RAM users and permissions - User's Guide| Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users within the permissions of an Alibaba Cloud account. You can also grant different permissions to different RAM users to allow or reject their access to cloud resources.

Background information

Note

RAM users are secondary accounts that are created for a specific purpose. These accounts cannot retain or own resources. All resources belong only to Alibaba Cloud accounts.
If you use a RAM user to create an AnalyticDB for MySQL cluster, you can use only the RAM user and the corresponding Alibaba Cloud account to access the cluster. If you want other RAM users to access this cluster, you must grant them the required permissions.

Scenarios

If you use an Alibaba Cloud account to create an AnalyticDB for MySQL cluster, the AccessKey pair of your Alibaba Cloud account can only be shared by users in your organization. This may cause the following issues:

If your AccessKey pair is shared by multiple users, the risk of leaks is high.
You cannot control the operations that specific users can perform on the cluster. For example, a user may scale out or restart the cluster.

To avoid the preceding issues, you can create RAM users and grant only required permissions to each RAM user. Users can use the RAM users instead of your Alibaba Cloud account to access or manage your AnalyticDB for MySQL clusters.

Implementation

To allow RAM users to access or manage your AnalyticDB for MySQL cluster, you must perform the following operations:

Create a RAM user.
Grant permissions to a RAM user.

Create a RAM user

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User. On the Create User page, specify Logon Name and Display Name.

Note You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select Console Access or Programmatic Access.
- Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).
- Programmatic Access: If you select this access mode, an AccessKey pair is generated for the RAM user. RAM users can use other development tools to access AnalyticDB for MySQL clusters.
- To ensure account security, we recommend that you select only one access mode for RAM users. This prevents RAM users from using their AccessKey pairs to access AnalyticDB for MySQL clusters after the users leave your organization.
Click OK.

Grant permissions to a RAM user

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, select System Policy and enter the policy name to search for the policy. Click the policy to add it to the Selected section on the right.
You can add the following policies for the RAM user:
- AliyunADBReadOnlyAccess: After you grant the AliyunADBReadOnlyAccess permission to a RAM user, the RAM user can access your AnalyticDB for MySQL V3.0 cluster in read-only mode.
- AliyunADBFullAccess: After you grant the AliyunADBFullAccess permission to a RAM user, the RAM user can manage all permissions on your AnalyticDB for MySQL V3.0 cluster.
Click OK.

After you grant permissions to a RAM user, you can use the RAM user to view or manage an AnalyticDB for MySQL cluster.

Create a policy

If you need to authorize RAM users to perform operations on a specific AnalyticDB for MySQL cluster, you must create custom policies in the RAM console

Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy. In this example, a policy that is used to manage clusters is created.
On the Create Custom Policy page, specify Policy Name. Example: AliyunADBFullAccess-am-xxx.
In the Configuration Mode section, select Script.

The following examples show the content of the scripts.

In the following example, the AliyunADBFullAccess permission is granted to the RAM user to manage the am-xxx cluster:

{
    "Version": "1",
    "Statement": [
        {
            "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
            "Resource": "acs:adb:*:*:dbcluster/*",
            "Effect": "Allow"
        },
        {
            "Action": "adb:*",
            "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
            "Effect": "Allow"
        }
    ]
}

In the following example, the AliyunADBReadOnlyAccess permission is granted to the RAM user to access the am-xxx cluster in read-only mode:

{
    "Version": "1",
    "Statement": [
        {
            "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
            "Resource": "acs:adb:*:*:dbcluster/*",
            "Effect": "Allow"
        },
        {
            "Action": "adb:Describe*",
            "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
            "Effect": "Allow"
        }
    ]
}

If the RAM user needs to manage multiple clusters or access multiple clusters in read-only mode, add the corresponding clusters to the "Resource": ["acs:adb:*:*:dbcluster/am-xxx"] section of the script. Example: "Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"].

After the policy is created, grant the policy to the specific RAM user.

What to do next

You can revoke permissions from a RAM user when the RAM user no longer requires these permissions or when the user leaves your organization. For more information, see Remove permissions from a RAM user and Delete a RAM user.