Alibaba Cloud Resource Access Management (RAM): authorize a RAM user to manage RDS instances

Description

Your Alibaba Cloud account has full access to all resources under the account.

Alibaba Cloud's Resource Access Management (RAM) service allows you to grant access and management permissions on RDS resources under your Alibaba Cloud account to RAM users.

Currently, you can only grant RAM users permissions on AnalyticDB for MySQL clusters but not on finer-grained objects. The following table describes the resources that you can specify when you use RAM to grant access permissions.

Request parameters

Resource type    ARN format
dbinstance       acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid
                 acs:rds:$regionid:$accountid:dbinstance/
                 acs:rds:::dbinstance/

Parameters

Parameter        Description
$regionid        Region ID, which can be replaced with *
$dbinstanceid    Instance ID, which can be replaced with *
$accountid       Alibaba Cloud account ID, which can be replaced with *

Examples

Grant RDS management permissions to users.

The authorized user can view all instances but can create and manage backups only for one instance. The authorization expires on August 17, 2020.

{
    "Statement": [
        {
            "Action": [
                "rds:CreateBackup",
                "rds:ModifyBackupPolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:rds:*:*:*/rm-bpxxxxxxx"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        },
        {
            "Action": [
                "rds:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:rds:*:*:*/*"
            ],
            "Condition": {
                "DateLessThan": {
                    "acs:CurrentTime": "2020-08-17T23:59:59+08:00"
                }
            }
        }
    ],
    "Version": "1"
}

Note: For more permission settings, see Policy structure and syntax.

API Authentication rules

When a RAM user accesses ApsaraDB for RDS through APIs, the RDS backend queries RAM to check whether the user has been granted the required permissions. Each API determines which resources need a permission check based on the resources involved and the meaning of the API.
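The following added example (not part of the original page and not Alibaba Cloud's implementation) models how the example policy above would be checked for a given API call: action and resource wildcards are matched, then the `DateLessThan` condition is tested. The region, account ID and the instance ID `rm-other` are constructed sample values, and the evaluation rules are a simplified assumption (explicit Deny wins, no matching Allow means deny, unmodelled conditions fail closed).

```python
import re
from datetime import datetime

EXPIRY = "2020-08-17T23:59:59+08:00"
COND = {"DateLessThan": {"acs:CurrentTime": EXPIRY}}
# The example policy from this page, embedded so the block runs offline.
POLICY = {"Version": "1", "Statement": [
    {"Action": ["rds:CreateBackup", "rds:ModifyBackupPolicy"], "Effect": "Allow",
     "Resource": ["acs:rds:*:*:*/rm-bpxxxxxxx"], "Condition": COND},
    {"Action": ["rds:Describe*"], "Effect": "Allow",
     "Resource": ["acs:rds:*:*:*/*"], "Condition": COND},
]}

def _matches(patterns, value):
    """True if value matches any pattern; '*' matches any run of characters."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), value)
               for p in patterns)

def _conditions_hold(condition, now):
    """Model only DateLessThan on acs:CurrentTime; anything else fails closed."""
    for op, keys in condition.items():
        for key, limit in keys.items():
            if (op, key) != ("DateLessThan", "acs:CurrentTime"):
                return False
            if not now < datetime.fromisoformat(limit):
                return False
    return True

def is_allowed(policy, action, resource, now):
    """Simplified model: explicit Deny wins, no matching Allow means deny."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _conditions_hold(st.get("Condition", {}), now)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed sample values: region, account ID and "rm-other" are made up.
ARN = "acs:rds:cn-hangzhou:1234567890123456:dbinstance/"
BEFORE = datetime.fromisoformat("2020-08-17T15:59:58+00:00")
# Still August 17 in UTC, but already past the +08:00 expiry in the policy.
AFTER = datetime.fromisoformat("2020-08-17T16:00:00+00:00")

if __name__ == "__main__":
    print(is_allowed(POLICY, "rds:CreateBackup", ARN + "rm-other", BEFORE))
```

Pass timezone-aware timestamps: the expiry in the policy carries a `+08:00` offset, so a request made later on August 17 in UTC is already outside the window.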