This topic describes how to manage Virtual Private Cloud (VPC) permissions granted to a Resource Access Management (RAM) user. In the RAM console, you can create custom policies and attach them to a RAM user.

Prerequisites

An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one. For more information, see Create an Alibaba Cloud account.

Basic information

Before you manage VPC permissions, we recommend that you learn some common policies.
Policy                     Description
AliyunVPCFullAccess        Grants a RAM user the permissions to manage VPCs.
AliyunVPCReadOnlyAccess    Grants a RAM user the read-only permissions on VPCs.
Note For more information about VPC permissions, see RAM user authorization.

Attach a custom policy to a RAM user

  1. Create a custom policy.
    For more information, see Create a custom policy and Examples.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, find the policy that you want to manage and click its name.
  4. Click the References tab and click Grant Permission.
  5. In the Principal section, enter the username or ID of the RAM user.
  6. Click OK.
  7. Click Complete.
    Note You can also attach existing policies to a RAM user or a RAM user group. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

Examples

  • Example 1: Authorize a RAM user to manage all VPCs.

    Assume that the ID of your Alibaba Cloud account is 253460731706911258 and you want to authorize a RAM user to manage all VPCs that belong to the Alibaba Cloud account. In this case, attach the following policy to the RAM user:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*"
                ],
                "Resource": [
                    "acs:vpc:*:253460731706911258:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Authorize a RAM user to manage the vSwitches in a VPC.

    Assume that you want to authorize a RAM user to manage vSwitches in the China (Qingdao) region. More specifically, the RAM user can create and delete vSwitches, and associate and disassociate subnet routes. However, the RAM user can only view vSwitches in other regions. In this case, attach the following policy to the RAM user:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*VSwitch*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 3: Authorize a RAM user to manage the route tables and routes in a specific region.

    Assume that the ID of your Alibaba Cloud account is 283117732402483989 and you have created VPCs in multiple regions. You want to authorize a RAM user to manage VPCs in the China (Hangzhou) region. More specifically, the RAM user can add and delete routes, create subnet routes, and associate subnet routes with vSwitches in the China (Hangzhou) region. However, the RAM user can only view cloud resources in other regions. In this case, attach the following policy to the RAM user:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "slb:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*RouteEntry*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-hangzhou:283117732402483989:*/*"
                ],
                "Condition": {}
            }
        ]
    }
  • Example 4: Authorize a RAM user to add routes to or delete routes from a specified route table.

    To authorize a RAM user to add routes to or delete routes from a specified route table, attach the following policy to the RAM user:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouteEntry*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
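The four examples above differ only in how tightly their Action and Resource fields are scoped: Example 1 grants every vpc action but only within one account, Examples 2 and 3 narrow the action list and pin the resource to one region, and Example 4 pins it to a single route table ID. The following Python script is an added illustration and is not part of Alibaba Cloud's documentation or tooling. It is a simplified evaluator for policy documents of this shape, useful for checking before you attach a policy whether it grants exactly the calls you intend. It assumes the semantics common to RAM-style policies (an explicit Deny overrides any Allow, anything not matched by an Allow is implicitly denied, and `*` in an Action or Resource string matches any run of characters), treats action names as case-insensitive, and goes beyond the page's examples by also modelling Deny statements. Non-empty Condition blocks are not evaluated; a statement that carries one is treated as not matching. The Example 2 and Example 4 policies are copied from this page; the account ID, vSwitch ID and second route table ID used in the checks are constructed.

```python
"""Simplified evaluator for Alibaba Cloud RAM policy documents (added example).

Models only what the policies on this page use: the "Version": "1" document
shape, Allow/Deny effects, '*' wildcards in Action and Resource strings, and
empty Condition blocks. Assumed semantics: explicit Deny beats Allow, and
anything no Allow matches is implicitly denied.
"""
import re


def _wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    if stmt.get("Condition"):  # non-empty Condition: not modelled, treated as no match
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # assumption: case-insensitive
    resources = _as_list(stmt.get("Resource", []))
    return any(_wildcard_match(a, action.lower()) for a in actions) and any(
        _wildcard_match(r, resource) for r in resources
    )


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit Deny wins regardless of later Allows
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    return evaluate(policy, action, resource) == "Allow"


def broad_statements(policy: dict) -> list:
    """Indices of Allow statements granting a whole service (or everything) on Resource '*'.

    A pre-attach lint: every example on this page either scopes 'vpc:*' to an
    account or narrows the action list, so none of them trips this check.
    """
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wide_action and "*" in _as_list(stmt.get("Resource", [])):
            flagged.append(i)
    return flagged


# Copied from Example 2 on this page: region-scoped vSwitch/route table management.
EXAMPLE_2 = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*"],
         "Resource": ["acs:vpc:cn-qingdao:*:*/*"]},
        {"Effect": "Allow", "Action": ["ecs:*Describe*"], "Resource": ["*"]},
    ],
}

# Copied from Example 4 on this page: route entries on one named route table only.
EXAMPLE_4 = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vpc:*RouteEntry*"],
         "Resource": ["acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"]},
        {"Effect": "Allow", "Action": ["vpc:*Describe*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ecs:*Describe*"], "Resource": ["*"]},
    ],
}

# Constructed counter-example: full vpc access on every resource in every account.
OVERBROAD = {"Version": "1",
             "Statement": [{"Effect": "Allow", "Action": ["vpc:*"], "Resource": ["*"]}]}

if __name__ == "__main__":
    acct = "253460731706911258"  # constructed account ID
    vsw_qd = f"acs:vpc:cn-qingdao:{acct}:vswitch/vsw-constructed"
    vsw_hz = f"acs:vpc:cn-hangzhou:{acct}:vswitch/vsw-constructed"
    print("Example 2, CreateVSwitch in Qingdao :", evaluate(EXAMPLE_2, "vpc:CreateVSwitch", vsw_qd))
    print("Example 2, CreateVSwitch in Hangzhou:", evaluate(EXAMPLE_2, "vpc:CreateVSwitch", vsw_hz))
    print("Example 2, DeleteVpc in Qingdao     :", evaluate(EXAMPLE_2, "vpc:DeleteVpc", f"acs:vpc:cn-qingdao:{acct}:vpc/vpc-constructed"))
    print("Overbroad statements               :", broad_statements(OVERBROAD), broad_statements(EXAMPLE_2))
```

Running the script shows that Example 2 allows vSwitch creation in cn-qingdao but not in cn-hangzhou, and that it does not allow `vpc:DeleteVpc` even in cn-qingdao, because none of the three action patterns matches it; the lint flags the constructed `vpc:*` on `*` policy and passes the page's own examples.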