Updated on 2024-04-15 GMT+08:00

Introduction

This section describes fine-grained permissions management for your VPC Endpoint resources. If your account does not need individual IAM users, you can skip over this section.

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups and assign policies or roles to these groups. The users then inherit permissions from the groups can perform specified operations on cloud services based on the permissions they have been assigned.

An account has permissions to call all APIs, but IAM users must have the required permissions specifically assigned. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions allowing the actions can call the API successfully. For example, if an IAM user wants to query VPC endpoint services using an API, the user must have been granted permissions that allow the vpcep:epservices:list action.

Supported Actions

VPC Endpoint provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

  • Permissions: statements in a policy that allow or deny certain operations
  • APIs: REST APIs that can be called by a user who has been granted specific permissions
  • Actions: specific operations that are allowed or denied in a custom policy

VPC Endpoint supports the following actions that can be defined in custom policies:

  • VPC Endpoint Services: contains actions supported by all VPC endpoint service APIs, such as the API for creating a VPC endpoint service.
  • VPC Endpoints: contains actions supported by all VPC endpoint APIs, such as the API for creating a VPC endpoint.
  • Resource Quotas: contains actions for querying quotas of VPC Endpoint resources.