If the system authorization policies provided by Resource Access Management (RAM) cannot meet your business requirements, you can create custom authorization policies to perform fine-grained access control on your PolarDB-X 1.0 instances.
Prerequisites
PolarDB-X 1.0 is authorized to access your ApsaraDB RDS resources. For more information, see Activate authorization for PolarDB-X 1.0 to access ApsaraDB RDS.
The multi-factor authentication (MFA) feature is enabled. Before you use the credentials of a RAM user to delete a database or a read-only account of a database, you must enable the MFA feature. For more information, see Bind an MFA device to an Alibaba Cloud account.
Background information
An authorization policy defines a set of permissions that are specified based on the policy syntax and structure. An authorization policy describes the resources that are authorized, the operations that are authorized, and the authorization conditions. For more information, see Policy structure and syntax.
Before you use custom authorization policies for fine-grained management on PolarDB-X 1.0 resources, you need to understand the resource authorization rules that are supported by PolarDB-X 1.0. For more information, see Use RAM for resource authorization.
Limits
RAM users are not authorized to change the password of a PolarDB-X 1.0 database.
Step 1: Create a custom authorization policy
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
On the page that appears, configure the parameters.
Name: The name of the policy. We recommend that you specify a name that helps you identify the business purpose of the policy.
Note: Optional. The description of the policy.
Configuration mode: You must select JSON. PolarDB-X 1.0 supports only the script configuration mode.
Policy content: You can import an existing system policy. Note: This example shows how to create a custom policy, so you do not need to import an existing system policy.
Script: The script that specifies the content of the policy. Sample scripts of custom policies are provided later in this section for your reference. Note: You must write the authorization policy based on the policy syntax and structure. In the authorization policy, you specify the resources that are authorized, the operations that are authorized, and the authorization conditions. For more information, see Policy structure and syntax.
You can grant permissions on specific resources and actions.
Sample custom policies:
Note: You must replace 1234 in the following sample scripts with the UID of your Alibaba Cloud account. You must replace Instance ID in the following sample scripts with the ID of your PolarDB-X 1.0 instance.
The following sample script specifies the permissions that allow RAM users to perform operations in the PolarDB-X 1.0 console.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "drds:*",
      "Resource": "acs:drds:*:1234:instance/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
The following sample script specifies the permissions that allow RAM users to access all PolarDB-X 1.0 instances of the Alibaba Cloud account in the China (Hangzhou) region.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "drds:*",
      "Resource": "acs:drds:cn-hangzhou:1234:instance/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
The following sample script specifies an instance that RAM users cannot access. The Allow statement grants access to all instances of the account, and the explicit Deny statement removes the specified instance from that grant.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "drds:*",
      "Resource": "acs:drds:*:1234:instance/*",
      "Effect": "Allow"
    },
    {
      "Action": "drds:*",
      "Resource": [
        "acs:drds:*:1234:instance/Instance ID"
      ],
      "Effect": "Deny"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Note: RAM users that are granted permissions by using this policy can access all PolarDB-X 1.0 instances of the Alibaba Cloud account other than the specified instance.
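The three sample policies above rely on two evaluation rules: a request is denied unless some statement allows it, and an explicit Deny overrides any Allow. The following Python script is an added example that is not part of this page or of Alibaba Cloud's RAM engine. It models those two rules in a simplified evaluator (wildcard matching on the Action and Resource elements only; Condition blocks are not modelled, which is an assumption), fills the 1234 and Instance ID placeholders with constructed values, and shows which requests the "deny one instance" policy allows. It also shows that a policy document with a trailing comma is rejected as malformed JSON, which is a defect worth checking for before you attach a policy.

```python
import json
import re

# Constructed values standing in for the page's placeholders: the account UID
# (1234 in the sample scripts) and the ID of the instance that must stay off limits.
ACCOUNT_UID = "1234"
DENIED_INSTANCE = "drds-example-0001"  # hypothetical instance ID

# The "deny one instance" sample policy from this page, with the placeholders filled in.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "drds:*",
         "Resource": f"acs:drds:*:{ACCOUNT_UID}:instance/*",
         "Effect": "Allow"},
        {"Action": "drds:*",
         "Resource": [f"acs:drds:*:{ACCOUNT_UID}:instance/{DENIED_INSTANCE}"],
         "Effect": "Deny"},
        {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"},
    ],
})

# A constructed policy fragment with a trailing comma inside the Resource array.
BROKEN_SNIPPET = '{"Version": "1", "Statement": [{"Action": "drds:*", ' \
                 '"Resource": ["acs:drds:*:1234:instance/x", ], "Effect": "Deny"}]}'


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, candidate):
    """Glob match where only '*' is special (any run of characters); case-sensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, candidate) is not None


def is_valid_policy(policy_json):
    """True if the document parses as JSON; trailing commas and similar slips return False."""
    try:
        json.loads(policy_json)
        return True
    except ValueError:
        return False


def evaluate(policy_json, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request under one policy.

    Simplified model (assumption): default deny, explicit Deny wins over Allow,
    no Condition evaluation.
    """
    policy = json.loads(policy_json)  # raises ValueError on malformed JSON
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    other = f"acs:drds:cn-hangzhou:{ACCOUNT_UID}:instance/drds-other"
    denied = f"acs:drds:cn-hangzhou:{ACCOUNT_UID}:instance/{DENIED_INSTANCE}"
    foreign = "acs:drds:cn-hangzhou:5678:instance/drds-other"  # another account's instance
    for label, act, res in [("other instance", "drds:DescribeDrdsInstance", other),
                            ("denied instance", "drds:DescribeDrdsInstance", denied),
                            ("foreign account", "drds:DescribeDrdsInstance", foreign),
                            ("pass role", "ram:PassRole", f"acs:ram::{ACCOUNT_UID}:role/x"),
                            ("unrelated service", "rds:DescribeDBInstances",
                             f"acs:rds:cn-hangzhou:{ACCOUNT_UID}:dbinstance/x")]:
        print(f"{label:18s} -> {evaluate(SAMPLE_POLICY, act, res)}")
    print("broken snippet parses:", is_valid_policy(BROKEN_SNIPPET))
```

The evaluator returns Allow for every instance of account 1234 except the denied one, Deny for instances of other accounts (the 1234 segment in the Resource pattern never matches them), and Deny for actions outside the drds and ram:PassRole namespaces. Because the Deny statement is checked regardless of the order in which the Allow statement appears, moving the statements around does not change the result.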
Click Next to edit policy information.
Click OK.
Step 2: Use the custom policy to grant permissions to a RAM user
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Policies page, find the custom policy that you want to use and click the name of the custom policy.
On the details page of the custom policy, click the References tab.
Click Grant Permission. In the Add Permissions panel, configure the parameters.
Authorized Scope: You can specify Alibaba Cloud Account or Specific Resource Group as the value of Authorized Scope.
Principal: Enter a keyword of the name of the RAM user, RAM user group, or RAM role to which you want to grant the permissions, and then select the principal from the search results.
Select Policy: By default, the current custom policy is displayed in the Selected section on the right side of the panel. If you want to grant other permissions to the RAM user, click the names of the policies in the Authorization Policy Name column on the left side of the panel. The selected policies are then displayed in the Selected section. Note: You can attach up to five policies at a time. To attach more policies, repeat the preceding steps.
Click OK.
Note: For more information about how to grant permissions to RAM users and RAM user groups, see Grant permissions to a RAM user and Grant permissions to a RAM user group.