This topic describes how to use the permission management feature of RAM (Resource Access Management) to create permission policies that control access to PrivateLink, so that RAM users can be granted exactly the PrivateLink operations they need.
Prerequisites
Basic information
Before you use RAM to manage permissions on PrivateLink, familiarize yourself with the following commonly used system permission policies.
| Permission policy | Description |
|---|---|
| AliyunPrivateLinkFullAccess | Grants a RAM user full management permissions on PrivateLink. |
| AliyunPrivateLinkReadOnlyAccess | Grants a RAM user read-only access to PrivateLink. |
| AliyunPrivatelinkEndpointServiceFullAccess | Grants a RAM user full management permissions on endpoint services. |
| AliyunPrivatelinkEndpointServiceReadOnlyAccess | Grants a RAM user read-only access to endpoint services. |
| AliyunPrivatelinkEndpointFullAccess | Grants a RAM user full management permissions on endpoints. |
| AliyunPrivatelinkEndpointReadOnlyAccess | Grants a RAM user read-only access to endpoints. |
Note: For the definitions of the PrivateLink permissions (actions and resources), see RAM authorization.
Grant a custom permission policy to a RAM user
PrivateLink authorization examples
- Grant a RAM user permissions to manage all PrivateLink resources (endpoint services and endpoints). The second statement allows the service-linked role to be created only for PrivateLink, by restricting `ram:ServiceName` with a `StringEquals` condition.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CreateVpcEndpointService",
        "privatelink:ListVpcEndpointServices",
        "privatelink:UpdateVpcEndpointServiceAttribute",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:AttachResourceToVpcEndpointService",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:DetachResourceFromVpcEndpointService",
        "privatelink:DeleteVpcEndpointService",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:UpdateVpcEndpointConnectionAttribute",
        "privatelink:EnableVpcEndpointConnection",
        "privatelink:DisableVpcEndpointConnection",
        "privatelink:AddUserToVpcEndpointService",
        "privatelink:RemoveUserFromVpcEndpointService",
        "privatelink:ListVpcEndpointServiceUsers",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:*:role/*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      },
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user read-only permissions on all PrivateLink resources. Only `List*`, `Get*` and `Describe*` actions are included, so the user can inspect but not change any endpoint service or endpoint.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServices",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:ListVpcEndpointServiceUsers",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointZones",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user permissions to manage all endpoint services (the service-provider side of a PrivateLink connection).

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CreateVpcEndpointService",
        "privatelink:ListVpcEndpointServices",
        "privatelink:UpdateVpcEndpointServiceAttribute",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:AttachResourceToVpcEndpointService",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:DetachResourceFromVpcEndpointService",
        "privatelink:DeleteVpcEndpointService",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:UpdateVpcEndpointConnectionAttribute",
        "privatelink:EnableVpcEndpointConnection",
        "privatelink:DisableVpcEndpointConnection",
        "privatelink:AddUserToVpcEndpointService",
        "privatelink:RemoveUserFromVpcEndpointService",
        "privatelink:ListVpcEndpointServiceUsers",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user read-only permissions on all endpoint services.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServices",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServiceResources",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:ListVpcEndpointServiceUsers",
        "slb:DescribeLoadBalancers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user permissions to manage all endpoints (the service-consumer side). As in the full-access policy, creating the service-linked role is allowed only when `ram:ServiceName` equals `privatelink.aliyuncs.com`.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:*:role/*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      },
      "Effect": "Allow"
    }
  ]
}
```
- Grant a RAM user read-only permissions on all endpoints.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointZones",
        "privatelink:ListVpcEndpointSecurityGroups",
        "vpc:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
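As an added example (not code from this page or from Alibaba Cloud), a small Python evaluator that models how RAM applies the policies above: wildcard matching on `Action` and `Resource`, the `StringEquals` condition on `ram:ServiceName` that limits the service-linked-role grant to PrivateLink, default deny with explicit Deny winning, plus a helper that lists the state-changing actions a read-only policy must not contain. The embedded policy is a constructed, trimmed copy of the "manage all endpoints" policy; the evaluator is a simplified model, not the RAM engine.

```python
import fnmatch
import json

# Constructed sample: a trimmed copy of the page's "manage all endpoints" policy.
# The conditional ram:CreateServiceLinkedRole statement is kept as on the page.
ENDPOINT_POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": [ "privatelink:CreateVpcEndpoint", "privatelink:ListVpcEndpoints",
                "privatelink:GetVpcEndpointAttribute", "vpc:DescribeVpcs" ],
    "Resource": "*", "Effect": "Allow" },
  { "Action": [ "ram:CreateServiceLinkedRole" ], "Resource": "acs:ram:*:*:role/*",
    "Condition": { "StringEquals": { "ram:ServiceName": "privatelink.aliyuncs.com" } },
    "Effect": "Allow" } ] }
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value):
    # RAM wildcard semantics for Action/Resource: '*' matches any run, case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _condition_holds(cond, ctx):
    # Only StringEquals is modelled (the sole operator used on this page); every key must match.
    for op, pairs in cond.items():
        if op != "StringEquals":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, expected in pairs.items():
            if ctx.get(key) not in _as_list(expected):
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Default deny; an explicit Deny beats any Allow; a statement applies only
    when its Action, Resource and Condition all match the request."""
    ctx, allowed = ctx or {}, False
    for st in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def mutating_actions(policy):
    # Anything not List*/Get*/Describe* can change state: a read-only policy must not grant it.
    acts = {a for st in policy["Statement"] for a in _as_list(st["Action"])}
    return sorted(a for a in acts if not a.split(":", 1)[1].startswith(("List", "Get", "Describe")))
```

Running `mutating_actions` over the two read-only policies above should return an empty list; over a full-access policy it lists exactly the operations to scrutinize when a user asks for broader rights.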