This topic describes how to manage permissions on PrivateLink by using Resource Access Management (RAM). In the RAM console, you can create and attach custom policies to a RAM user.
Prerequisites
Basic information
Before you manage permissions on PrivateLink, we recommend that you learn about the following commonly used policies.
| Policy | Description |
|---|---|
| AliyunPrivateLinkFullAccess | Grants a RAM user the permissions to manage PrivateLink. |
| AliyunPrivateLinkReadOnlyAccess | Grants a RAM user the read-only permissions on PrivateLink. |
| AliyunPrivatelinkEndpointServiceFullAccess | Grants a RAM user the permissions to manage endpoint services. |
| AliyunPrivatelinkEndpointServiceReadOnlyAccess | Grants a RAM user the read-only permissions on endpoint services. |
| AliyunPrivatelinkEndpointFullAccess | Grants a RAM user the permissions to manage endpoints. |
| AliyunPrivatelinkEndpointReadOnlyAccess | Grants a RAM user the read-only permissions on endpoints. |
Note: For more information about permissions on PrivateLink, see RAM user authorization.
Attach a custom policy to a RAM user
Examples
- Grant a RAM user the permissions to manage PrivateLink.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CreateVpcEndpointService",
        "privatelink:ListVpcEndpointServices",
        "privatelink:UpdateVpcEndpointServiceAttribute",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:AttachResourceToVpcEndpointService",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:DetachResourceFromVpcEndpointService",
        "privatelink:DeleteVpcEndpointService",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:UpdateVpcEndpointConnectionAttribute",
        "privatelink:EnableVpcEndpointConnection",
        "privatelink:DisableVpcEndpointConnection",
        "privatelink:AddUserToVpcEndpointService",
        "privatelink:RemoveUserFromVpcEndpointService",
        "privatelink:ListVpcEndpointServiceUsers",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:*:role/*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      },
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user the read-only permissions on PrivateLink.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServices",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:ListVpcEndpointServiceUsers",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointZones",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user the permissions to manage all endpoint services.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CreateVpcEndpointService",
        "privatelink:ListVpcEndpointServices",
        "privatelink:UpdateVpcEndpointServiceAttribute",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:AttachResourceToVpcEndpointService",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:DetachResourceFromVpcEndpointService",
        "privatelink:DeleteVpcEndpointService",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:UpdateVpcEndpointConnectionAttribute",
        "privatelink:EnableVpcEndpointConnection",
        "privatelink:DisableVpcEndpointConnection",
        "privatelink:AddUserToVpcEndpointService",
        "privatelink:RemoveUserFromVpcEndpointService",
        "privatelink:ListVpcEndpointServiceUsers",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user the read-only permissions on all endpoint services.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServices",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:ListVpcEndpointServiceUsers",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user the permissions to manage all endpoints.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:*:role/*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      },
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user the read-only permissions on all endpoints.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointZones",
        "privatelink:ListVpcEndpointSecurityGroups",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
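The policies above come in full-access and read-only pairs, and the full-access ones scope `ram:CreateServiceLinkedRole` to `privatelink.aliyuncs.com` with a `Condition`. As an added example (not part of this documentation or of any Alibaba Cloud tooling), the Python below reviews a custom policy before it is attached: it flags wildcard actions and a service-linked-role grant that lacks that condition, and derives the read-only counterpart of a full-access policy by keeping only read actions. It assumes, from the action names on this page, that operations starting with List/Get/Describe are reads; the sample input is the page's endpoint-service policy plus a constructed second statement that deliberately omits the condition.

```python
import json
from copy import deepcopy

# Sample input: the page's "manage all endpoint services" policy plus a CONSTRUCTED second
# statement that grants ram:CreateServiceLinkedRole without the ram:ServiceName condition.
ENDPOINT_SERVICE_FULL = json.loads("""
{"Version": "1", "Statement": [
 {"Effect": "Allow", "Resource": "*", "Action": [
  "privatelink:CreateVpcEndpointService", "privatelink:ListVpcEndpointServices",
  "privatelink:UpdateVpcEndpointServiceAttribute", "privatelink:GetVpcEndpointServiceAttribute",
  "privatelink:AttachResourceToVpcEndpointService", "privatelink:ListVpcEndpointServiceResources",
  "privatelink:DetachResourceFromVpcEndpointService", "privatelink:DeleteVpcEndpointService",
  "privatelink:ListVpcEndpointConnections", "privatelink:UpdateVpcEndpointConnectionAttribute",
  "privatelink:EnableVpcEndpointConnection", "privatelink:DisableVpcEndpointConnection",
  "privatelink:AddUserToVpcEndpointService", "privatelink:RemoveUserFromVpcEndpointService",
  "privatelink:ListVpcEndpointServiceUsers", "slb:DescribeLoadBalancers"]},
 {"Effect": "Allow", "Resource": "acs:ram:*:*:role/*", "Action": ["ram:CreateServiceLinkedRole"]}]}
""")

READ_VERBS = ("List", "Get", "Describe")  # assumption from this page's action names: these are reads

def is_read_action(action):
    """True for read-only actions such as privatelink:ListVpcEndpoints or vpc:DescribeVpcs."""
    _, _, name = action.partition(":")
    return name.startswith(READ_VERBS)

def audit_policy(policy):
    """Return the findings a reviewer should raise before attaching the policy to a RAM user."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        if "ram:CreateServiceLinkedRole" in actions:
            svc = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if svc != "privatelink.aliyuncs.com":
                findings.append(f"statement {idx}: CreateServiceLinkedRole not limited to privatelink.aliyuncs.com")
    return findings

def to_read_only(policy):
    """Derive the read-only counterpart of an Allow-only policy by keeping just the read actions."""
    out = deepcopy(policy)
    for stmt in out["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        stmt["Action"] = [a for a in actions if is_read_action(a)]
    out["Statement"] = [s for s in out["Statement"] if s["Action"]]  # drop statements left empty
    return out
```

Running `to_read_only` on the page's endpoint-service full-access policy yields exactly the six actions of the page's read-only endpoint-service policy.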