
PolarDB:Authorize RAM users to manage PolarDB by using custom policies

Last Updated:Dec 26, 2023

This topic describes how to authorize Resource Access Management (RAM) users to manage PolarDB by using custom policies. If the system policies that are provided by RAM cannot meet your business requirements, you can create custom policies to manage PolarDB permissions. For example, you can create custom policies to grant permissions on specific resources and operations.

Prerequisites

Make sure that an Alibaba Cloud account is created before you use RAM to manage permissions. If not, go to the Sign up to Alibaba Cloud page.

Background information

  • A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.
  • Before you use custom policies for fine-grained PolarDB for MySQL permission management, familiarize yourself with how to specify PolarDB for MySQL resources for RAM users in policies. For more information, see Use RAM for resource authorization.
Note To customize permissions or grant the specific permissions on tables, you can use the permission management feature of Database Management Service (DMS). For more information, see Manage user permissions on MySQL databases.

Procedure

  1. Create a custom policy. For more information, see Create custom policies.
    Sample custom policies:
    • Example 1: Authorize a RAM user to manage the two specified PolarDB for MySQL clusters.

      Assume that you have multiple PolarDB for MySQL clusters within your Alibaba Cloud account. You want to authorize a RAM user to use only two clusters whose IDs are i-001 and i-002. In this case, you can create the following policy:

      {
        "Statement": [
          {
            "Action": "polardb:*",
            "Effect": "Allow",
            "Resource": [
              "acs:polardb:*:*:*/i-001",
              "acs:polardb:*:*:*/i-002"
            ]
          },
          {
            "Action": "polardb:Describe*",
            "Effect": "Allow",
            "Resource": "*"
          }
        ],
        "Version": "1"
      }
      Note
      • The authorized RAM user can view all the clusters and resources, but can manage only the two clusters whose IDs are i-001 and i-002. The two clusters can also be managed by calling API operations or by using command-line interfaces (CLIs) or software development kits (SDKs).
      • The policy must include the Describe* action. Otherwise, the authorized RAM user cannot view clusters in the PolarDB console.
    • Example 2: Authorize a RAM user to use only specific features of PolarDB for MySQL.

      If you want to authorize a RAM user to use only some features of PolarDB for MySQL, you can create the following policy:

      {
          "Statement": [
              {
                  "Action": [
                    "polardb:Describe*",
                    "polardb:CreateBackup",
                    "polardb:DeleteBackup",
                    "polardb:ModifyDBClusterAccessWhitelist"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }
      Note
      • The authorized RAM user can only query cluster information and backups, create and delete backups, and modify whitelists for all the PolarDB for MySQL clusters within your account.
      • PolarDB for MySQL allows you to specify whether RAM users can perform specific operations on PolarDB resources. You can specify API operations in policies for fine-grained PolarDB for MySQL permission management. For more information, see Services that work with RAM and API overview.
  2. Attach the custom policy to a RAM user. For more information, see Grant permissions to a RAM user.
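The following script is an added example, not part of this topic or of any Alibaba Cloud tool. It loads the two sample policies above and evaluates a few sample requests against them with a simplified version of the RAM decision logic (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is denied), so that you can check before attaching a policy that it grants exactly what you intend. The region ID, account ID, the dbcluster resource type segment and the action names used in the requests are assumed sample values; the policies themselves are the ones shown in Example 1 and Example 2.

```python
import fnmatch
import json

# Example 1 from the topic: full control of clusters i-001 and i-002, read-only elsewhere.
POLICY_TWO_CLUSTERS = json.loads("""
{
  "Statement": [
    {"Action": "polardb:*", "Effect": "Allow",
     "Resource": ["acs:polardb:*:*:*/i-001", "acs:polardb:*:*:*/i-002"]},
    {"Action": "polardb:Describe*", "Effect": "Allow", "Resource": "*"}
  ],
  "Version": "1"
}
""")

# Example 2 from the topic: query, backup and whitelist operations only, on all clusters.
POLICY_FEATURES_ONLY = json.loads("""
{
  "Statement": [
    {"Action": ["polardb:Describe*", "polardb:CreateBackup",
                "polardb:DeleteBackup", "polardb:ModifyDBClusterAccessWhitelist"],
     "Resource": "*", "Effect": "Allow"}
  ],
  "Version": "1"
}
""")

# Example 1 with the Describe* statement removed, to show why the topic says it is required.
POLICY_TWO_CLUSTERS_NO_DESCRIBE = {
    "Statement": [POLICY_TWO_CLUSTERS["Statement"][0]],
    "Version": "1",
}


def cluster_arn(cluster_id, region="cn-hangzhou", account="123456789012"):
    """Build a sample resource string. Region, account ID and the 'dbcluster' segment are assumed values."""
    return f"acs:polardb:{region}:{account}:dbcluster/{cluster_id}"


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' in a policy matches any run of characters; fnmatchcase gives that behaviour
    # without case folding, and the policy strings contain no other glob characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request (simplified RAM evaluation, see lead-in)."""
    decision = "Deny"  # implicit deny when no statement matches
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any allow
            decision = "Allow"
    return decision


def audit(policy, requests):
    """Evaluate a list of (action, resource) pairs and return {(action, resource): decision}."""
    return {(a, r): evaluate(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    # Constructed sample requests, including the console-style list call on all clusters.
    sample = [
        ("polardb:DeleteDBCluster", cluster_arn("i-001")),
        ("polardb:DeleteDBCluster", cluster_arn("i-003")),
        ("polardb:DescribeDBClusters", cluster_arn("*")),
        ("polardb:CreateBackup", cluster_arn("i-003")),
    ]
    for name, policy in [("two clusters", POLICY_TWO_CLUSTERS),
                         ("two clusters, no Describe*", POLICY_TWO_CLUSTERS_NO_DESCRIBE),
                         ("features only", POLICY_FEATURES_ONLY)]:
        print(f"--- {name}")
        for (action, resource), decision in audit(policy, sample).items():
            print(f"{decision:5} {action} on {resource}")
```

Run the script as-is to print a decision table for the three policies. Note that the listing request matches none of the cluster-specific resource patterns, which is exactly why the topic requires the Describe* statement with "Resource": "*"; without it the console cannot enumerate clusters even though the user may manage i-001 and i-002 directly.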