Endpoint policies for interface endpoints precisely control what actions specific users can perform on resources in an Alibaba Cloud service.
How it works
When you access an Alibaba Cloud service through an interface endpoint, you can attach an endpoint policy to it. An endpoint policy is a JSON document that follows the basic elements and syntax of a Resource Access Management (RAM) policy.
- All Alibaba Cloud services accessible through interface endpoints support a default endpoint policy, which grants full access through the interface endpoint.
- Only Object Storage Service (OSS) and PAI - AI WorkSpace support custom endpoint policies.
- If you create an endpoint to access a non-Alibaba Cloud service, such as a partner or user-created service, you cannot configure a custom endpoint policy. The endpoint allows all access by default.
A gateway endpoint does not rely on PrivateLink. It supports access to a limited number of Alibaba Cloud services and allows custom endpoint policies.
Policy types
There are two types of endpoint policies:
- Default endpoint policy: Allows any user or service in the Virtual Private Cloud (VPC) to use their Alibaba Cloud account credentials to access any resource in the associated service.
  {
    // Effect: Defines the effect of the policy.
    "Effect": "Allow",
    // Principal: The user or service granted permission to use the endpoint. The wildcard (*) represents all identities.
    "Principal": "*",
    // Action: Defines the allowed or denied actions.
    "Action": "*",
    // Resource: The resources that the actions apply to.
    "Resource": "*"
  }
- Custom endpoint policy: Restricts the actions that specific users can perform on designated resources.
Policy evaluation logic
An endpoint policy is an additional gate, not a replacement: it does not override or replace identity-based policies (RAM policies attached to users and roles) or resource-based policies such as an OSS bucket policy. A request sent through the endpoint succeeds only if the endpoint policy allows it and the other applicable policies also allow it; an explicit Deny in any of them rejects the request. For more information, see How permissions are evaluated.
Configure an endpoint policy
Console
- Go to the Endpoints - Create Endpoint page and configure the Endpoint Policy when you create an interface endpoint.
- After you create the endpoint, go to its details page and click Edit on the Endpoint Policy tab.
API
- When you call the CreateVpcEndpoint operation, specify the PolicyDocument parameter to configure the endpoint policy.
- Call the UpdateVpcEndpointAttribute operation to modify the endpoint policy.
Endpoint policy examples
Example 1: Deny a specific action
Allows all principals to perform all OSS operations through the endpoint except oss:PutObject (uploading objects). The explicit Deny statement takes precedence over the Allow granted by oss:*, so the upload is rejected regardless of statement order.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Principal": "*",
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutObject"
      ],
      "Principal": "*",
      "Resource": [
        "acs:oss:*:*:*"
      ]
    }
  ]
}
Example 2: Specify allowed resources and actions
Allows only upload (oss:PutObject) and download (oss:GetObject) of the policy-test.txt object in the pvl-policy-test OSS bucket, plus list operations (oss:List*) on that bucket when the requested prefix (the oss:Prefix condition key) starts with policy-test.txt. A list request without a matching prefix does not satisfy the condition and is implicitly denied.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Principal": "*",
      "Resource": [
        "acs:oss:*:*:pvl-policy-test/policy-test.txt"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*"
      ],
      "Principal": "*",
      "Resource": [
        "acs:oss:*:*:pvl-policy-test"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": "policy-test.txt*"
        }
      }
    }
  ]
}
Example 3: Specify RAM user access
Allows only the RAM user pvl-policy-allow under the Alibaba Cloud account 14199926XXXXXXXX to access the service through the endpoint, and explicitly denies the RAM user pvl-policy-deny under the same account. Every other principal is implicitly denied because no Allow statement names it; the explicit Deny guarantees that pvl-policy-deny stays blocked even if a broader Allow statement is added later.
Use your actual RAM user names in the policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Principal": {
        "RAM": [
          "acs:ram::14199926XXXXXXXX:user/pvl-policy-allow"
        ]
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Principal": {
        "RAM": [
          "acs:ram::14199926XXXXXXXX:user/pvl-policy-deny"
        ]
      }
    }
  ]
}
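Policy evaluation worked through, as an added example rather than code from the Alibaba Cloud documentation: the Python below is a small evaluator that applies the RAM elements used in the three examples above (Effect, Principal, Action, Resource, and a StringLike Condition on oss:Prefix) together with the rule from the Policy evaluation logic section that the endpoint policy is an extra gate beside identity-based and bucket policies. The account ID and user names are the page's placeholders, the identity policy it combines with is a constructed input, and decide() implements a simplified combination rule (an explicit Deny anywhere wins; otherwise both the endpoint policy and at least one of the caller's own policies must allow) that is an assumption of this example, not RAM's complete algorithm.

```python
# Added example, not Alibaba Cloud's code. Account ID, user names and the
# identity policy are placeholders/constructed inputs; decide() is a simplified
# model of how an endpoint policy combines with the caller's other policies.
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value):
    # RAM-style wildcard: "*" matches any run of characters, including ":" and "/".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, caller):
    if principal == "*":
        return True
    if isinstance(principal, dict):  # e.g. {"RAM": ["acs:ram::<uid>:user/<name>"]}
        return any(_match_any(ids, caller) for ids in principal.values())
    return False

def _condition_matches(condition, context):
    # Only the operators the page's examples need; a missing context key never matches.
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike" and not _match_any(expected, actual):
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
    return True

def validate_endpoint_policy(policy):
    """Pre-flight shape check for a document destined for the PolicyDocument parameter."""
    if policy.get("Version") != "1" or not isinstance(policy.get("Statement"), list):
        raise ValueError('policy needs "Version": "1" and a "Statement" list')
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        for field in ("Action", "Resource", "Principal"):
            if field not in stmt:
                raise ValueError(f"statement is missing {field}")
    return policy

def evaluate_policy(policy, caller, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for a single policy."""
    context = context or {}
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), caller):
            continue
        if not (_match_any(stmt["Action"], action) and _match_any(stmt["Resource"], resource)):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow in the same policy
        result = "Allow"
    return result

def decide(endpoint_policy, caller_policies, caller, action, resource, context=None):
    """Simplified combination (an assumption of this example): explicit Deny anywhere
    wins; otherwise the endpoint policy must allow AND one of the caller's own
    (identity-based or bucket) policies must allow."""
    verdicts = [evaluate_policy(p, caller, action, resource, context)
                for p in [endpoint_policy, *caller_policies]]
    if "Deny" in verdicts or verdicts[0] != "Allow" or "Allow" not in verdicts[1:]:
        return "Deny"
    return "Allow"

ACCOUNT = "14199926XXXXXXXX"  # placeholder account ID used on the page
ALLOW_USER = f"acs:ram::{ACCOUNT}:user/pvl-policy-allow"
DENY_USER = f"acs:ram::{ACCOUNT}:user/pvl-policy-deny"
BUCKET = "acs:oss:*:*:pvl-policy-test"
OBJ = "acs:oss:*:*:pvl-policy-test/policy-test.txt"

# Constructed stand-in for the caller's identity-based policy: full OSS access.
IDENTITY_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

# The page's default policy and its three custom examples as Python dicts.
DEFAULT_POLICY = validate_endpoint_policy({"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
EXAMPLE_1 = validate_endpoint_policy({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"], "Principal": "*", "Resource": ["acs:oss:*:*:*"]},
    {"Effect": "Deny", "Action": ["oss:PutObject"], "Principal": "*", "Resource": ["acs:oss:*:*:*"]}]})
EXAMPLE_2 = validate_endpoint_policy({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"], "Principal": "*", "Resource": [OBJ]},
    {"Effect": "Allow", "Action": ["oss:List*"], "Principal": "*", "Resource": [BUCKET],
     "Condition": {"StringLike": {"oss:Prefix": "policy-test.txt*"}}}]})
EXAMPLE_3 = validate_endpoint_policy({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"], "Principal": {"RAM": [ALLOW_USER]}},
    {"Effect": "Deny", "Action": ["*"], "Resource": ["*"], "Principal": {"RAM": [DENY_USER]}}]})

if __name__ == "__main__":
    for label, policy, caller, action, resource, ctx in [
        ("ex1 GetObject", EXAMPLE_1, ALLOW_USER, "oss:GetObject", OBJ, None),
        ("ex1 PutObject", EXAMPLE_1, ALLOW_USER, "oss:PutObject", OBJ, None),
        ("ex2 List, prefix ok", EXAMPLE_2, ALLOW_USER, "oss:ListObjects", BUCKET, {"oss:Prefix": "policy-test.txt"}),
        ("ex2 List, no prefix", EXAMPLE_2, ALLOW_USER, "oss:ListObjects", BUCKET, None),
        ("ex3 denied user", EXAMPLE_3, DENY_USER, "oss:GetObject", OBJ, None),
    ]:
        print(f"{label}: {decide(policy, [IDENTITY_POLICY], caller, action, resource, ctx)}")
```

Running it shows Example 1 rejecting PutObject despite the oss:* Allow, Example 2 rejecting a list request that carries no prefix, and Example 3 rejecting pvl-policy-deny even though the constructed identity policy grants oss:*. With an empty list of caller policies, decide() denies everything, which is the point of the evaluation section: the endpoint policy on its own grants nothing. validate_endpoint_policy() is the kind of shape check worth running on a document before passing it as PolicyDocument.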