
Virtual Private Cloud:Grant VPC permissions to RAM users

Last Updated:Sep 07, 2023

This topic describes how to manage Virtual Private Cloud (VPC) permissions of a Resource Access Management (RAM) user. In the RAM console, you can create custom permission policies and attach them to the RAM user.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Alibaba Cloud official website. For more information, see Create an Alibaba Cloud account.

Common permission policies

The following table describes some common permission policies that can be used in the RAM console to manage VPC permissions.

Permission policy         | Description
--------------------------|-----------------------------------------------------
AliyunVPCFullAccess       | Grants a RAM user the permissions to manage VPCs.
AliyunVPCReadOnlyAccess   | Grants a RAM user the read-only permission on VPCs.

Note

For more information about VPC permissions, see Grant permissions to a RAM user.

Attach a custom permission policy to a RAM user

  1. Create a custom permission policy.

  2. On the Policies page, click the name of the permission policy.

  3. On the References tab, click Grant Permission.

  4. In the Add Permissions panel, enter the name or ID of the user in the Principal field, and then click OK.

    Note

    You can also attach existing permission policies to a RAM user or RAM user group. For more information, see Grant permissions to RAM users and Grant permissions to a RAM user group.

Examples of VPC permission policies

  • Example 1: Authorize a RAM user to manage all VPCs.

    To authorize a RAM user to manage all VPCs within the Alibaba Cloud account 1234567, use the following sample script:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*"
                ],
                "Resource": [
                    "acs:vpc:*:1234567:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • Example 2: Authorize a RAM user to manage the vSwitches in a VPC.

    You can use the following sample script to authorize a RAM user to manage the vSwitches in the China (Qingdao) region. More specifically, the RAM user can create vSwitches, delete vSwitches, associate subnet routes, and disassociate subnet routes. The RAM user can only view the vSwitches in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*VSwitch*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "acs:ecs:cn-qingdao:*:*/*"
                ]
            }
        ]
    }
  • Example 3: Authorize a RAM user to manage the route tables and route entries in a specified region.

    To authorize a RAM user to manage the VPCs within the Alibaba Cloud account 11111111 in the China (Hangzhou) region, use the following sample script. After the RAM user is authorized, the RAM user can add and delete routes, create subnet routes, and associate vSwitches in the China (Hangzhou) region. The RAM user can only view the cloud services in other regions.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "slb:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:*Describe*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {}
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*",
                    "vpc:*RouteEntry*",
                    "vpc:*RouteTable*"
                ],
                "Resource": [
                    "acs:vpc:cn-hangzhou:11111111:*/*"
                ],
                "Condition": {}
            }
        ]
    }
  • Example 4: Authorize a RAM user to add or delete the route entries in a specified route table.

    To authorize a RAM user to add or delete the route entries in a specified route table, use the following sample script:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*RouteEntry*"
                ],
                "Resource": [
                    "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:*Describe*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
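To check what a policy such as the ones above actually grants before attaching it, the following added example (not part of the Alibaba Cloud documentation) evaluates a RAM-style policy against an action and a resource ARN and flags statements that combine a service-wide wildcard action with "*" as the resource. It assumes simplified matching semantics: "*" matches any run of characters, actions are compared case-insensitively, a matching Deny overrides Allow, anything unmatched is denied, and Condition blocks are ignored.

```python
import json
import re

# Constructed input: the vSwitch policy for China (Qingdao) from Example 2 above.
VSWITCH_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*"],
     "Resource": ["acs:vpc:cn-qingdao:*:*/*"]},
    {"Effect": "Allow", "Action": ["ecs:*Describe*"],
     "Resource": ["acs:ecs:cn-qingdao:*:*/*"]}
  ]
}""")

def _glob(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern in which '*' stands for any run of characters.
    Case-insensitive comparison is an assumption of this example."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: default deny; a matching Deny beats any Allow.
    Condition blocks are ignored (the page's examples leave them empty)."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = any(_glob(a, action) for a in _as_list(stmt["Action"])) and \
              any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def broad_grants(policy: dict) -> list:
    """Least-privilege lint: indexes of Allow statements that pair a
    service-wide action wildcard (e.g. 'vpc:*') with '*' as the resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_res = "*" in _as_list(stmt["Resource"])
        wide_act = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        if wide_res and wide_act:
            findings.append(i)
    return findings
```

Running the Example 2 policy through `is_allowed` confirms that vSwitch operations succeed only for resources in cn-qingdao and that unrelated actions such as deleting a VPC are not granted.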