This topic describes how to grant specific permissions for Virtual Private Cloud (VPC) to a Resource Access Management (RAM) user. By creating and attaching custom policies in the RAM console, you can implement the principle of least privilege and control user access to your VPC resources.
Background information
You can grant VPC permissions to RAM users by using system policies or by creating your own custom policies.
System policies: RAM provides system-wide policies for common use cases. For VPC, these include:
AliyunVPCFullAccess: Grants full administrative permissions for all VPC resources.
AliyunECSReadOnlyAccess: Grants read-only permissions for all VPC resources.
Custom policies: If the system policies are too broad, you can create custom policies to grant granular permissions. This allows you to restrict access to specific resources or actions based on your security requirements.
Procedure
To grant VPC permissions to a RAM user, follow these general steps:
Create a RAM user to whom you will grant permissions.
Create a custom policy that defines the specific VPC permissions. For more information, see the following section.
Policy examples
Example 1: Grant permission to manage all VPCs
The following policy grants a RAM user permission to manage all VPC resources within the Alibaba Cloud account 123456789012. It also includes read-only access to Elastic Compute Service (ECS) resources, which can provide necessary context when working with VPCs in the console.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*"
      ],
      "Resource": [
        "acs:vpc:*:1234567:*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Example 2: Grant permission to manage vSwitches in a specific region
The following policy grants a RAM user permission to manage vSwitches and route tables in the China (Qingdao) region. The RAM user is also granted read-only permissions for VPC resources in all other regions, allowing them to view but not modify those resources.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*",
        "vpc:*VSwitch*",
        "vpc:*RouteTable*"
      ],
      "Resource": [
        "acs:vpc:cn-qingdao:*:*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Example 3: Grant permission to manage route tables in a specific region
The following policy grants a RAM user permission to manage route entries and route tables in the China (Hangzhou) region. The policy also includes read-only permissions for ECS, Server Load Balancer (SLB), and ApsaraDB RDS (RDS) resources. These permissions are often necessary for a RAM user to perform network management tasks effectively, as they provide context about the services connected to the VPC.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "slb:*Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:*Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*",
        "vpc:*RouteEntry*",
        "vpc:*RouteTable*"
      ],
      "Resource": [
        "acs:vpc:cn-hangzhou:1234567:*/*"
      ],
      "Condition": {}
    }
  ]
}
Example 4: Grant permission to manage routes in a specific route table
The following policy grants a RAM user permission to manage route entries within a specific route table (vtb-m5e64ujkb7xn5zlq0xxxx). This is an example of resource-level permissions. The RAM user is also granted read-only access to all VPC and ECS resources for context.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*RouteEntry*"
      ],
      "Resource": [
        "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*Describe*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
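Before attaching a resource-level policy such as Example 4, it is worth checking exactly which action/resource pairs it admits. The evaluator below is an added example, not code from the Alibaba Cloud documentation: it implements a simplified RAM evaluation (the `*` wildcard in Action and Resource, deny by default, an explicit Deny overriding Allow, Condition blocks ignored) and runs Example 4's policy against constructed ARNs; the second route table, vSwitch and ECS instance IDs are hypothetical.

```python
import json
import re
# Example 4 from this page, used here as the policy under test.
POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Effect": "Allow", "Action": [ "vpc:*RouteEntry*" ],
    "Resource": [ "acs:vpc:cn-qingdao:*:routetable/vtb-m5e64ujkb7xn5zlq0xxxx" ] },
  { "Effect": "Allow", "Action": [ "vpc:*Describe*" ], "Resource": [ "*" ] },
  { "Effect": "Allow", "Action": [ "ecs:*Describe*" ], "Resource": [ "*" ] }
] }
""")

def glob_match(pattern, value):
    """RAM-style match: '*' stands for any run of characters, all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: deny by default, a matching Deny beats any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Condition blocks are ignored here (simplification; the page's examples have none).
        if not (any(glob_match(a, action) for a in actions)
                and any(glob_match(r, resource) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed ARNs: the route table named in Example 4, plus hypothetical resources.
RT_ALLOWED = "acs:vpc:cn-qingdao:1234567:routetable/vtb-m5e64ujkb7xn5zlq0xxxx"
RT_OTHER = "acs:vpc:cn-qingdao:1234567:routetable/vtb-hypothetical0000000"
VSW = "acs:vpc:cn-qingdao:1234567:vswitch/vsw-hypothetical00000000"
ECS = "acs:ecs:cn-qingdao:1234567:instance/i-hypothetical000000"

CHECKS = [
    ("vpc:CreateRouteEntry", RT_ALLOWED),  # write on the named table: allowed
    ("vpc:DeleteRouteEntry", RT_OTHER),    # same action, other table: denied
    ("vpc:DescribeVSwitches", VSW),        # read anywhere: allowed
    ("vpc:DeleteVSwitch", VSW),            # write outside the grant: denied
    ("ecs:DescribeInstances", ECS),        # ECS read: allowed
    ("ecs:StopInstance", ECS),             # ECS write: denied
]

def audit(policy=POLICY, checks=CHECKS):
    """Return {(action, resource): allowed} so the grant can be reviewed as a table."""
    return {(a, r): is_allowed(policy, a, r) for a, r in checks}
```

Swap in any of the other example policies and extend CHECKS with the calls your RAM user actually needs; every pair that comes back allowed but is not on that list is a candidate for tightening the Resource or Action patterns.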