To implement fine-grained access control and improve account security, you can use Resource Access Management (RAM) to grant the management permissions on ApsaraDB for MongoDB to RAM users. In this way, RAM users can manage ApsaraDB for MongoDB instances.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Grant permissions to a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Click OK.
- Click Complete.
System policies
You can use system policies to grant RAM users permissions on all ApsaraDB for MongoDB resources. ApsaraDB MongoDB provides the following system policies:
- AliyunMongoDBFullAccess: grants a RAM user full management permissions on ApsaraDB for MongoDB.
- AliyunMongoDBReadOnlyAccess: grants a RAM user the read-only permissions on ApsaraDB for MongoDB.
Custom policies
You can also use custom policies to grant RAM users specific operation permissions on specific instances. For information about the syntax of custom policies, see Policy structure and syntax.
Use RAM to grant permissions on ApsaraDB for MongoDB resources
You can use RAM to grant permissions only on ApsaraDB for MongoDB instances. When you use RAM to grant permissions, you can describe resources in the
Resource field of the policy. | Resource type | Resource description in the policy |
|---|---|
| dbinstance | acs:dds:$regionid:$accountid:dbinstance/$dbinstanceid |
The following table describes the parameters used in the preceding resource description.
| Parameter | Description |
|---|---|
$regionid | The region ID. This value can be set to a wildcard asterisk (*). |
$dbinstanceid | The instance ID. This value can be set to a wildcard asterisk (*). |
$accountid | The ID of your Alibaba Cloud account. This value can be set to a wildcard asterisk (*). |
Operations that you can authorize RAM users to call
In the RAM console, you can authorize RAM users to call the following operations on an ApsaraDB for MongoDB resource.
| Operation | Description |
|---|---|
| CreateDBInstance | Creates an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceSpec | Modifies the configurations of an ApsaraDB for MongoDB instance. |
| DeleteDBInstance | Deletes an ApsaraDB for MongoDB instance. |
| DescribeDBInstances | Queries an ApsaraDB for MongoDB instance. |
| RestartDBInstance | Restarts an ApsaraDB for MongoDB instance. |
| DescribeSecurityIps | Queries the whitelists of an ApsaraDB for MongoDB instance. |
| ModifySecurityIps | Modifies the whitelists of an ApsaraDB for MongoDB instance. |
| ResetAccountPassword | Resets the account password for an ApsaraDB for MongoDB instance. |
| DescribeBackupPolicy | Queries the backup policy of an ApsaraDB for MongoDB instance. |
| ModifyBackupPolicy | Modifies the backup policy of an ApsaraDB for MongoDB instance. |
| CreateBackup | Creates a backup for an ApsaraDB for MongoDB instance. |
| RestoreDBInstance | Restores the data in an ApsaraDB for MongoDB instance. |
| DescribeAccounts | Queries the database accounts of an ApsaraDB for MongoDB instance. |
| DescribeDBInstancePerformance | Queries the state of an ApsaraDB for MongoDB instance. |
| DescribeReplicaSetRole | Queries the primary/secondary attribute of an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceDescription | Modifies the description of an ApsaraDB for MongoDB instance. |
| ModifyAccountDescription | Modifies the database accounts of an ApsaraDB for MongoDB instance. |
| DescribeDBInstanceAttribute | Queries the attributes of an ApsaraDB for MongoDB instance. |
| RenewDBInstance | Renews an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceNetworkType | Modifies the network type of an ApsaraDB for MongoDB instance. |