
PrivateLink: Endpoint policies

Last Updated: Dec 18, 2025

Configure an endpoint policy for an interface endpoint to control the actions that users can perform on resources in Alibaba Cloud services.


How it works

You can attach an endpoint policy to an interface endpoint to control access to an Alibaba Cloud service. An endpoint policy uses JSON format that follows the basic elements and syntax of a Resource Access Management (RAM) policy.

  • All Alibaba Cloud services accessible through interface endpoints support the default endpoint policy, which grants full access through the interface endpoint.

  • Only Object Storage Service (OSS) and PAI - AI WorkSpace support custom endpoint policies.

  • When you create an endpoint to access a non-Alibaba Cloud service, such as a partner or a user-created service, you cannot configure a custom endpoint policy. By default, the endpoint allows all access.

Gateway endpoints are a special type of endpoint. They do not depend on PrivateLink, support access to only a limited number of Alibaba Cloud services, and support custom endpoint policies.

Policy types

There are two types of endpoint policies:

  • Default: Allows any user or service in the VPC to use their account credentials to access any resource in the associated service.

    {
        // Effect: Defines the policy effect.
        "Effect": "Allow",
        // Principal: Defines the principal that is granted permissions by the policy. This specifies who can use the endpoint. The wildcard character (*) represents all identities.
        "Principal": "*",
        // Action: Defines the allowed or denied operations.
        "Action": "*",
        // Resource: Defines the resources on which the operations are performed.
        "Resource": "*"
    }
  • Custom: Allows users to configure fine-grained access control policies to restrict which actions users can perform on resources.

Policy override rules

Endpoint policies do not replace or override identity-based policies or resource-based policies, such as bucket policies for OSS. The combined result of all applicable policies determines the final access permissions. For more information, see How access policies are evaluated.

Configure an endpoint policy

Console

  • Go to the Endpoints - Create Endpoint page. When you create an interface endpoint, configure the Endpoint Policy.

  • After the endpoint is created, go to its details page. On the Endpoint Policy tab, click Edit.

API

Examples

Deny an action

This endpoint policy allows all users to perform all OSS operations except oss:PutObject (upload a file).

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:*"
            ],
            "Resource": [
                "acs:oss:*:*:*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:PutObject"
            ],
            "Resource": [
                "acs:oss:*:*:*"
            ]
        }
    ]
}

Specify allowed resources and actions

This endpoint policy allows only download (oss:GetObject) and upload (oss:PutObject) operations on the policy-test.txt object in the OSS bucket named pvl-policy-test, plus list operations (oss:List*) on that bucket, which the Condition limits to objects whose prefix matches policy-test.txt*.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Resource": [
        "acs:oss:*:*:pvl-policy-test/policy-test.txt"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*"
      ],
      "Resource": [
        "acs:oss:*:*:pvl-policy-test"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": "policy-test.txt*"
        }
      }
    }
  ]
}

Allow access only to a specific RAM user

This endpoint policy allows only the RAM user pvl-policy-allow under the Alibaba Cloud account with the ID 14199926XXXXXXXX to access the service through the endpoint. The policy also explicitly denies access requests from the RAM user pvl-policy-deny, which belongs to the same Alibaba Cloud account.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Principal": {
        "RAM": [
          "acs:ram::14199926XXXXXXXX:user/pvl-policy-allow"
        ]
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Principal": {
        "RAM": [
          "acs:ram::14199926XXXXXXXX:user/pvl-policy-deny"
        ]
      }
    }
  ]
}
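To see how the Effect, Action, Resource, Principal and Condition elements of the policies above combine for a single request, here is a small evaluator added as an illustration; it is not part of the PrivateLink documentation or any Alibaba Cloud SDK. It models one endpoint policy in isolation (not its combination with identity-based or bucket policies), assumes the standard RAM rule that an explicit Deny takes precedence over any Allow, and only models the StringLike condition operator used on this page.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # RAM-style wildcard: '*' matches any run of characters (case-sensitive)
    return fnmatch.fnmatchcase(value, pattern)

def _principal_ok(stmt, principal):
    # A statement without Principal, or with "*", applies to every caller
    p = stmt.get("Principal", "*")
    if p == "*":
        return True
    return any(_match(pat, principal) for pat in _as_list(p.get("RAM", [])))

def _condition_ok(stmt, ctx):
    # Only StringLike is modelled here (assumption); unknown operators never match
    for op, kv in stmt.get("Condition", {}).items():
        if op != "StringLike":
            return False
        for key, pats in kv.items():
            if key not in ctx or not any(_match(p, ctx[key]) for p in _as_list(pats)):
                return False
    return True

def evaluate(policy, principal, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'. An explicit Deny wins over any Allow."""
    ctx, decision = ctx or {}, "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (any(_match(a, action) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))
                and _principal_ok(stmt, principal) and _condition_ok(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# The page's "Deny an action" and "specific RAM user" policies, transcribed
DENY_PUT = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:*"]},
    {"Effect": "Deny", "Action": ["oss:PutObject"], "Resource": ["acs:oss:*:*:*"]}]}
ONLY_USER = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"],
     "Principal": {"RAM": ["acs:ram::14199926XXXXXXXX:user/pvl-policy-allow"]}},
    {"Effect": "Deny", "Action": ["*"], "Resource": ["*"],
     "Principal": {"RAM": ["acs:ram::14199926XXXXXXXX:user/pvl-policy-deny"]}}]}
```

Calling evaluate(DENY_PUT, caller, "oss:PutObject", some_object_arn) returns "Deny" even though the first statement allows oss:*, which is the override behaviour the "Deny an action" example relies on.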