This topic describes how to manage permissions on PrivateLink by using Resource Access Management (RAM). In the RAM console, you can create and attach custom policies to a RAM user.

Prerequisites

An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one. For more information, see Create an Alibaba Cloud account.

Basic information

Before you manage permissions on PrivateLink, we recommend that you learn about the following commonly used system policies. Follow the principle of least privilege: attach a read-only policy, or one scoped to endpoints or endpoint services only, unless the RAM user actually needs to create, modify, or delete PrivateLink resources.
Policy Description
AliyunPrivateLinkFullAccess Grants a RAM user the permissions to manage PrivateLink.
AliyunPrivateLinkReadOnlyAccess Grants a RAM user the read-only permissions on PrivateLink.
AliyunPrivatelinkEndpointServiceFullAccess Grants a RAM user the permissions to manage endpoint services.
AliyunPrivatelinkEndpointServiceReadOnlyAccess Grants a RAM user the read-only permissions on endpoint services.
AliyunPrivatelinkEndpointFullAccess Grants a RAM user the permissions to manage endpoints.
AliyunPrivatelinkEndpointReadOnlyAccess Grants a RAM user the read-only permissions on endpoints.
Note For more information about permissions on PrivateLink, see RAM user authorization.

Attach a custom policy to a RAM user

  1. Create a custom policy.
    For more information, see Create a custom policy and Examples.
  2. On the Policies page of the RAM console, click the name of the policy that you want to manage.
  3. Click the References tab and click Grant Permission.
  4. In the Add Permissions panel, enter the name or ID of the user in the Principal field, and then click OK.
    Note You can also attach existing policies to a RAM user or a RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

Examples

  • Grant a RAM user the permissions to manage PrivateLink. The first statement allows all of the listed actions on all resources ("Resource": "*"), so narrow the Resource element to specific resource ARNs where your use case allows. The second statement additionally allows ram:CreateServiceLinkedRole, but only when the ram:ServiceName condition key equals privatelink.aliyuncs.com, so the user can create the PrivateLink service-linked role and no other role.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:CreateVpcEndpointService",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:UpdateVpcEndpointServiceAttribute",
                    "privatelink:GetVpcEndpointServiceAttribute",
                    "privatelink:AttachResourceToVpcEndpointService",
                    "privatelink:ListVpcEndpointServiceResources",
                    "privatelink:DetachResourceFromVpcEndpointService",
                    "privatelink:DeleteVpcEndpointService",
                    "privatelink:ListVpcEndpointConnections",
                    "privatelink:UpdateVpcEndpointConnectionAttribute",
                    "privatelink:EnableVpcEndpointConnection",
                    "privatelink:DisableVpcEndpointConnection",
                    "privatelink:AddUserToVpcEndpointService",
                    "privatelink:RemoveUserFromVpcEndpointService",
                    "privatelink:ListVpcEndpointServiceUsers",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:AttachSecurityGroupToVpcEndpoint", 
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:DeleteVpcEndpoint",
                    "vpc:DescribeVpcs",
                    "ecs:DescribeSecurityGroups",
                    "vpc:DescribeVSwitches",
                    "slb:DescribeLoadBalancers"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:*:role/*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                },
                "Effect": "Allow"
            }
        ]
    }
  • Grant a RAM user the read-only permissions on PrivateLink.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:ListVpcEndpointServiceUsers",
            "privatelink:ListVpcEndpoints",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointZones",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Grant a RAM user the permissions to manage all endpoint services.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:CreateVpcEndpointService",
            "privatelink:ListVpcEndpointServices",
            "privatelink:UpdateVpcEndpointServiceAttribute",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:AttachResourceToVpcEndpointService",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:DetachResourceFromVpcEndpointService",
            "privatelink:DeleteVpcEndpointService",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:UpdateVpcEndpointConnectionAttribute",
            "privatelink:EnableVpcEndpointConnection",
            "privatelink:DisableVpcEndpointConnection",
            "privatelink:AddUserToVpcEndpointService",
            "privatelink:RemoveUserFromVpcEndpointService",
            "privatelink:ListVpcEndpointServiceUsers",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Grant a RAM user the read-only permissions on all endpoint services.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:ListVpcEndpointServiceUsers",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Grant a RAM user the permissions to manage all endpoints. As in the full-access example, the endpoint actions apply to all resources ("Resource": "*"), and ram:CreateServiceLinkedRole is restricted by the ram:ServiceName condition to the PrivateLink service-linked role. Restrict the Resource element to specific endpoints where possible.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServicesByEndUser",
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:UpdateVpcEndpointAttribute",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:AttachSecurityGroupToVpcEndpoint", 
            "privatelink:DetachSecurityGroupFromVpcEndpoint",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:DeleteVpcEndpoint",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:*:role/*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                },
                "Effect": "Allow"
            }
      ]
    }
  • Grant a RAM user the read-only permissions on all endpoints.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServicesByEndUser",
            "privatelink:ListVpcEndpoints",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointZones",
            "privatelink:ListVpcEndpointSecurityGroups",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }