Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users under an Alibaba Cloud account, within the scope of that account's permissions. You can also grant different permissions to different RAM users to allow or deny their access to cloud resources.

Background information

Note
  • RAM users are secondary accounts that are created for a specific function. These accounts cannot retain or own resources. All resources belong only to Alibaba Cloud accounts.
  • If you use a RAM user to create an AnalyticDB for MySQL cluster, you can only use the RAM user and the corresponding Alibaba Cloud account to access the cluster. If you want other RAM users to access this cluster, you must grant them the required permissions.

Scenarios

If you use an Alibaba Cloud account to create an AnalyticDB for MySQL cluster, the only way to give users in your organization access is to share the AccessKey pair of your Alibaba Cloud account with them. However, this may cause the following problems:

  • If your AccessKey pair is shared by multiple users, the risk of leaks is high.
  • You cannot control the operations that specific users can perform on the cluster. For example, they may scale out or restart the cluster.

To avoid the preceding problems, you can create RAM users and grant only specific permissions to each RAM user. Then, users in your organization can access or manage your AnalyticDB for MySQL cluster as RAM users.

Solution

To allow RAM users to access or manage your AnalyticDB for MySQL cluster, you must complete the following steps:

  1. Create a RAM user
  2. Grant permissions to the RAM user

Step 1. Create a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User. On the Create User page, set Logon Name and Display Name.
    Note: You can click Add User to create multiple RAM users at a time.
  4. In the Access Mode section, select Console Password Logon or Programmatic Access.
    • Console Password Logon: If you select this access mode, you must also complete the basic logon security settings, including whether to automatically generate or customize a logon password, whether to reset the password upon next logon, and whether to enable multi-factor authentication.
    • Programmatic Access: If you select this access mode, an AccessKey pair for the RAM user is automatically generated. RAM users can then use development tools to access AnalyticDB for MySQL clusters.
    • To ensure account security, we recommend that you select only one access mode for RAM users. This can prevent RAM users from using their AccessKey pairs to access AnalyticDB for MySQL clusters after they leave your organization.
  5. Click OK.

Step 2. Grant permissions to the RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the target RAM user and click Add Permissions in the Actions column.
  4. In the Add Permissions pane that appears, select System Policy and enter the policy name to search for the permission policy. Click the permission policy to add it to the Selected section on the right.

    You can add the following types of permission policies for AnalyticDB for MySQL:

    • AliyunAnalyticDBReadOnlyAccess: After you grant the AliyunAnalyticDBReadOnlyAccess permission policy to a RAM user, the RAM user can access your AnalyticDB for MySQL V3.0 cluster in read-only mode.
    • AliyunAnalyticDBFullAccess: After you grant the AliyunAnalyticDBFullAccess permission policy to a RAM user, the RAM user has all management permissions on your AnalyticDB for MySQL V3.0 cluster.
  5. Click OK.

    After you grant permissions to a RAM user, you can use the RAM user to view or manage an AnalyticDB for MySQL cluster.
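
The following added example (not part of the original documentation or of any Alibaba Cloud tooling) shows how the guidance above can be checked across many RAM users: one access mode per user, and AliyunAnalyticDBFullAccess only for approved administrators. The record layout, the user names, and the approved_admins parameter are assumptions made for illustration; the sample data is constructed.

```python
# Added example: audit a RAM user inventory against this page's guidance.
# The record layout is an assumption for illustration (not a RAM API
# response format); you would fill it from your own inventory export.
READ_ONLY = "AliyunAnalyticDBReadOnlyAccess"
FULL = "AliyunAnalyticDBFullAccess"

SAMPLE_USERS = [  # constructed sample data
    {"name": "analyst-1", "console_logon": True, "access_keys": 0, "policies": [READ_ONLY]},
    {"name": "etl-job", "console_logon": False, "access_keys": 1, "policies": [READ_ONLY]},
    {"name": "dev-2", "console_logon": True, "access_keys": 1, "policies": [FULL]},
    {"name": "dba-1", "console_logon": True, "access_keys": 0, "policies": [FULL]},
    {"name": "intern-3", "console_logon": True, "access_keys": 0, "policies": []},
]


def audit_user(user, approved_admins):
    """Return a list of finding strings for one user record."""
    findings = []
    policies = set(user["policies"])
    # The page recommends selecting only one access mode per RAM user.
    if user["console_logon"] and user["access_keys"] > 0:
        findings.append("both access modes enabled")
    # Full access permits management operations such as scale-out or restart,
    # so it should be limited to users who are explicitly approved.
    if FULL in policies and user["name"] not in approved_admins:
        findings.append("full access without approval")
    # Neither of the two system policies named on this page is attached.
    if not policies & {FULL, READ_ONLY}:
        findings.append("no AnalyticDB system policy attached")
    return findings


def audit(users, approved_admins=()):
    """Map user name -> findings, omitting users with no findings."""
    approved = set(approved_admins)
    report = {}
    for user in users:
        findings = audit_user(user, approved)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS, approved_admins=["dba-1"]).items():
        print(f"{name}: {', '.join(findings)}")
```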

More actions

You can revoke permissions from a RAM user when the RAM user no longer requires these permissions or when the user leaves your organization. For more information, see Remove permissions from a RAM user and Delete a RAM user.