This topic describes how to manage Virtual Private Cloud (VPC) permissions of a Resource Access Management (RAM) user. In the RAM console, you can create custom policies and attach them to the RAM user.
Background information
- Before you manage the VPC permissions of RAM users, take note of the following system
policies:
- AliyunVPCFullAccess: grants a RAM user the permissions to manage VPCs.
- AliyunECSReadOnlyAccess: grants read-only permissions on VPCs.
If the system policies cannot meet your business requirements, you can create custom policies.
- Before you manage the VPC permissions of RAM users, take note of the VPC permissions. For more information, see RAM user authorization.
Procedure
Policy examples
- Example 1: Authorize a RAM user to manage all VPCs.
To authorize a RAM user to manage all VPCs in your Alibaba Cloud account 1234567, use the following sample script:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*" ], "Resource": [ "acs:vpc:*:1234567:*/*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] } - Example 2: Authorize a RAM user to manage the vSwitches in a VPC.
To authorize a RAM user to manage the vSwitches of the VPCs in the China (Qingdao) region, use the following policy. After the policy is attached to the RAM user, the RAM user can create, delete, associate, or disassociate subnet routes for the vSwitches of the VPCs in the China (Qingdao) region. The RAM user can only view the vSwitches in other regions.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*Describe*", "vpc:*VSwitch*", "vpc:*RouteTable*" ], "Resource": [ "acs:vpc:cn-qingdao:*:*/*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] } - Example 3: Authorize a RAM user to manage the route tables and routes in a specific
region.
To authorize a RAM user to manage all VPCs in the China (Hangzhou) region, use the following sample script. The RAM user belongs to your Alibaba Cloud account 1234567. After the RAM user is authorized, the RAM user can add or delete routes, create subnet routes, and associate vSwitches in this region. The RAM user can only view the cloud services in other regions.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ], "Condition": {} }, { "Effect": "Allow", "Action": [ "slb:*Describe*" ], "Resource": [ "*" ], "Condition": {} }, { "Effect": "Allow", "Action": [ "rds:*Describe*" ], "Resource": [ "*" ], "Condition": {} }, { "Effect": "Allow", "Action": [ "vpc:*Describe*", "vpc:*RouteEntry*", "vpc:*RouteTable*" ], "Resource": [ "acs:vpc:cn-hangzhou:1234567:*/*" ], "Condition": {} } ] } - Example 4: Authorize a RAM user to add or delete the routes in a specified route table.
To authorize a RAM user to add or delete routes in a specific route table, use the following policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:*RouteEntry*" ], "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ] }, { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] } ] }