Combining resource groups with RAM allows you to isolate resources and manage fine-grained permissions within a single Alibaba Cloud account. This topic summarizes how VPC supports resource groups and explains how to grant permissions at the resource group level.
- Resource group-level authorization applies only to resource types that support resource groups and to operations that support resource group-level authorization.
- For resource types that do not support resource groups, permissions in the resource group scope have no effect. In this case, you must grant permissions at the account level. For more information, see Operations that do not support resource group-level authorization.
Resource group authorization
You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create a dedicated resource group for each project and add the project's resources to it to manage them centrally. For more information, see What is a resource group?.
After grouping your resources, you can grant permissions scoped to a specific resource group to different RAM principals, such as RAM users, RAM user groups, or RAM roles. This limits a principal to managing only the resources within that group. For more information, see Resource grouping and authorization.
This approach offers the following benefits:
- Fine-grained permissions: Ensure that each identity has only the specific resource permissions it needs, which prevents resources from different projects from being managed together within the same account.
- Scalability: When you add new resources, you only need to add them to the resource group. The RAM principal automatically gains permissions for the new resources without requiring further authorization.
Grant resource group permissions to a RAM user
This section describes how to grant a RAM user permission to manage VPC resources in a specific resource group.
Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and transfer existing resources to it. For more information, see Create a resource group, Automatically transfer resources, and Manually transfer resources.
Procedure
Grant permissions by using one of the following methods.
Method 1: Resource Group console
You can grant permissions to a specified RAM user by using the permission management feature of a resource group. For more information, see Grant permissions to a RAM identity within the scope of a resource group.
- Log in to the Resource Group console.
- On the Resource Groups page, find the target resource group and click Permissions in the Actions column.
- On the Permissions tab, click Add Permissions.
- In the Add Permissions panel, configure the principal and permission policy.
  - Principal: Select an existing RAM user.
  - Policy: Select a system policy or a custom policy. For more information, see Create a custom policy.
- Click OK.
Method 2: RAM console
You can grant resource group-level authorization to a specified RAM user in the RAM console. For more information, see Manage RAM user permissions.
- Log in to the RAM console with your Alibaba Cloud account or as a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permissions in the Actions column.
- In the Add Permissions panel, add permissions to the RAM user.
  - Resource Scope: Select Resource Group.
  - Principal: Select the target RAM user.
  - Policy: Select a system policy or a custom policy. For more information, see Create a custom policy.
- Click OK.
Resource types that support resource groups
The following table lists the VPC resource types that support resource groups.
| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
| VPC | vpc | |
To request support for a resource type that does not currently support resource groups, submit feedback in the Resource Manager console.

Operations without resource group authorization
Resource group-level authorization is not supported for the following Virtual Private Cloud (VPC) actions:
| Actions | Description |
| --- | --- |
| vpc:AddBandwidthPackageIPs | - |
| vpc:AddGlobalAccelerationInstanceIp | Adds an EIP to a specified bandwidth sharing instance. |
| vpc:AddIPv6TranslatorAclListEntry | Adds an IP entry to an access control policy group. |
| vpc:AllocateVpcIPv6Cidr | Allocates the specified IPv6 CIDR block. |
| vpc:CancelExpressCloudConnection | - |
| vpc:CheckVpnBgpEnabled | Checks whether the region of an IPsec connection supports BGP. |
| vpc:ConvertBandwidthPackage | Converts a NAT bandwidth package. |
| vpc:CreateNatGateway | - |
| vpc:CreateBandwidthPackage | - |
| vpc:CreateBondRouterInterfaceConnection | - |
| vpc:CreateExpressCloudConnection | Creates an Express Connect physical connection. |
| vpc:CreateGlobalAccelerationInstance | Creates a Global Acceleration instance. |
| vpc:CreateIPv6Translator | Creates an IPv6 Translation Service instance. |
| vpc:CreateIPv6TranslatorAclList | Creates an access control policy group. |
| vpc:CreateIPv6TranslatorEntry | Adds an IPv6 translation entry to the specified IPv6 Translation Service instance. |
| vpc:CreateNqa | - |
| vpc:DeleteBandwidthPackage | - |
| vpc:DeleteGlobalAccelerationInstance | Deletes a Global Acceleration instance. |
| vpc:DeleteIPv6Translator | Deletes an IPv6 Translation Service instance. |
| vpc:DeleteIPv6TranslatorAclList | Deletes an access control policy group. You can delete an access control policy group only if it is not associated with any IPv6 translation entries. |
| vpc:DeleteIPv6TranslatorEntry | Deletes an IPv6 translation entry. |
| vpc:DeleteIPv6EgressOnlyRule | Deletes an egress-only rule. |
| vpc:DescribeAccessPoints | - |
| vpc:DescribeBandwidthPackageMonitorData | - |
| vpc:DescribeBandwidthPackagePublicIpMonitorData | - |
| vpc:DescribeGlobalAccelerationInstances | Queries Global Acceleration instances. |
| vpc:DescribeGrantRulesToCbn | - |
| vpc:DescribeIPv6TranslatorAclListAttributes | Queries the attributes of an access control policy group, including its IP addresses and associated IPv6 translation entries. |
| vpc:DescribeIPv6TranslatorAclLists | Queries access control policy groups. |
| vpc:DescribeIPv6TranslatorEntries | Queries IPv6 translation entries. |
| vpc:DescribeInstances | - |
| vpc:DescribeNetworkQuotas | - |
| vpc:DescribePublicIPAddress | Queries the public IP address ranges in a specified region. |
| vpc:DescribeRouterInterfacesForGlobal | - |
| vpc:DescribeServerRelatedGlobalAccelerationInstances | Queries Global Acceleration instances associated with a specified backend server. |
| vpc:DescribeVPCs | - |
| vpc:DescribeVPNGatewayAvailableZones | Queries the availability zones that support IPsec connections in a specified region. |
| vpc:DescribeVrouters | - |
| vpc:DescribeZones | - |
| vpc:DiagnoseVPNConnections | Diagnoses IPsec connections. |
| vpc:DiagnoseVPNConnectionsHistory | - |
| vpc:DiagnoseVPNGateway | Diagnoses the specified VPN Gateway instance. |
| vpc:DisableNatGatewayEcsMetric | Disables ECS traffic monitoring. |
| vpc:EnableNatGatewayEcsMetric | Enables ECS traffic monitoring. |
| vpc:GetBusinessAccessPointDetail | - |
| vpc:GetFlowLogServiceStatus | Gets the status of the flow log feature. |
| vpc:GetNatIPCidrAttribute | - |
| vpc:GetObject | - |
| vpc:GetPhysicalConnectionServiceStatus | Gets the status of the physical connection service. |
| vpc:GetPublicIPAddressPoolServiceStatus | Gets the status of the IP address pool feature. |
| vpc:GetTrafficMirrorServiceStatus | Gets the status of the traffic mirroring feature. |
| vpc:GetVpcIPAMServiceStatus | Gets the status of the IPAM feature. |
| vpc:GetVPNGatewayDiagnoseResult | Gets the diagnosis result of a VPN Gateway instance. |
| vpc:GrantInstanceToCbn | - |
| vpc:InnerVpcCreateDscp | - |
| vpc:InnerVpcDeleteDscp | - |
| vpc:InnerVpcDescribeCrossBorderRouterInterface | - |
| vpc:InnerVpcDescribeDscp | - |
| vpc:InnerVpcModifyDscp | - |
| vpc:InnerVpcRefreshDscp | - |
| vpc:ListBusinessAccessPointPortUsage | - |
| vpc:ListBusinessAccessPoints | Lists the access points for physical connections. |
| vpc:ListBusinessRegions | Lists the regions where physical connections are available for purchase. |
| vpc:ListGeographicSubRegions | Lists geographic sub-regions. |
| vpc:ListNatGatewayEcsMetric | - |
| vpc:ListVpcCloudInstance | - |
| vpc:ListVpcEndpointServicesByEndUser | Lists VPC Endpoint Services. |
| vpc:ModifyBandwidthPackageAttribute | - |
| vpc:ModifyBandwidthPackageSpec | - |
| vpc:ModifyBypassToaAttribute | - |
| vpc:ModifyExpressCloudConnectionAttribute | Modifies the attributes of an Express Connect connection. |
| vpc:ModifyGlobalAccelerationInstanceAttributes | Modifies the name and description of a Global Acceleration instance. |
| vpc:ModifyGlobalAccelerationInstanceSpec | Modifies the bandwidth of a Global Acceleration instance. |
| vpc:ModifyIPv6TranslatorAclAttribute | Modifies the name of an access control policy group. |
| vpc:ModifyIPv6TranslatorAclListEntry | Modifies an IP entry in an access control policy group. |
| vpc:ModifyIPv6TranslatorAttribute | Modifies the name and description of an IPv6 Translation Service instance. |
| vpc:ModifyIPv6TranslatorBandwidth | Modifies the bandwidth of an IPv6 Translation Service instance. |
| vpc:ModifyIPv6TranslatorEntry | Modifies an IPv6 translation entry. |
| vpc:ModifyIPv6GatewaySpec | - |
| vpc:OpenFlowLogService | Enables the flow log feature. |
| vpc:OpenPhysicalConnectionService | Enables the outbound traffic service. |
| vpc:OpenPublicIPAddressPoolService | Enables the IP address pool feature. |
| vpc:OpenTrafficMirrorService | Enables the traffic mirroring feature. |
| vpc:OpenVpcIPAMService | Enables the IPAM feature. |
| vpc:QueryPconnTrafficPrice | - |
| vpc:QueryPhysicalConnectionPrice | - |
| vpc:RejectVpcPeerConnection | Rejects a VPC Peering Connection request. |
| vpc:RemoveBandwidthPackageIPs | - |
| vpc:RemoveGlobalAccelerationInstanceIP | Removes an EIP from a bandwidth sharing instance. |
| vpc:RemoveIPv6TranslatorAclListEntry | Removes an IP entry from an access control policy group. |
| vpc:RevokeInstanceFromCbn | - |
| vpc:SetHaVIPMasterInstance | - |
| vpc:TransformEIPSegmentToPublicIPAddressPool | Migrates a contiguous group of EIPs to an IP address pool. |
| vpc:UnassociateEIPAddress | - |
| vpc:UnassociateGlobalAccelerationInstance | Unassociates a backend server from a Global Acceleration instance. |
| vpc:UpdateCrossBorderStatus | - |
| vpc:AssociateVpcCidrBlock | - |
| vpc:CreateVpc | - |
| vpc:DeleteBgpNetwork | - |
| vpc:DescribeVpcs | - |
| vpc:ReleaseIPv6Address | - |
For operations that do not support resource group-level authorization, selecting the resource group level as the resource scope has no effect. To grant a RAM user permissions for these operations, create a custom policy and set the resource scope to the account level.
Here are two examples of custom policies. You can modify these policies to meet your requirements.
- Allows all read-only operations that do not support resource group-level permission. These are listed in the Action element.

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "vpc:CheckVpnBgpEnabled",
          "vpc:DescribeAccessPoints",
          "vpc:DescribeBandwidthPackageMonitorData",
          "vpc:DescribeBandwidthPackagePublicIpMonitorData",
          "vpc:DescribeGlobalAccelerationInstances",
          "vpc:DescribeGrantRulesToCbn",
          "vpc:DescribeIPv6TranslatorAclListAttributes",
          "vpc:DescribeIPv6TranslatorAclLists",
          "vpc:DescribeIPv6TranslatorEntries",
          "vpc:DescribeInstances",
          "vpc:DescribeNetworkQuotas",
          "vpc:DescribePublicIpAddress",
          "vpc:DescribeRouterInterfacesForGlobal",
          "vpc:DescribeServerRelatedGlobalAccelerationInstances",
          "vpc:DescribeVPCs",
          "vpc:DescribeVpnGatewayAvailableZones",
          "vpc:DescribeVrouters",
          "vpc:DescribeZones",
          "vpc:GetBusinessAccessPointDetail",
          "vpc:GetFlowLogServiceStatus",
          "vpc:GetNatIpCidrAttribute",
          "vpc:GetObject",
          "vpc:GetPhysicalConnectionServiceStatus",
          "vpc:GetPublicIpAddressPoolServiceStatus",
          "vpc:GetTrafficMirrorServiceStatus",
          "vpc:GetVpcIpamServiceStatus",
          "vpc:GetVpnGatewayDiagnoseResult",
          "vpc:ListBusinessAccessPointPortUsage",
          "vpc:ListBusinessAccessPoints",
          "vpc:ListBusinessRegions",
          "vpc:ListGeographicSubRegions",
          "vpc:ListNatGatewayEcsMetric",
          "vpc:ListVpcCloudInstance",
          "vpc:ListVpcEndpointServicesByEndUser"
        ],
        "Resource": "*"
      }
    ]
  }

- Allows all actions that do not support resource group-level permission. These are listed in the Action element.

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "vpc:AddBandwidthPackageIps",
          "vpc:AddGlobalAccelerationInstanceIp",
          "vpc:AddIPv6TranslatorAclListEntry",
          "vpc:AllocateVpcIpv6Cidr",
          "vpc:CancelExpressCloudConnection",
          "vpc:CheckVpnBgpEnabled",
          "vpc:ConvertBandwidthPackage",
          "vpc:CreateNatGateway",
          "vpc:CreateBandwidthPackage",
          "vpc:CreateBondRouterInterfaceConnection",
          "vpc:CreateExpressCloudConnection",
          "vpc:CreateGlobalAccelerationInstance",
          "vpc:CreateIPv6Translator",
          "vpc:CreateIPv6TranslatorAclList",
          "vpc:CreateIPv6TranslatorEntry",
          "vpc:CreateNqa",
          "vpc:DeleteBandwidthPackage",
          "vpc:DeleteGlobalAccelerationInstance",
          "vpc:DeleteIPv6Translator",
          "vpc:DeleteIPv6TranslatorAclList",
          "vpc:DeleteIPv6TranslatorEntry",
          "vpc:DeleteIpv6EgressOnlyRule",
          "vpc:DescribeAccessPoints",
          "vpc:DescribeBandwidthPackageMonitorData",
          "vpc:DescribeBandwidthPackagePublicIpMonitorData",
          "vpc:DescribeGlobalAccelerationInstances",
          "vpc:DescribeGrantRulesToCbn",
          "vpc:DescribeIPv6TranslatorAclListAttributes",
          "vpc:DescribeIPv6TranslatorAclLists",
          "vpc:DescribeIPv6TranslatorEntries",
          "vpc:DescribeInstances",
          "vpc:DescribeNetworkQuotas",
          "vpc:DescribePublicIpAddress",
          "vpc:DescribeRouterInterfacesForGlobal",
          "vpc:DescribeServerRelatedGlobalAccelerationInstances",
          "vpc:DescribeVPCs",
          "vpc:DescribeVpnGatewayAvailableZones",
          "vpc:DescribeVrouters",
          "vpc:DescribeZones",
          "vpc:DiagnoseVpnConnections",
          "vpc:DiagnoseVpnConnectionsHistory",
          "vpc:DiagnoseVpnGateway",
          "vpc:DisableNatGatewayEcsMetric",
          "vpc:EnableNatGatewayEcsMetric",
          "vpc:GetBusinessAccessPointDetail",
          "vpc:GetFlowLogServiceStatus",
          "vpc:GetNatIpCidrAttribute",
          "vpc:GetObject",
          "vpc:GetPhysicalConnectionServiceStatus",
          "vpc:GetPublicIpAddressPoolServiceStatus",
          "vpc:GetTrafficMirrorServiceStatus",
          "vpc:GetVpcIpamServiceStatus",
          "vpc:GetVpnGatewayDiagnoseResult",
          "vpc:GrantInstanceToCbn",
          "vpc:InnerVpcCreateDscp",
          "vpc:InnerVpcDeleteDscp",
          "vpc:InnerVpcDescribeCrossBorderRouterInterface",
          "vpc:InnerVpcDescribeDscp",
          "vpc:InnerVpcModifyDscp",
          "vpc:InnerVpcRefreshDscp",
          "vpc:ListBusinessAccessPointPortUsage",
          "vpc:ListBusinessAccessPoints",
          "vpc:ListBusinessRegions",
          "vpc:ListGeographicSubRegions",
          "vpc:ListNatGatewayEcsMetric",
          "vpc:ListVpcCloudInstance",
          "vpc:ListVpcEndpointServicesByEndUser",
          "vpc:ModifyBandwidthPackageAttribute",
          "vpc:ModifyBandwidthPackageSpec",
          "vpc:ModifyBypassToaAttribute",
          "vpc:ModifyExpressCloudConnectionAttribute",
          "vpc:ModifyGlobalAccelerationInstanceAttributes",
          "vpc:ModifyGlobalAccelerationInstanceSpec",
          "vpc:ModifyIPv6TranslatorAclAttribute",
          "vpc:ModifyIPv6TranslatorAclListEntry",
          "vpc:ModifyIPv6TranslatorAttribute",
          "vpc:ModifyIPv6TranslatorBandwidth",
          "vpc:ModifyIPv6TranslatorEntry",
          "vpc:ModifyIpv6GatewaySpec",
          "vpc:OpenFlowLogService",
          "vpc:OpenPhysicalConnectionService",
          "vpc:OpenPublicIpAddressPoolService",
          "vpc:OpenTrafficMirrorService",
          "vpc:OpenVpcIpamService",
          "vpc:QueryPconnTrafficPrice",
          "vpc:QueryPhysicalConnectionPrice",
          "vpc:RejectVpcPeerConnection",
          "vpc:RemoveBandwidthPackageIps",
          "vpc:RemoveGlobalAccelerationInstanceIp",
          "vpc:RemoveIPv6TranslatorAclListEntry",
          "vpc:RevokeInstanceFromCbn",
          "vpc:SetHaVipMasterInstance",
          "vpc:TransformEipSegmentToPublicIpAddressPool",
          "vpc:UnAssociateEipAddress",
          "vpc:UnassociateGlobalAccelerationInstance",
          "vpc:UpdateCrossBoarderStatus",
          "vpc:associatevpccidrblock",
          "vpc:createvpc",
          "vpc:deleteBgpNetwork",
          "vpc:DescribeVPCs",
          "vpc:releaseIpv6Address"
        ],
        "Resource": "*"
      }
    ]
  }
A RAM user or RAM role with account-level permissions can manage all resources in the account. Always grant permissions deliberately and strictly adhere to the principle of least privilege.
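The practical risk in this section is silent failure: a policy attached at resource-group scope looks complete, but every action in the table above is simply not authorized by that grant. The script below is an added example (not Alibaba Cloud's own tooling) that reads a RAM custom policy, expands its Action patterns, and reports which actions would need an account-level grant instead. It assumes a standard policy document layout (Version, Statement, Effect, Action, Resource), matches action names case-insensitively (an assumption, consistent with the mixed casing of the same actions in the page's two policy examples), and embeds only a subset of the page's table in NO_RG_SCOPE_ACTIONS; the sample policy is constructed for the demonstration.

```python
"""Audit a RAM custom policy for VPC actions that ignore resource-group scope.

Added example; not Alibaba Cloud tooling. Assumes a standard RAM policy
document and case-insensitive action matching (see the lead-in).
"""
import fnmatch
import json

# Subset of the page's table of VPC actions that do not support resource
# group-level authorization. Copy the full table here for a real audit.
NO_RG_SCOPE_ACTIONS = (
    "vpc:AddBandwidthPackageIPs",
    "vpc:AllocateVpcIPv6Cidr",
    "vpc:AssociateVpcCidrBlock",
    "vpc:CreateBandwidthPackage",
    "vpc:CreateNatGateway",
    "vpc:CreateVpc",
    "vpc:DeleteBandwidthPackage",
    "vpc:DescribeInstances",
    "vpc:DescribeVPCs",
    "vpc:DescribeVrouters",
    "vpc:DescribeZones",
    "vpc:GetFlowLogServiceStatus",
    "vpc:OpenFlowLogService",
    "vpc:ReleaseIPv6Address",
    "vpc:UnassociateEIPAddress",
)

# Constructed sample: a project policy an administrator might attach with a
# resource-group scope. vpc:CreateVSwitch and vpc:DeleteVpc are not in the
# subset above and are present only to show that they are left alone.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["vpc:Describe*", "vpc:CreateNatGateway", "vpc:CreateVSwitch"],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "vpc:DeleteVpc", "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM lets Action (and Statement) be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_patterns(policy):
    """Return every Action pattern from the policy's Allow statements.

    Deny statements are skipped: they never widen what a grant covers.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def needs_account_scope(pattern, universe=NO_RG_SCOPE_ACTIONS):
    """Actions in `universe` that `pattern` would grant, wildcards expanded.

    Matching is case-insensitive (assumption, see lead-in); results keep the
    table's spelling so they can be pasted into an account-level policy.
    """
    wanted = pattern.lower()
    return sorted(a for a in universe if fnmatch.fnmatchcase(a.lower(), wanted))


def audit_policy(policy_text, universe=NO_RG_SCOPE_ACTIONS):
    """Map each Allow pattern to the actions a resource-group-scoped grant
    would silently fail to authorize. An empty dict means the policy is safe
    to attach at resource-group scope, as far as `universe` goes."""
    report = {}
    for pattern in allowed_patterns(json.loads(policy_text)):
        hits = needs_account_scope(pattern, universe)
        if hits:
            report[pattern] = hits
    return report


if __name__ == "__main__":
    for pattern, actions in audit_policy(SAMPLE_POLICY).items():
        print(f"{pattern}: needs account-level scope for {', '.join(actions)}")
```

Run it against a policy exported from the RAM console before attaching that policy at resource-group scope; anything it reports belongs in a separate, deliberately minimal account-level policy, which keeps the broad account-level grant limited to exactly the actions that cannot be scoped.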
FAQ
Check the resource group of a resource
- Method 1: Click the resource name to open its details page. The page displays the resource group.
- Method 2: Log on to the Resource Management console and go to . In the left pane, select the account that owns the resource (the default is the current account). Use the filters to locate the target resource and view its resource group.
View product resources in a resource group
- Method 1: Log on to the Resource Management console and go to . In the left pane, under the account that owns the resources (which defaults to the current account), click the target resource group. In the right pane, select the product from the Select resource type section to view all of its resources.
- Method 2: Log on to the Resource Management console and go to . Find the target resource group and click Resource Management in the Actions column for that row. On the Resource Management page, select the product from the product drop-down list to view all of its resources.
Bulk-move resources to a different resource group
Log on to the Resource Management console and go to . Find the target resource group and click Resource Management in the Actions column for that row. On the Resource Management page, use the filters to find your target resources. Select the checkboxes for the resources in the first column, click Transfer Resource Group below the list, and then follow the on-screen instructions to complete the change.