VPN Custom Policies¶
Custom policies can be created to supplement the system-defined policies of VPN.
You can create custom policies in either of the following ways:
Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Policy. The following section contains examples of common VPN custom policies.
Example VPN custom policy¶
Example 1: Grant permission to delete VPN gateways.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "vpn:vpnGateways:delete" ] } ] }
Example 2: Deny VPN connection deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the VPN FullAccess policy to a user but also forbid the user from deleting VPN connections. Create a custom policy for denying VPN connection deletion, and assign both policies to the group the user belongs to. Then the user can perform all operations on VPN except deleting VPN connections. The following is an example of a deny policy:
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "vpn:vpnGateways:delete" ] } ] }
Example 3: defining multiple actions in a policy
A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). The following is an example policy containing multiple actions.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "vpn:vpnGateways:create", "vpn:vpnConnections:create", "vpn:customerGateways:create" ] }, { "Effect": "Deny", "Action": [ "vpn:vpnGateways:delete", "vpn:vpnConnections:delete", "vpn:customerGateways:create" ] }, { "Effect": "Allow", "Action": [ "vpc:vpcs:list", "vpc:subnets:get" ] } ] }