Cloud Control API custom policies

更新时间:
复制 MD 格式

If system policies do not meet your requirements, you can create custom policies to implement fine-grained access control based on the principle of least privilege. This topic describes common scenarios and provides policy examples for Cloud Control API.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. Unlike system policies, custom policies are created and maintained by you.

  • After you create a custom policy, you must attach it to a RAM principal (RAM user, user group, or role) to grant the specified permissions.

  • You can delete a custom policy only after you detach it from all principals.

  • Custom policies support version control. You can manage policy versions by using the versioning mechanism provided by RAM.

Related operations

Common scenarios and examples of custom policies

Note

To manage resources using Cloud Control API, a RAM user or RAM role must have permissions to call operations in both Cloud Control API and the target resource's service API.

  • Example 1: Policy to list VPC resources using Cloud Control API

    This policy grants permission to call the ListResources operation in Cloud Control API and the DescribeVpcs operation in VPC, allowing a RAM user or RAM role to list VPC resources in the current account.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "cloudcontrol:ListResources",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "vpc:DescribeVpcs",
          "Resource": "*"
        }
      ]
    }
  • Example 2: Policy to create a VPC instance using Cloud Control API

    This policy grants permission to call the CreateResource operation in Cloud Control API and the CreateVpc operation in VPC, allowing a RAM user or RAM role to create a VPC instance.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "cloudcontrol:CreateResource",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "vpc:CreateVpc",
          "Resource": "*"
        }
      ]
    }
  • Example 3: Policy to manage the full lifecycle of VPC resources using Cloud Control API

    This policy grants a RAM user or RAM role permission to call resource management operations in Cloud Control API and lifecycle-related operations in VPC, enabling full lifecycle management of VPC resources.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudcontrol:CreateResource",
            "cloudcontrol:DeleteResource",
            "cloudcontrol:UpdateResource",
            "cloudcontrol:GetResources",
            "cloudcontrol:ListResources"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "vpc:CreateVpc",
            "vpc:CreateDefaultVpc",
            "vpc:DeleteVpc",
            "vpc:ModifyVpcAttribute",
            "vpc:AssociateVpcCidrBlock",
            "vpc:UnassociateVpcCidrBlock",
            "vpc:DescribeVpcs",
            "vpc:DescribeVpcAttribute"
          ],
          "Resource": "*"
        }
      ]
    }

RAM authorization

Before you create a custom policy, make sure that you understand the permission requirements of your business and the authorization information of Cloud Control API. For more information, see RAM user management.