本文介绍了通过RAM的权限管理功能,创建相应的权限策略,从而对私网连接(PrivateLink)进行权限管理,以满足RAM用户操作PrivateLink的多种需求。

前提条件

请确保您已经注册了阿里云账号。如还未注册,请先完成账号注册。详细信息,请参见账号注册

基本信息

使用RAM对PrivateLink进行权限管理前,请先了解几个常用的权限策略。
权限策略 描述
AliyunPrivateLinkFullAccess 为RAM用户授予私网连接完全管理权限。
AliyunPrivateLinkReadOnlyAccess 为RAM用户授予私网连接只读访问权限。
AliyunPrivatelinkEndpointServiceFullAccess 为RAM用户授予终端节点服务完全管理权限。
AliyunPrivatelinkEndpointServiceReadOnlyAccess 为RAM用户授予终端节点服务只读访问权限。
AliyunPrivatelinkEndpointFullAccess 为RAM用户授予终端节点完全管理权限。
AliyunPrivatelinkEndpointReadOnlyAccesss 为RAM用户授予终端节点只读访问权限。
说明 私网连接的权限定义,请参见RAM鉴权

将自定义权限策略授权给RAM用户

  1. 创建自定义权限策略。
    详细信息,请参见创建自定义策略私网连接授权样例
  2. 权限策略管理页面,找到目标权限策略,单击其权限策略名称。
  3. 单击引用记录页签,然后单击新增授权
  4. 添加权限页面,授权主体处输入需要授权的用户名称或ID,然后单击确定
    说明 您也可以直接对用户或用户组授予创建好的权限策略,具体操作,请参见为RAM用户授权为用户组授权

私网连接授权样例

  • 授权RAM用户具有操作所有私网连接的权限。
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:CreateVpcEndpointService",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:UpdateVpcEndpointServiceAttribute",
                    "privatelink:GetVpcEndpointServiceAttribute",
                    "privatelink:AttachResourceToVpcEndpointService",
                    "privatelink:ListVpcEndpointServiceResources",
                    "privatelink:DetachResourceFromVpcEndpointService",
                    "privatelink:DeleteVpcEndpointService",
                    "privatelink:ListVpcEndpointConnections",
                    "privatelink:UpdateVpcEndpointConnectionAttribute",
                    "privatelink:EnableVpcEndpointConnection",
                    "privatelink:DisableVpcEndpointConnection",
                    "privatelink:AddUserToVpcEndpointService",
                    "privatelink:RemoveUserFromVpcEndpointService",
                    "privatelink:ListVpcEndpointServiceUsers",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:AttachSecurityGroupToVpcEndpoint", 
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:DeleteVpcEndpoint",
                    "vpc:DescribeVpcs",
                    "ecs:DescribeSecurityGroups",
                    "vpc:DescribeVSwitches",
                    "slb:DescribeLoadBalancers"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:*:role/*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                },
                "Effect": "Allow"
            }
        ]
    }
  • 授权RAM用户具有只读所有私网连接的权限。
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:ListVpcEndpointServiceUsers",
            "privatelink:ListVpcEndpoints",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointZones",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • 授权RAM用户具有操作所有终端节点服务的权限。
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:CreateVpcEndpointService",
            "privatelink:ListVpcEndpointServices",
            "privatelink:UpdateVpcEndpointServiceAttribute",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:AttachResourceToVpcEndpointService",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:DetachResourceFromVpcEndpointService",
            "privatelink:DeleteVpcEndpointService",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:UpdateVpcEndpointConnectionAttribute",
            "privatelink:EnableVpcEndpointConnection",
            "privatelink:DisableVpcEndpointConnection",
            "privatelink:AddUserToVpcEndpointService",
            "privatelink:RemoveUserFromVpcEndpointService",
            "privatelink:ListVpcEndpointServiceUsers",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • 授权RAM用户具有只读所有终端节点服务的权限。
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServices",
            "privatelink:GetVpcEndpointServiceAttribute",
            "privatelink:ListVpcEndpointServiceResources",
            "privatelink:ListVpcEndpointConnections",
            "privatelink:ListVpcEndpointServiceUsers",
            "slb:DescribeLoadBalancers"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • 授权RAM用户具有操作所有终端节点的权限。
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServicesByEndUser",
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:UpdateVpcEndpointAttribute",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:AttachSecurityGroupToVpcEndpoint", 
            "privatelink:DetachSecurityGroupFromVpcEndpoint",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:DeleteVpcEndpoint",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:*:role/*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                },
                "Effect": "Allow"
            }
      ]
    }
  • 授权RAM用户具有只读所有终端节点的权限。
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:ListVpcEndpointServicesByEndUser",
            "privatelink:ListVpcEndpoints",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointZones",
            "privatelink:ListVpcEndpointSecurityGroups",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }