To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant management permissions on ApsaraDB for Redis instances to RAM users. The authorized RAM users can then access ApsaraDB for Redis instances.

Background information

RAM is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other identities. You can manage the permissions of RAM users to control their access to Alibaba Cloud resources.

If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks. For more information, see What is RAM?.

Scenarios

  • Authorize a RAM user to manage ApsaraDB for Redis instances in the specified Resource Group.
  • Authorize a RAM user to manage all ApsaraDB for Redis instances within your Alibaba Cloud account.

You can create a custom policy to provide finer-grained access control if the default system policies provided by RAM cannot meet your requirements. For more information, see Authorize RAM users to manage ApsaraDB for Redis instances by using custom policies.

Procedure

  1. Log on to the RAM console.
  2. Create a RAM user.
  3. In the left-side navigation pane, click Users under Identities.
  4. On the Users page, find the specific RAM user, and click Add Permissions in the Actions column.
    Figure 1. Add Permissions
    Click Add Permissions in the Actions column.
  5. In the Add Permissions dialog box, configure the parameters.
    Figure 2. Add a system policy
    Add a system policy
    1. Select a type of authorization.
      Note If you select Specified Resource Group, you must select the specified resource group from the drop-down list. For more information about resource groups, see Resource Group.
    2. Set Select Policy to System Policy.
    3. Enter kvstore in the search box and the system automatically displays the system permission policies related to ApsaraDB for Redis.
    4. Click a policy name to add the policy to the Selected section.
      • AliyunKvstoreFullAccess

        This policy has full control permissions on ApsaraDB for Redis instances. The RAM users that are granted with this policy can perform purchase, configuration, and management operations on ApsaraDB for Redis instances.

      • AliyunKvstoreReadOnlyAccess

        This policy has read permissions on ApsaraDB for Redis instances. RAM users that are granted with this policy can view information about an ApsaraDB for Redis instance, for example, basic information and performance monitoring metrics. However, they cannot modify the instance configuration, for example, purchasing an instance or configuring a whitelist.

  6. Click OK.
  7. Click Complete.

What to do next

Log on to the console as a RAM user