Use the Identity and Access Management (IAM) service to implement fine-grained permissions control over your VPN resources. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing VPN resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Grant the permission to perform professional and efficient O&M on your VPN resources to other accounts or cloud services.
If your account meets your permissions requirements, you can skip this section.
This section describes the procedure for granting permissions (see Figure 1).
Prerequisites
You have learned about the permissions supported by VPN, and determined the permissions to be granted to a user group. Before granting permissions of other services, learn about all permissions supported by IAM.
Process Flow
- Create a user group and assign permissions to it.
Create a user group on the IAM console and attach the VPN Administrator policy to the group.
- Create a user and add it to the user group.
Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
Log in to the management console as the created user. Switch to the authorized region and verify the permissions.
- Click Service List and choose Networking > Virtual Private Network. On the Enterprise – VPN Gateways page, click Create VPN Gateway in the upper right corner. If the VPN gateway is successfully created, the VPN Administrator policy has already taken effect.
- Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access the service, the VPN Administrator policy has already taken effect.
Classic VPN: For details about how to create a user and grant VPC permissions to the user, see Creating a User and Granting VPC Permissions.