VPN Gateway:Use VPN gateways with RAM

Last Updated:Apr 28, 2024

Resource Access Management (RAM) is an Alibaba Cloud service that can manage identities and permissions. You can use RAM to manage permissions on resources and regulate access to resources. VPN Gateway allows you to use RAM to regulate access to VPN gateways.

Overview

RAM uses permission control to regulate access from RAM users, RAM user groups, and RAM roles to a resource. A policy is a set of permissions. You can attach policies to RAM users, RAM user groups, or RAM roles to grant them permissions on a resource.

Permission

Alibaba Cloud accounts, RAM users, and resource creators have different default permissions.

  • An Alibaba Cloud account is the resource owner and controls all permissions.

    • Each Alibaba Cloud resource has only one owner. The owner must be an Alibaba Cloud account and has complete control over the resource.

    • The resource owner is not necessarily the resource creator. For example, if a RAM user has permissions to create Alibaba Cloud resources, the resources created by this RAM user belong to the Alibaba Cloud account of the RAM user. The RAM user is the resource creator, but is not the resource owner.

  • A RAM user has no permissions by default.

    • A RAM user is an identity that is used to manage resources. Before a RAM user can perform operations, the RAM user must be granted the required permissions by the Alibaba Cloud account. The required permissions must be granted by attaching one or more explicit allow policies.

    • A new RAM user can manage resources only after the RAM user is granted the required permissions.

  • As a resource creator, a RAM user is not automatically granted the permissions on the created resources.

    • A RAM user can create resources after the RAM user is granted the required permissions.

    • To grant the RAM user the required permissions, the resource owner must attach one or more explicit allow policies to the RAM user.

Policy

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.

RAM supports the following two types of policies:

  • System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify system policies. For more information about the system policies of VPN Gateway, see System policies of VPN Gateway.

  • Custom policy: If system policies cannot meet your business requirements, you can create custom policies to implement fine-grained permission management. For more information about how to create a custom policy, see Custom policies of VPN Gateway.

Attach policies to a principal

After you create a policy, you can attach it to a RAM user, a RAM user group, or a RAM role to grant the permissions defined in the policy to the principal.

  • You can attach one or more policies to a RAM user, a RAM user group, or a RAM role.

  • The attached policies can be system policies or custom policies.

  • If the attached policies are modified, the modifications automatically take effect. You do not need to attach the modified policies to RAM principals again.
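The permission model described above (a RAM user starts with no permissions, gains them only through explicit Allow statements in attached system or custom policies, and sees policy edits take effect without re-attaching) as an added, runnable illustration; this is example code, not Alibaba Cloud's RAM implementation. The policy documents use the real RAM policy syntax, but the `vpc:` action names and the principals are constructed examples, and the rule that an explicit Deny overrides an Allow is RAM's evaluation order rather than something this page states.

```python
import fnmatch
import json

# Constructed sample policies in RAM policy-document syntax (Version "1").
# The vpc:* action names are assumed examples, not taken from this page.
POLICIES = {
    "VpnReadOnly": json.loads("""{
      "Version": "1",
      "Statement": [{"Effect": "Allow",
                     "Action": ["vpc:DescribeVpnGateway*", "vpc:DescribeVpnConnections"],
                     "Resource": "*"}]}"""),
    "VpnDenyDelete": json.loads("""{
      "Version": "1",
      "Statement": [{"Effect": "Deny", "Action": "vpc:DeleteVpnGateway",
                     "Resource": "*"}]}"""),
}

# Principals hold policy *names*, not copies of the documents, so editing a
# policy in POLICIES changes effective permissions without re-attaching it.
PRINCIPALS = {
    "ram-user:alice": {"type": "user", "policies": ["VpnReadOnly"], "groups": ["vpn-ops"]},
    "ram-group:vpn-ops": {"type": "group", "policies": ["VpnDenyDelete"]},
    "ram-user:bob": {"type": "user", "policies": [], "groups": []},  # new user, nothing attached
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def effective_policies(principal):
    """Policies attached directly plus those inherited from RAM user groups."""
    p = PRINCIPALS[principal]
    names = list(p["policies"])
    for g in p.get("groups", []):
        names += PRINCIPALS["ram-group:" + g]["policies"]
    return [POLICIES[n] for n in names]

def is_allowed(principal, action, resource="*"):
    """Default deny: nothing is permitted until an explicit Allow matches the
    action and resource; an explicit Deny overrides any Allow."""
    allowed = False
    for doc in effective_policies(principal):
        for st in doc["Statement"]:
            act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
            res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
            if act_ok and res_ok:
                if st["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

Editing `POLICIES["VpnReadOnly"]` in place and calling `is_allowed` again shows the "modifications automatically take effect" behaviour without touching `PRINCIPALS`.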

Normal service role

VPN Gateway supports normal service roles.

A normal service role is a RAM role whose trusted entity is an Alibaba Cloud service. A normal service role is used to grant access permissions across Alibaba Cloud services. When you use specific features of VPN Gateway, you must authorize the system to automatically create a normal service role and grant permissions on specific resources to the role. After the role is created, VPN Gateway assumes the role to access other cloud services.

You can also manually create, modify, and delete normal service roles, and modify the permissions of normal service roles in the RAM console. If you modify a role or the permissions of a role, the features provided by VPN Gateway may be affected. Proceed with caution. The following table describes the normal service role supported by VPN Gateway.

  • Name: AliyunVpnAccessingIdaasRole

  • Description: The first time you enable SSL-VPN two-factor authentication, you must grant permissions to VPN Gateway. After you perform the authorization, the system automatically creates the AliyunVpnAccessingIdaasRole normal service role and grants the role the permissions to access Identity as a Service (IDaaS) resources. VPN Gateway assumes this role to access IDaaS resources.

  • Policy: AliyunVpnAccessingIdaasRolePolicy

Service-linked Role

A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service. A service-linked role is used to authorize access across Alibaba Cloud services. A service-linked role is a RAM role that only the linked service can assume. In most cases, a service automatically creates or deletes the service-linked role if needed. A service-linked role simplifies the process of authorizing a service to access other services and reduces the risks caused by misoperations.

The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role.

To allow VPN Gateway to access another resource, VPN Gateway must be authorized to create a service-linked role. Then, VPN Gateway assumes this role to access the resource. The following table describes the service-linked role for VPN Gateway.

Important

The number of service-linked roles that you can create is based on the maximum number of RAM roles that you can create within your Alibaba Cloud account. If the upper limit is reached, you can still create service-linked roles. However, you can no longer create other types of RAM roles. For more information, see Limits.

  • Name: AliyunServiceRoleForVpn

  • Description: The first time you create a VPN gateway, the service-linked role AliyunServiceRoleForVpn is automatically created, and the policy AliyunServiceRolePolicyForVpn is attached to the role. This policy allows VPN gateways to access other cloud resources.

  • Policy: AliyunServiceRolePolicyForVpn