You can use Alibaba Cloud Resource Access Management (RAM) to grant RAM users the permissions to manage ApsaraDB RDS instances.

Description

All RDS instances that are created within your Alibaba Cloud account are resources owned by that account. By default, you have the permissions to perform all operations on the resources that are owned by your Alibaba Cloud account.

RAM allows you to grant RAM users the permissions to access and manage the resources that are owned by your Alibaba Cloud account. For more information, see What is RAM?

You can grant RAM users only the permissions on the resources of the dbinstance type. This means that the resource authorization is at the instance level. The following sections describe how to specify the resources whose permissions you want to grant.

Request parameters

Resource type: dbinstance

Resource description in the permission policy (one of the following forms):
  acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid
  acs:rds:$regionid:$accountid:dbinstance/*
  acs:rds:*:*:dbinstance/*

The following table describes the parameters that are used in the resource description.

Parameter      Description
$regionid      The ID of the region to which the instance belongs. You can set this parameter to a wildcard (*).
$dbinstanceid  The name of the instance. You can set this parameter to a wildcard (*).
$accountid     The ID of your Alibaba Cloud account. You can set this parameter to a wildcard (*).

Examples

Note
  • In the following examples, the Action parameter specifies the permissions that you want to grant to a RAM user. These permissions are represented by API operations. For example, the CreateBackup operation indicates the permission that is used to create a backup, and the ModifyBackupPolicy operation indicates the permission that is used to modify the backup settings. You must understand the operations that are provided by the ApsaraDB RDS API so that you can grant appropriate permissions to RAM users based on your business requirements. For more information, see API overview.
  • For more information about the permission settings, see Policy structure and syntax.

Example: Grant a RAM user the permissions to view all RDS instances and the permissions to create and manage only the backups of a single RDS instance. In addition, configure these permissions to expire on August 17, 2020.
    {
        "Statement": [
            {
                "Action": [
                    "rds:CreateBackup",
                    "rds:ModifyBackupPolicy"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:rds:*:*:*/rm-bpxxxxxxx"
                ],
                "Condition": {
                    "DateLessThan": {
                        "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                    }
                }
            },
            {
                "Action": [
                    "rds:Describe*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:rds:*:*:*/*"
                ],
                "Condition": {
                    "DateLessThan": {
                        "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                    }
                }
            }
        ],
        "Version": "1"
    }
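The resource description format from the tables above and the policy just shown, worked through in an added Python example. This is not Alibaba Cloud's code and not RAM's real evaluation engine: it builds dbinstance resource strings from the $regionid, $accountid and $dbinstanceid parameters and runs a deliberately simplified evaluator over the page's policy to show which API calls it admits before and after the expiry date. The wildcard semantics (a `*` spanning any characters, including `:` and `/`), the Deny-overrides-Allow rule and the account and instance IDs other than the page's rm-bpxxxxxxx placeholder are assumptions constructed for the example.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# The page's example policy, reproduced as a Python dict. The instance ID is the
# page's placeholder; every other value below is constructed for this example.
EXAMPLE_INSTANCE_ID = "rm-bpxxxxxxx"
EXPIRY = "2020-08-17T23:59:59+08:00"
POLICY = {
    "Statement": [
        {
            "Action": ["rds:CreateBackup", "rds:ModifyBackupPolicy"],
            "Effect": "Allow",
            "Resource": ["acs:rds:*:*:*/" + EXAMPLE_INSTANCE_ID],
            "Condition": {"DateLessThan": {"acs:CurrentTime": EXPIRY}},
        },
        {
            "Action": ["rds:Describe*"],
            "Effect": "Allow",
            "Resource": ["acs:rds:*:*:*/*"],
            "Condition": {"DateLessThan": {"acs:CurrentTime": EXPIRY}},
        },
    ],
    "Version": "1",
}


def dbinstance_resource(region_id="*", account_id="*", dbinstance_id="*"):
    """Build a resource string in the documented
    acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid form."""
    return f"acs:rds:{region_id}:{account_id}:dbinstance/{dbinstance_id}"


def _matches(pattern, value):
    # Assumption: '*' in a RAM pattern matches any run of characters, including
    # ':' and '/'. fnmatchcase keeps the comparison case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, now):
    """Evaluate the one operator this toy models: DateLessThan on acs:CurrentTime."""
    for operator, pairs in (condition or {}).items():
        if operator != "DateLessThan":
            raise ValueError(f"operator not modelled by this example: {operator}")
        for key, limit in pairs.items():
            if key != "acs:CurrentTime":
                raise ValueError(f"condition key not modelled by this example: {key}")
            if not now < datetime.fromisoformat(limit):
                return False
    return True


def is_allowed(policy, action, resource, now):
    """Simplified RAM-style decision (assumption): a matching Deny wins, otherwise
    any matching Allow whose condition holds grants access, otherwise refuse."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in stmt["Action"]):
            continue
        if not any(_matches(p, resource) for p in stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition"), now):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed timestamps on either side of the policy's expiry (UTC+8).
CST = timezone(timedelta(hours=8))
BEFORE_EXPIRY = datetime(2020, 8, 1, 12, 0, tzinfo=CST)
AFTER_EXPIRY = datetime(2020, 8, 18, 0, 0, tzinfo=CST)


def demo():
    """Return the decisions a reviewer of this policy would want to confirm."""
    target = dbinstance_resource("cn-hangzhou", "123456789012", EXAMPLE_INSTANCE_ID)
    other = dbinstance_resource("cn-hangzhou", "123456789012", "rm-other000000")
    return {
        "describe_any_instance": is_allowed(POLICY, "rds:DescribeDBInstances", other, BEFORE_EXPIRY),
        "backup_target": is_allowed(POLICY, "rds:CreateBackup", target, BEFORE_EXPIRY),
        "backup_other": is_allowed(POLICY, "rds:CreateBackup", other, BEFORE_EXPIRY),
        "delete_target": is_allowed(POLICY, "rds:DeleteDBInstance", target, BEFORE_EXPIRY),
        "describe_after_expiry": is_allowed(POLICY, "rds:DescribeDBInstances", other, AFTER_EXPIRY),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'Allow' if decision else 'Deny'}")
```

The two things worth checking before attaching a policy like this are visible in the decisions: `rds:Describe*` is a prefix match, so it admits every Describe operation on every instance in every region and account the RAM user can reach, and `acs:rds:*:*:*/rm-bpxxxxxxx` scopes the backup actions to one instance while leaving region and account as wildcards. Once the DateLessThan boundary passes, both statements stop matching and nothing in the policy admits any call.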

Authentication rules for the ApsaraDB RDS API

When a RAM user requests access to an instance by calling an API operation, ApsaraDB RDS communicates with RAM to check whether the RAM user has the required permissions. Which permissions are checked depends on the requested resources and on the syntax of the called API operation.