Custom policies for IPv6 gateways
When system policies in Resource Access Management (RAM) don't meet your requirements, create custom policies to enforce the principle of least privilege and achieve fine-grained permission control over IPv6 gateway resources.
What is a custom policy?
RAM policies are classified into system policies and custom policies. You own and maintain custom policies.
After creating a custom policy, attach it to a RAM user, a user group, or a RAM role to grant the specified permissions to that principal.
Delete a RAM policy only when it is not attached to any principal. If it is attached, detach it first, then delete it.
Custom policies support version control through RAM's version management mechanism.
Policy structure
Each custom policy is a JSON document with one or more statements. Each statement contains:
| Field | Description |
|---|---|
Effect | Whether to allow or deny the action. Set to Allow or Deny. |
Action | The API operations to allow or deny. Use wildcards (*) to match multiple operations. |
Resource | The Alibaba Cloud resources the statement applies to, specified as an ARN. |
ARN format for IPv6 resources:
acs:<service>:<region>:<account-id>:<resource-type>/<resource-id>| Placeholder | Description | Example |
|---|---|---|
<service> | The Alibaba Cloud service | vpc |
<region> | The region ID, or * for all regions | cn-qingdao, * |
<account-id> | Your Alibaba Cloud account ID, or * | 1234567 |
<resource-type>/<resource-id> | The resource type and ID, or */* for all | ipv6address/* |
Best practices
Start with the minimum permissions required and expand only as needed.
Use wildcards carefully —
vpc:*Ipv6*grants all IPv6-related operations. Scope actions to only what the RAM user needs.Review the full list of IPv6 gateway actions before writing a policy. See RAM authorization.
Examples
Example 1: Grant management permissions on all IPv6 gateways
Grant a RAM user full management permissions on all IPv6 gateways under account 1234567.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"vpc:*Ipv6*"
],
"Resource": [
"acs:vpc:*:1234567:*/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:*Describe*"
],
"Resource": [
"*"
]
}
]
}The ecs:*Describe* statement grants read-only access to ECS resources, which the IPv6 gateway console requires to display instance information.
Example 2: Grant management permissions on IPv6 resources in a VPC
Grant a RAM user permission to assign or delete IPv6 addresses and enable or disable IPv6 Internet bandwidth for a virtual private cloud (VPC) in the China (Qingdao) region.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"vpc:*"
],
"Resource": [
"acs:vpc:cn-qingdao:*:ipv6address/*"
]
},
{
"Effect": "Allow",
"Action": [
"vpc:*"
],
"Resource": [
"acs:vpc:cn-qingdao:*:ipv6bandwidth/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:*Describe*"
],
"Resource": [
"acs:ecs:cn-qingdao:*:*/*"
]
}
]
}This policy restricts all permissions to the cn-qingdao region. To apply it to a different region, replace cn-qingdao with the target region ID.