

  • Review the full list of IPv6 gateway actions before writing a policy. See RAM authorization.

Examples

Example 1: Grant management permissions on all IPv6 gateways

Grant a RAM user full management permissions on all IPv6 gateways under account 1234567.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*Ipv6*"
            ],
            "Resource": [
                "acs:vpc:*:1234567:*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*Describe*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The ecs:*Describe* statement grants read-only access to ECS resources, which the IPv6 gateway console requires to display instance information.

Example 2: Grant management permissions on IPv6 resources in a VPC

Grant a RAM user permission to assign or delete IPv6 addresses and enable or disable IPv6 Internet bandwidth for a virtual private cloud (VPC) in the China (Qingdao) region.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*"
            ],
            "Resource": [
                "acs:vpc:cn-qingdao:*:ipv6address/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*"
            ],
            "Resource": [
                "acs:vpc:cn-qingdao:*:ipv6bandwidth/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*Describe*"
            ],
            "Resource": [
                "acs:ecs:cn-qingdao:*:*/*"
            ]
        }
    ]
}

This policy restricts all permissions to the cn-qingdao region. To apply it to a different region, replace cn-qingdao with the target region ID.

What's next