Description

ApsaraDB for ClickHouse clusters created by using an Alibaba Cloud account are resources that belong to that account. By default, an Alibaba Cloud account has full permissions on resources that belong to the account.

The Alibaba Cloud Resource Access Management (RAM) service allows you to grant access and management permissions on your ApsaraDB for ClickHouse clusters to RAM users. The essence of authorizing a RAM user is to grant the RAM user the permissions to call API operations. For example, if you grant the RAM user the permission to call the CreateDBCluster operation, the RAM user can create an ApsaraDB for ClickHouse cluster in the ApsaraDB for ClickHouse console.

You can grant RAM users the permissions only on ApsaraDB for ClickHouse clusters but not on finer-grained objects. The following procedure shows how to grant a RAM user the permission to view ApsaraDB for ClickHouse cluster configurations.

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy. Then, set Policy Name and Note.
  4. Set Configuration Mode to Script. The Visualized option is unavailable for ApsaraDB for ClickHouse. Enter the following code snippet in the code editor that appears:
    {
      "Statement": [{
                "Effect": "Allow"
                "Action": "clickhouse:Describe*",
                "Resource": "acs:clickhouse:*:*:dbcluster/Cluster ID"
      }],
      "Version": "1"
    }
    The following table describes the request parameters in the script.
    Resource type ARN in the authorization policy
    dbcluster acs:clickhouse:$regionid:$accountid:dbcluster/Cluster ID
    Parameter Description
    $regionid The region ID. You can set this parameter to a wildcard (*).
    $accountid The ID of your Alibaba Cloud account. You can set this parameter to a wildcard (*).
  5. Click OK.
  6. In the left-side navigation pane, choose Identities > Users.
    Note For information about how to create a RAM user, see Create a RAM user.
  7. Find a RAM user, and click Add Permissions in the Actions column.
  8. In the Select Policy section, click Custom Policy, find the policy that you created, and then click OK. Add Permissions panel

After the preceding steps are complete, you can log on to the ApsaraDB for ClickHouse console and view ApsaraDB for ClickHouse cluster configurations by using the credentials of the RAM user. You can also grant other permissions to a RAM user within your Alibaba Cloud account based on your business requirements.