To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on ApsaraDB for Redis instances to RAM users. The authorized RAM users can then access ApsaraDB for Redis instances.

Background information

RAM is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other identities. You can manage the permissions of RAM users to control their access to Alibaba Cloud resources.

If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks. For more information, see What is RAM?

Scenarios

  • Authorize a RAM user to manage ApsaraDB for Redis instances in the specified Resource Group.
  • Authorize a RAM user to manage all ApsaraDB for Redis instances within your Alibaba Cloud account.

You can create a custom policy to provide finer-grained access control if the default system policies provided by RAM cannot meet your requirements. For more information, see Authorize RAM users to manage ApsaraDB for Redis instances by using custom policies.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. Create a RAM user.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
  5. In the Add Permissions panel, grant permissions to the RAM user.
    Add a system permission policy
    1. Select the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note: If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions.
    3. Click System Policy.
    4. Enter kvstore in the search box. The system automatically displays the system permission policies related to ApsaraDB for Redis.
    5. Click the policy name to add the policy to the Selected section.
      • AliyunKvstoreFullAccess

        This policy has full control permissions on ApsaraDB for Redis instances. The RAM users that are granted this policy can perform purchase, configuration, and management operations on ApsaraDB for Redis instances.

      • AliyunKvstoreReadOnlyAccess

        This policy has read permissions on ApsaraDB for Redis instances. RAM users that are granted this policy can view information about an ApsaraDB for Redis instance, such as basic information and performance monitoring metrics. However, they cannot modify the instance configuration. For example, they cannot purchase an instance or configure a whitelist.

  6. Click OK.
  7. Click Complete.
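After granting the policies above, a practitioner usually wants a periodic check of who actually holds AliyunKvstoreFullAccess versus AliyunKvstoreReadOnlyAccess, since full access includes purchase and configuration rights. The following Python script is an added example and is not part of the Alibaba Cloud documentation or SDK. It runs on a constructed sample whose records are shaped like the Policies.Policy entries (PolicyName, PolicyType) that the RAM ListPoliciesForUser API returns per user; the user names and the non-Redis policy names in the sample are made up for illustration, and a real audit would fetch each user's list through the SDK instead.

```python
"""Audit which RAM users hold the ApsaraDB for Redis system policies.

Added example, not from the Alibaba Cloud documentation. Input is a
constructed sample shaped like the `Policies.Policy` list that the RAM
API `ListPoliciesForUser` returns for one user; a real audit would call
that API per RAM user and feed the results into `audit()`.
"""

# The two system policies described on this page and the access they grant.
REDIS_SYSTEM_POLICIES = {
    "AliyunKvstoreFullAccess": "full",
    "AliyunKvstoreReadOnlyAccess": "read-only",
}

# Constructed sample: RAM user name -> policies attached to that user.
# User names are hypothetical; the non-kvstore policy names only serve
# to show that unrelated policies are ignored by the check.
SAMPLE_ATTACHMENTS = {
    "redis-admin": [
        {"PolicyName": "AliyunKvstoreFullAccess", "PolicyType": "System"},
    ],
    "dashboard-bot": [
        {"PolicyName": "AliyunKvstoreReadOnlyAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunECSReadOnlyAccess", "PolicyType": "System"},
    ],
    "intern": [
        {"PolicyName": "AliyunKvstoreReadOnlyAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunKvstoreFullAccess", "PolicyType": "System"},
    ],
    "billing": [
        {"PolicyName": "AliyunBSSReadOnlyAccess", "PolicyType": "System"},
    ],
}


def redis_access_level(policies):
    """Return 'full', 'read-only' or 'none' for one user's attached policies.

    Only system policies are considered here; custom policies would need
    their policy documents evaluated. Full access wins when both are present.
    """
    levels = {
        REDIS_SYSTEM_POLICIES.get(p.get("PolicyName"), "none")
        for p in policies
        if p.get("PolicyType") == "System"
    }
    if "full" in levels:
        return "full"
    if "read-only" in levels:
        return "read-only"
    return "none"


def audit(attachments):
    """Classify every user and collect least-privilege findings.

    Returns (levels, findings): `levels` maps user -> access level, and
    `findings` is a list of human-readable review items.
    """
    levels = {}
    findings = []
    for user, policies in attachments.items():
        levels[user] = redis_access_level(policies)
        names = {p.get("PolicyName") for p in policies}
        if "AliyunKvstoreFullAccess" in names:
            findings.append(
                f"{user}: holds AliyunKvstoreFullAccess (purchase, configure and "
                f"manage instances); confirm this level is required"
            )
        if names >= set(REDIS_SYSTEM_POLICIES):
            findings.append(
                f"{user}: AliyunKvstoreReadOnlyAccess is redundant next to "
                f"AliyunKvstoreFullAccess; detach the read-only policy"
            )
    return levels, findings


if __name__ == "__main__":
    levels, findings = audit(SAMPLE_ATTACHMENTS)
    for user, level in sorted(levels.items()):
        print(f"{user:<15} {level}")
    print()
    for line in findings:
        print("FINDING:", line)
```

The check deliberately reports every holder of AliyunKvstoreFullAccess rather than only suspicious ones: the page's own guidance is to grant the minimum permissions, so each full-access grant is a decision to confirm, and the read-only policy is the default to prefer for users who only view instance details and monitoring metrics.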

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user