If system policies do not meet your requirements, you can create custom policies to implement fine-grained access control based on the principle of least privilege. This topic describes common scenarios and provides policy examples for Cloud Control API.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. Unlike system policies, custom policies are created and maintained by you.
-
After you create a custom policy, you must attach it to a RAM principal (RAM user, user group, or role) to grant the specified permissions.
-
You can delete a custom policy only after you detach it from all principals.
-
Custom policies support version control. You can manage policy versions by using the versioning mechanism provided by RAM.
Related operations
Common scenarios and examples of custom policies
To manage resources using Cloud Control API, a RAM user or RAM role must have permissions to call operations in both Cloud Control API and the target resource's service API.
-
Example 1: Policy to list VPC resources using Cloud Control API
This policy grants permission to call the
ListResourcesoperation in Cloud Control API and theDescribeVpcsoperation in VPC, allowing a RAM user or RAM role to list VPC resources in the current account.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "cloudcontrol:ListResources", "Resource": "*" }, { "Effect": "Allow", "Action": "vpc:DescribeVpcs", "Resource": "*" } ] } -
Example 2: Policy to create a VPC instance using Cloud Control API
This policy grants permission to call the
CreateResourceoperation in Cloud Control API and theCreateVpcoperation in VPC, allowing a RAM user or RAM role to create a VPC instance.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "cloudcontrol:CreateResource", "Resource": "*" }, { "Effect": "Allow", "Action": "vpc:CreateVpc", "Resource": "*" } ] } -
Example 3: Policy to manage the full lifecycle of VPC resources using Cloud Control API
This policy grants a RAM user or RAM role permission to call resource management operations in Cloud Control API and lifecycle-related operations in VPC, enabling full lifecycle management of VPC resources.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "cloudcontrol:CreateResource", "cloudcontrol:DeleteResource", "cloudcontrol:UpdateResource", "cloudcontrol:GetResources", "cloudcontrol:ListResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "vpc:CreateVpc", "vpc:CreateDefaultVpc", "vpc:DeleteVpc", "vpc:ModifyVpcAttribute", "vpc:AssociateVpcCidrBlock", "vpc:UnassociateVpcCidrBlock", "vpc:DescribeVpcs", "vpc:DescribeVpcAttribute" ], "Resource": "*" } ] }
RAM authorization
Before you create a custom policy, make sure that you understand the permission requirements of your business and the authorization information of Cloud Control API. For more information, see RAM user management.