This topic describes how to create custom policies. Custom policies provide more fine-grained permission control than system policies. You can create custom policies to control the permissions on specific instances or operations.

Background information

Resource Access Management (RAM) is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other identities. You can manage the permissions of RAM users to control their access to Alibaba Cloud resources.

Scenarios

  • Authorize a RAM user to manage specified or all ApsaraDB for Redis instances
  • Authorize a RAM user to manage specified ApsaraDB for Redis instances and perform specific operations only. For example, a RAM user is authorized only to configure whitelists.
Note In addition to the preceding scenarios, RAM supports conditions that must be met for an authorization to take effect, for example, allowing access to Alibaba Cloud only from a specified CIDR block.

If fine-grained permission management is not required, you can grant system policies to RAM users. For more information, see Authorize RAM users to manage ApsaraDB for Redis instances by using system policies.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Set parameters for a custom policy.
    Figure 1. Create a custom policy
    Policy Name: Enter a name related to your business so that the policy is easy to identify. In this example, enter redis-custom-policy.
    Note (optional): Enter a description of the policy.
    Configuration Mode: We recommend that you use Script, which allows more flexible configuration. Script is used in this example to introduce the configuration method.
    Note If you select Visualized, you must follow the instructions that appear to specify permissions, actions, and resources.
    Policy Document: Enter the policy content directly. For a custom policy you do not need to import existing system policies, but you must specify the permissions in detail. The following sample custom policies are provided for your reference.

    The following code provides common custom permission policies. Before you use them, replace the placeholder "the ID of your ApsaraDB for Redis instance" in each Resource element with the instance ID of your ApsaraDB for Redis instance. Each policy also contains a second statement that grants read-only kvstore:Describe* permissions on all instances, so that the RAM user can list instances in the console.

    Note
    • The policy content must be expressed in a specific syntax structure to describe the authorized resource sets, operation sets, and authorization conditions. For more information, see Policy elements and Policy structure and syntax.
    • You can grant permissions on specific resources and actions. For more information about the actions that you can grant RAM users to perform, see Actions that can be authorized in RAM.
    Example 1: Grant all permissions on an ApsaraDB for Redis instance
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:*",
                "Resource": "acs:kvstore:*:*:instance/the ID of your ApsaraDB for Redis instance",
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Example 2: Grant all permissions on multiple ApsaraDB for Redis instances
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:*",
                "Resource": [
                    "acs:kvstore:*:*:instance/the ID of your ApsaraDB for Redis instance",
                    "acs:kvstore:*:*:instance/the ID of your ApsaraDB for Redis instance"
                ],
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Example 3: Grant permissions to modify whitelists of an ApsaraDB for Redis instance
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:ModifySecurityIps",
                "Resource": "acs:kvstore:*:*:instance/the ID of your ApsaraDB for Redis instance",
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Example 4: Grant permissions to modify whitelists of multiple ApsaraDB for Redis instances
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "kvstore:ModifySecurityIps",
                "Resource": [
                    "acs:kvstore:*:*:instance/the ID of your ApsaraDB for Redis instance",
                    "acs:kvstore:*:*:instance/the ID of your ApsaraDB for Redis instance"
                ],
                "Condition": {}
            },
            {
                "Action": "kvstore:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
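The four sample policies differ only in which actions and which instance ARNs they list, and the main way they go wrong in practice is a copy-and-paste mistake: a placeholder left in a Resource element, the same instance ARN pasted twice, or a write action such as kvstore:* left on Resource "*". The following Python script is an added example, not part of this topic or of Alibaba Cloud's tooling: it generates a policy document in the same shape as the examples above from a list of instance IDs and actions, and lints a policy document before you paste it into the Policy Document field. The instance IDs, the function names and the lint rules are assumptions made for the example.

```python
import json

# The placeholder text used in the sample policies on this page; it must never
# reach a real policy document.
PLACEHOLDER = "the ID of your ApsaraDB for Redis instance"


def instance_arn(instance_id: str) -> str:
    """Build the resource ARN used on this page; region and account are wildcards."""
    return f"acs:kvstore:*:*:instance/{instance_id}"


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_redis_policy(instance_ids, actions=("kvstore:*",)) -> dict:
    """Generate a policy in the shape of Examples 1-4: the requested actions on the
    listed instances, plus read-only kvstore:Describe* on all instances."""
    if not instance_ids:
        raise ValueError("at least one instance ID is required")
    resources = [instance_arn(i) for i in instance_ids]
    actions = list(actions)
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                # Keep the single-value string form the page uses when there is one entry
                "Action": actions if len(actions) > 1 else actions[0],
                "Resource": resources if len(resources) > 1 else resources[0],
                "Condition": {},
            },
            {"Action": "kvstore:Describe*", "Resource": "*", "Effect": "Allow"},
        ],
    }


def lint_policy(policy: dict) -> list:
    """Return the findings a reviewer would raise before granting this policy.
    An empty list means the document passed every check (assumed lint rules)."""
    findings = []
    if policy.get("Version") != "1":
        findings.append("Version must be \"1\"")
    for n, stmt in enumerate(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {n}: Effect must be Allow or Deny")
        if not actions or not resources:
            findings.append(f"statement {n}: Action and Resource are required")
        for r in resources:
            if PLACEHOLDER in r:
                findings.append(f"statement {n}: placeholder not replaced in {r!r}")
        if len(set(resources)) != len(resources):
            findings.append(f"statement {n}: duplicate Resource entries")
        for a in actions:
            if not a.startswith("kvstore:"):
                findings.append(f"statement {n}: action {a!r} is outside the kvstore namespace")
            # Write access must be scoped to named instances; only Describe* may use "*"
            if effect == "Allow" and "*" in resources and not a.startswith("kvstore:Describe"):
                findings.append(f"statement {n}: action {a!r} allowed on Resource '*'")
    return findings


def policy_document(policy: dict) -> str:
    """Serialise the policy as the text to paste into the Policy Document field."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    # Constructed instance IDs for the example; use your own instance IDs.
    policy = build_redis_policy(["r-bp1example0001", "r-bp1example0002"],
                                actions=("kvstore:ModifySecurityIps",))
    print(policy_document(policy))
    print("findings:", lint_policy(policy))
```

Running the script prints a policy equivalent to Example 4 with real instance IDs and an empty findings list; feeding it one of the page's samples unchanged reports the unreplaced placeholder, and a policy that allows kvstore:* on Resource "*" is flagged as unscoped write access.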

  5. Click OK.

Step 2: Grant custom permission policies to RAM users

  1. Log on to the RAM console.
  2. Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the specific RAM user, and click Add Permissions in the Actions column.
    Figure 2. Add Permissions
  5. In the Create User dialog box, set the parameters.
    Figure 3. Add custom policies
    1. Select a type of authorization.
      Note If you select Specified Resource Group, you must select the specified resource group from the drop-down list. For more information about resource groups, see Resource Group.
    2. Select Custom Policy.
    3. Enter the name of the permission policy created in Step 1. In this example, enter redis-custom-policy.
    4. Click the name of a custom policy to add the policy to the Selected section.
  6. Click OK.
  7. Click Complete.

What to do next

Log on to the console as a RAM user