This topic describes how to manage Virtual Private Cloud (VPC) permissions granted to a Resource Access Management (RAM) user. In the RAM console, you can create custom policies and attach them to a RAM user.
Prerequisites
Basic information
| Policy | Description |
|---|---|
| AliyunVPCFullAccess | Grants a RAM user the permissions to manage VPCs. |
| AliyunVPCReadOnlyAccess | Grants a RAM user the read-only permissions on VPCs. |
Attach a custom policy to a RAM user
Examples
- Example 1: Authorize a RAM user to manage all VPCs.
Assume that the ID of your Alibaba Cloud account is 253460731706911258 and you want to authorize a RAM user to manage all VPCs that belong to the Alibaba Cloud account. In this case, attach the following policy to the RAM user:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "vpc:*" ],
      "Resource": [ "acs:vpc:*:253460731706911258:*/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
- Example 2: Authorize a RAM user to manage the vSwitches in a VPC.
Assume that you want to authorize a RAM user to manage vSwitches in the China (Qingdao) region. More specifically, the RAM user can create and delete vSwitches, and associate and disassociate subnet routes. However, the RAM user can only view vSwitches in other regions. In this case, attach the following policy to the RAM user:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*" ],
      "Resource": [ "acs:vpc:cn-qingdao:*:*/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
- Example 3: Authorize a RAM user to manage the route tables and routes in a specific region.
Assume that the ID of your Alibaba Cloud account is 283117732402483989 and you have created VPCs in multiple regions. You want to authorize a RAM user to manage VPCs in the China (Hangzhou) region. More specifically, the RAM user can add and delete routes, create subnet routes, and associate subnet routes with vSwitches in the China (Hangzhou) region. However, the RAM user can only view cloud resources in other regions. In this case, attach the following policy to the RAM user:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "slb:*Describe*" ],
      "Resource": [ "*" ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "rds:*Describe*" ],
      "Resource": [ "*" ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "vpc:*Describe*", "vpc:*RouteEntry*", "vpc:*RouteTable*" ],
      "Resource": [ "acs:vpc:cn-hangzhou:283117732402483989:*/*" ],
      "Condition": {}
    }
  ]
}
```
- Example 4: Authorize a RAM user to add routes to or delete routes from a specified route table.
To authorize a RAM user to add routes to or delete routes from a specified route table, attach the following policy to the RAM user:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "vpc:*RouteEntry*" ],
      "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "vpc:*Describe*" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ecs:*Describe*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
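Before attaching any of the four policies above, it is worth confirming offline that the Action and Resource patterns scope the grant the way the example text claims, and that no statement is broader than the task needs. The following Python checker is an added example, not Alibaba Cloud's own RAM evaluator: it loads constructed copies of Examples 1, 2 and 4, evaluates whether a given action on a given resource ARN would be allowed (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny), and flags Allow statements that grant a service-wide action wildcard or a mutating action on every resource. The wildcard semantics (`*` matches any run of characters, `?` one character, comparison case-insensitive) and the Deny-over-Allow precedence are assumptions drawn from RAM policy conventions; statements with a non-empty Condition are not evaluated. The vSwitch and instance IDs in the checks are constructed values.

```python
"""Offline checker for RAM policy documents (added example, not Alibaba Cloud code)."""
import json
import re

# Constructed copy of Example 1 from the page (all VPCs in one account).
EXAMPLE_1 = json.loads("""
{ "Version": "1", "Statement": [
  { "Effect": "Allow", "Action": [ "vpc:*" ], "Resource": [ "acs:vpc:*:253460731706911258:*/*" ] },
  { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }
""")

# Constructed copy of Example 2 (vSwitch management limited to cn-qingdao).
EXAMPLE_2 = json.loads("""
{ "Version": "1", "Statement": [
  { "Effect": "Allow", "Action": [ "vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*" ],
    "Resource": [ "acs:vpc:cn-qingdao:*:*/*" ] },
  { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }
""")

# Constructed copy of Example 4 (route entries on one route table, page's placeholder ID).
EXAMPLE_4 = json.loads("""
{ "Version": "1", "Statement": [
  { "Effect": "Allow", "Action": [ "vpc:*RouteEntry*" ],
    "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ] },
  { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] },
  { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }
""")


def wildcard_match(pattern: str, value: str) -> bool:
    """RAM-style glob: '*' matches any run (including ':' and '/'), '?' one character.
    Assumption: the comparison is case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one (action, resource) pair against the policy.
    Explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny.
    Non-empty Condition blocks are not evaluated, so they raise instead of guessing."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Condition"):
            raise NotImplementedError("Condition evaluation is not supported by this checker")
        action_hit = any(wildcard_match(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def _is_read_only(action_pattern: str) -> bool:
    # Heuristic: Describe*/List*/Get* names are read-only; anything else may change state.
    name = action_pattern.split(":", 1)[-1].lstrip("*")
    return name.startswith(("Describe", "List", "Get"))


def find_broad_grants(policy: dict) -> list:
    """Return (statement_index, reason) pairs for Allow statements that exceed least
    privilege: a service-wide or global action wildcard, or a mutating action on every
    resource. Read-only actions on "*" are not flagged."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for a in _as_list(stmt["Action"]):
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"action {a!r} grants every action of the service"))
            elif not _is_read_only(a) and "*" in resources:
                findings.append((i, f"mutating action {a!r} allowed on all resources"))
    return findings


if __name__ == "__main__":
    vsw_qd = "acs:vpc:cn-qingdao:253460731706911258:vswitch/vsw-constructed"   # constructed
    vsw_hz = "acs:vpc:cn-hangzhou:253460731706911258:vswitch/vsw-constructed"  # constructed
    print("Example 2, CreateVSwitch in cn-qingdao :", is_allowed(EXAMPLE_2, "vpc:CreateVSwitch", vsw_qd))
    print("Example 2, CreateVSwitch in cn-hangzhou:", is_allowed(EXAMPLE_2, "vpc:CreateVSwitch", vsw_hz))
    for name, pol in (("Example 1", EXAMPLE_1), ("Example 4", EXAMPLE_4)):
        print(name, "broad grants:", find_broad_grants(pol))
```

Running the checker shows the intended scoping: Example 2 allows `vpc:CreateVSwitch` on a cn-qingdao vSwitch ARN but not on a cn-hangzhou one, Example 4 allows `vpc:CreateRouteEntry` only on the named route table, and the audit flags Example 1's `vpc:*` statement as a service-wide grant while reporting nothing for Example 4. Because the Resource patterns here contain literal region names, the checker is also a quick way to confirm that a Describe-only statement scoped to one region will not answer requests for resources in another.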