Using IAM Roles or Policies to Grant Access to VPC Endpoint

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in Role/Policy-based Permissions Management. To grant permissions for other services, learn about all System Permissions supported by IAM.

Process Flow

Figure 1 Process for granting VPC Endpoint permissions

1. Create a user group and assign permissions.

   On the IAM console, create a user group and attach the VPCEndpoint Administrator policy to the group.

2. Create an IAM user and add the user to the user group.

   Create a user on the IAM console and add the user to the group created in 1.

3. Log in as the IAM user and verify the permissions.

   In the authorized region, perform the following operations:

   • Click Service List and select VPC Endpoint. Then click Buy VPC Endpoint in the upper right corner. If the VPC endpoint is purchased successfully, the VPCEndpoint Administrator policy is in effect.
   • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the VPCEndpoint Administrator policy is in effect.

Example Custom Policies

You can create custom policies to supplement the system-defined policies of VPC Endpoint. For actions supported by custom policies, see "Actions Supported by Role/Policy-based Authorization" in the VPC Endpoint API Reference.

To create a custom policy, choose either visual editor or JSON.

• Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.
• JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common VPC Endpoint custom policies.

• Example 1: Grant permissions to create a VPC endpoint service.

  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "vpcep:epservices:create"
              ]
          }
      ]
  }

• Example 2: Grant permissions to deny VPC endpoint deletion.

  A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

  Assume that you want to grant the permissions of the VPCEndpoint FullAccess policy to a user but want to prevent them from deleting VPC endpoints. You can create a custom policy for denying VPC endpoint deletion, and attach this policy together with the VPCEndpoint FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on VPC endpoints excepting deleting them. Example policy denying VPC endpoint deletion:

  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Deny",
              "Action": [
                  "vpcep:endpoints:delete"
              ]
          }
      ]
  }

• Example 3: Create a custom policy containing multiple actions.

  A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). The following is an example policy containing actions of multiple services:

  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Deny",
              "Action": [
                  "vpcep:endpoints:delete"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "vpcep:epservices:create",
                  "vpcep:epservices:delete"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "vpc:peerings:accept",
                  "vpc:vpcs:create"
              ]
          }
      ]
  }