Updated on 2024-04-15 GMT+08:00

Permissions

If you need to assign different permissions to personnel in your enterprise to access your VPCs, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to securely access your cloud resources.

With IAM, you can create IAM users, and assign permissions to control their access to specific resources. For example, if you want some software developers in your enterprise to use VPCs but do not want them to delete VPCs or perform any other high-risk operations, you can grant permissions to use VPCs but not permissions to delete them.

If your cloud account does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account. For more information, see section "IAM Service Overview" in the Identity and Access Management Service User Guide.

VPC Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

VPC is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects in the specified regions, the users only have permissions for VPCs in the selected projects. If you set Scope to All resources, users have permissions for VPCs in all region-specific projects. When accessing VPCs, the users need to switch to the authorized region.

You can grant permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. When you grant permissions using roles, you also need to attach dependent roles. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant VPC users only the permissions for managing a certain type of resources. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by VPC, see "Permissions Policies and Supported Actions" > "Introduction" in the Virtual Private Cloud API Reference.

Table 1 lists all the system-defined permissions for VPC.

Table 1 System-defined permissions for VPC

Policy Name

Description

Policy Type

Dependencies

VPC FullAccess

Full permissions for VPC

System-defined policy

To use the VPC flow log function, users must also have the LTS ReadOnlyAccess permission.

VPC ReadOnlyAccess

Read-only permissions on VPC.

System-defined policy

None

VPC Administrator

Most permissions on VPC, excluding creating, modifying, deleting, and viewing security groups and security group rules.

To be granted this permission, users must also have the Tenant Guest and Server Administrator permission.

System-defined role

Tenant Guest and Server Administrator policies, which must be attached in the same project as VPC Administrator.

Table 2 lists the common operations supported by system-defined permissions for VPC.

Table 2 Common operations supported by system-defined permissions

Operation

VPCReadOnlyAccess

VPC Administrator

VPC FullAccess

Creating a VPC

Not supported

Supported

Supported

Modifying a VPC

Not supported

Supported

Supported

Deleting a VPC

Not supported

Supported

Supported

Viewing VPC information

Supported

Supported

Supported

Creating a subnet

Not supported

Supported

Supported

Viewing subnet information

Supported

Supported

Supported

Modifying a subnet

Not supported

Supported

Supported

Deleting a subnet

Not supported

Supported

Supported

Creating a security group

Not supported

Not supported

Supported

Viewing security group information

Supported

Not supported

Supported

Modifying a security group

Not supported

Not supported

Supported

Deleting a security group

Not supported

Not supported

Supported

Adding a security group rule

Not supported

Not supported

Supported

Viewing a security group rule

Supported

Not supported

Supported

Modifying a security group rule

Not supported

Not supported

Supported

Deleting a security group rule

Not supported

Not supported

Supported

Creating a network ACL

Not supported

Supported

Supported

Viewing a network ACL

Supported

Supported

Supported

Modifying a network ACL

Not supported

Supported

Supported

Deleting a network ACL

Not supported

Supported

Supported

Adding a network ACL rule

Not supported

Supported

Supported

Modifying a network ACL rule

Not supported

Supported

Supported

Deleting a network ACL rule

Not supported

Supported

Supported

Creating a VPC peering connection

Not supported

Supported

Supported

Modifying a VPC peering connection

Not supported

Supported

Supported

Deleting a VPC peering connection

Not supported

Supported

Supported

Querying a VPC peering connection

Supported

Supported

Supported

Accepting a VPC peering connection request

Not supported

Supported

Supported

Rejecting a VPC peering connection request

Not supported

Supported

Supported

Creating a route table

Not supported

Supported

Supported

Deleting a route table

Not supported

Supported

Supported

Modifying a route table

Not supported

Supported

Supported

Associating a route table with a subnet

Not supported

Supported

Supported

Adding a route

Not supported

Supported

Supported

Modifying a route

Not supported

Supported

Supported

Deleting a route

Not supported

Supported

Supported