Use RAM in the DRDS console

Last Updated: Jun 28, 2020

This topic describes how to use the Resource Access Management (RAM) account system and permission policies to control resources and permissions in Distributed Relational Database Service (DRDS).

Limits

  • Multi-factor authentication (MFA) must be enabled for RAM users to delete databases and read-only accounts. For more information, see Enable an MFA device for an Alibaba Cloud account.
  • RAM users do not have the permission to change passwords of DRDS databases.

Use RAM in the DRDS console

To use RAM in the DRDS console, you must complete the following operations in the RAM console:

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Create an authorization policy. For more information, see Create a custom policy.
  3. Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.

    Before you use RAM in DRDS, make sure you have authorized DRDS to access ApsaraDB for RDS (RDS) and created a RAM role for DRDS. For more information, see Preparations for using RAM.

Samples of creating a custom policy

  • Grant a RAM user all the DRDS console operation permissions of the corresponding Alibaba Cloud account.

    {
      "Version": "1",
      "Statement": [
        {
          "//": "1234 indicates the UID of the Alibaba Cloud account of the RAM user.",
          "Action": "drds:*",
          "Resource": "acs:drds:*:1234:instance/*",
          "Effect": "Allow"
        },
        {
          "//": "Note: To guarantee normal usage of RAM, ensure that the policy includes the following information:",
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • Grant users the permission to access only the DRDS instances in the zones of China (Hong Kong).

    {
      "Version": "1",
      "Statement": [
        {
          "//": "1234 indicates the UID of the Alibaba Cloud account of the RAM user.",
          "Action": "drds:*",
          "Resource": "acs:drds:cn-hongkong:1234:instance/*",
          "Effect": "Allow"
        },
        {
          "//": "Note: To guarantee normal usage of RAM, ensure that the policy includes the following information:",
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • Deny users access to a specific instance. A RAM user with this policy can access all DRDS instances except drds******hb4.

    {
      "Version": "1",
      "Statement": [
        {
          "//": "1234 indicates the UID of the Alibaba Cloud account of the RAM user.",
          "Action": "drds:*",
          "Resource": "acs:drds:*:1234:instance/*",
          "Effect": "Allow"
        },
        {
          "Action": "drds:*",
          "Resource": [
            "acs:drds:*:1234:instance/drds******hb4",
            "acs:drds:*:1234:instance/drds******hb4/*"
          ],
          "Effect": "Deny"
        },
        {
          "//": "Note: To guarantee normal usage of RAM, ensure that the policy includes the following information:",
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
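
The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tool. It evaluates requests against policies modelled on the second and third samples to show how the region-scoped resource and the explicit Deny decide access. The instance ID drds-blocked-example, the action name in the demo, and the simplified matcher (only * is a wildcard, an explicit Deny wins over any Allow, and a request that matches nothing is denied) are assumptions.

```python
import json
import re

# Constructed policies modelled on the second and third samples. UID 1234 is
# the page's placeholder; the instance ID and the action name used below are
# made-up stand-ins, not values from the page.
HK_ONLY = json.loads("""{"Version": "1", "Statement": [
  {"Action": "drds:*", "Resource": "acs:drds:cn-hongkong:1234:instance/*", "Effect": "Allow"},
  {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"}]}""")

ALL_BUT_ONE = json.loads("""{"Version": "1", "Statement": [
  {"Action": "drds:*", "Resource": "acs:drds:*:1234:instance/*", "Effect": "Allow"},
  {"Action": "drds:*", "Effect": "Deny", "Resource": [
     "acs:drds:*:1234:instance/drds-blocked-example",
     "acs:drds:*:1234:instance/drds-blocked-example/*"]},
  {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Treat '*' as "any run of characters"; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every matching Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    base = "acs:drds:cn-hangzhou:1234:instance/"
    for name in ("drds-other-example", "drds-blocked-example"):
        print(name, evaluate(ALL_BUT_ONE, "drds:DescribeDrdsInstance", base + name))
    print("HK_ONLY on cn-hangzhou:", evaluate(HK_ONLY, "drds:DescribeDrdsInstance", base + "x"))
```

Running sample requests through a check like this before attaching a policy shows whether the Deny statement covers both the instance and the resources beneath it, which is why the third sample lists two resource entries.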