Authorize a RAM user to manage ApsaraDB for RDS instances

Procedure

1. Log on to the RAM console.
2. In the left-side navigation pane, choose Permissions > Policies.
3. On the Policies page, click Create Policy.
4. On the Create Custom Policy page, specify the Policy Name and the Note.
5. Select a Configuration Mode.
   • Visualized

     If you select the Visualized configuration mode, click Add Statement and configure the following parameters.

     

     Parameter	Description
     Permission Effect	Specify whether to grant the permissions on an Alibaba Cloud service to the RAM user. Valid values: Allow and Deny. In this example, select Allow.
     Select Product/Service	Select the Alibaba Cloud service on which you want to grant permissions to the RAM user. In this example, select RDS.
     Actions	Select the API operations on which you want to grant permissions to the RAM user. Valid values: All Actions and Specified Actions. If you select Specified Actions, you must also select the required API operations from the drop-down list that appears. In this example, select all of the API operations whose names start with Describe.
     Resources	Select the resources on which you want to grant permissions to the RAM user. Valid values: All Resources and Specified Resources. If you select Specified Resources, you must also enter the names of the required resources in the following format:acs:<service-name>:<region>:<account-id>:<relative-id>. In this example, enter acs:rds:*:*:*/*. This specifies to grant the RAM user the permissions on all of the RDS instances that are created under your Alibaba Cloud account.
     Conditions	Specify the limits on the permissions that you want to grant to the RAM user. For example, you can limit the source IP addresses from which the RAM user can log on.

     Note If you select Specified Actions, we recommend that you select the DescribeDBInstances API operation. If you do not select this API operation, you cannot view the RDS instances in a specified region.
   • Script

     If you select the Script configuration mode, enter the following code snippet in the edit box that appears:

     {    "Version": "1",
          "Statement": [  
           {      "Effect": "Allow",
                 "Action": [
                     "rds:Describe*"     ],
                 "Resource": [
                     "acs:rds:*:*:*/*"    
                     ],
                 "Condition": {}    
             }    
         ]
     }

     Note The Script configuration mode is more efficient than the Visualized configuration mode. For example, in Script configuration mode, you can enter Describe* in the edit box to specify all of the API operations whose names start with Describe. However, in Visualized configuration mode, you can select only one API operation whose name starts with Describe at a time.
6. Click OK.
7. In the left-side navigation pane, choose Identities > Users.
8. Find the RAM user, and click Add Permissions in the Actions column.
9. In the Select Policy section, click Custom Policy, find the permission policy that you created, and then click OK.
   

After the preceding steps are complete, you can log on to the ApsaraDB for RDS console and view RDS instances by using the credentials of the RAM user. You can also grant other permissions to a RAM user under your Alibaba Cloud account based on your business requirements.

• For more information about the API of ApsaraDB for RDS, see API overview.
• For more information about the elements of a permission policy, see Policy elements.