
PolarDB:Use custom authorization policies to manage permissions on PolarDB-X 1.0 instances for RAM users

Last Updated:Nov 28, 2023

If the system authorization policies provided by Resource Access Management (RAM) cannot meet your business requirements, you can create custom authorization policies to perform fine-grained access control on your PolarDB-X 1.0 instances.

Prerequisites

Background information

  • An authorization policy defines a set of permissions that are specified based on the policy syntax and structure. An authorization policy describes the resources that are authorized, the operations that are authorized, and the authorization conditions. For more information, see Policy structure and syntax.

  • Before you use custom authorization policies for fine-grained management on PolarDB-X 1.0 resources, you need to understand the resource authorization rules that are supported by PolarDB-X 1.0. For more information, see Use RAM for resource authorization.

Limits

RAM users are not authorized to change the password of a PolarDB-X 1.0 database.

Step 1: Create a custom authorization policy

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. On the page that appears, configure the parameters.

    Create a custom policy

    Item

    Description

    Name

    The name of the policy. We recommend that you specify a name that can help you identify the business of the policy.

    Note

    Optional. The description of the policy.

    Configuration mode

    You must select JSON. PolarDB-X 1.0 supports only the script configuration mode.

    Policy content

    You can import an existing system policy.

    Note

    This example is used to show how to create a custom policy. Therefore, you do not need to import an existing system policy.

    Script

    The script that specifies the content of the policy. In the following part of this section, sample scripts of custom policies are provided for your reference.

    Note
    • You need to specify the authorization policy based on the policy syntax and structure. In the authorization policy, you need to specify the resources that are authorized, the operations that are authorized, and the authorization conditions. For more information, see Policy structure and syntax.

    • You can grant permissions on specific resources and actions.

    Sample custom policies:

    Note
    • You must replace 1234 in the following sample scripts with the UID of your Alibaba Cloud account.

    • You must replace Instance ID in the following sample scripts with the ID of your PolarDB-X 1.0 instance.

    • The following sample script specifies the permissions that allow RAM users to perform operations in the PolarDB-X 1.0 console.

      {
        "Version": "1",
        "Statement": [
            {
                "Action": "drds:*",
                "Resource": "acs:drds:*:1234:instance/*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
      }
    • The following sample script specifies the permissions that allow RAM users to access all PolarDB-X 1.0 instances of the Alibaba Cloud account in the China (Hangzhou) region.

      {
        "Version": "1",
        "Statement": [
            {
                "Action": "drds:*",
                "Resource": "acs:drds:cn-hangzhou:1234:instance/*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
      }
    • The following sample script specifies the instances that RAM users cannot access.

      {
        "Version": "1",
        "Statement": [
            {
                "Action": "drds:*",
                "Resource": "acs:drds:*:1234:instance/*",
                "Effect": "Allow"
            },
            {
                "Action": "drds:*",
                "Resource": [
                    "acs:drds:*:1234:instance /Instance ID",
                ],
                "Effect": "Deny"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
      }            
      Note

      RAM users that are granted permissions by using this policy can access all PolarDB-X 1.0 instances of the Alibaba Cloud account other than the specified instance.
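The following is an added example that is not part of the Alibaba Cloud documentation: a simplified, offline model of how a RAM policy document is evaluated (an explicit Deny statement always wins; a request that matches no Allow statement is implicitly denied), used to sanity-check the region-scoped and deny-one-instance sample policies above before attaching them. The account ID 1234 is the page's placeholder; the instance name "drds-example", the action name "drds:SomeAction" and the region "cn-beijing" used in the checks are constructed values, and Condition blocks are deliberately not modelled.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _resource_matches(pattern, resource):
    """Match ARNs segment by segment, so a '*' in the region slot cannot
    spill across ':' into the account ID or the instance path."""
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.split(":", 4), resource.split(":", 4)
    return len(p_parts) == len(r_parts) and all(
        fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))

def is_allowed(policy_json, action, resource):
    """Simplified RAM evaluation: explicit Deny wins, otherwise a request is
    allowed only if some Allow statement matches (implicit deny). Condition
    blocks and other policy features are intentionally not modelled."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed policies based on the page's samples. "drds-example" stands in
# for the placeholder Instance ID and is not a real instance.
HANGZHOU_ONLY = """{"Version": "1", "Statement": [
  {"Action": "drds:*", "Resource": "acs:drds:cn-hangzhou:1234:instance/*", "Effect": "Allow"},
  {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"}]}"""

DENY_ONE_INSTANCE = """{"Version": "1", "Statement": [
  {"Action": "drds:*", "Resource": "acs:drds:*:1234:instance/*", "Effect": "Allow"},
  {"Action": "drds:*", "Resource": ["acs:drds:*:1234:instance/drds-example"], "Effect": "Deny"},
  {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"}]}"""

if __name__ == "__main__":
    # "drds:SomeAction" is a constructed action name, not a real API operation.
    for policy, res in ((HANGZHOU_ONLY, "acs:drds:cn-beijing:1234:instance/drds-other"),
                        (DENY_ONE_INSTANCE, "acs:drds:cn-hangzhou:1234:instance/drds-other"),
                        (DENY_ONE_INSTANCE, "acs:drds:cn-hangzhou:1234:instance/drds-example")):
        print(res, "->", is_allowed(policy, "drds:SomeAction", res))
```

The first check shows that the region-scoped policy implicitly denies instances outside cn-hangzhou, and the last two show the explicit Deny carving one instance out of an otherwise account-wide Allow.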

  6. Click Next to edit policy information.

  7. Click OK.

Step 2: Use the custom policy to grant permissions to a RAM user

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, find the custom policy that you want to use and click the name of the custom policy.

    Find the custom policy

  4. On the details page of the custom policy, click the References tab.

  5. Click Grant Permission. In the Add Permissions panel, configure the parameters.

    Parameter

    Description

    Authorized Scope

    You can specify Alibaba Cloud Account or Specific Resource Group as the value of Authorized Scope.

    Principal

    You can enter a keyword of the username of a RAM user, RAM user group, or RAM role to search for the RAM user to whom you want to grant the permissions. Then, select the RAM user from the search results.

    Select Policy

    By default, the current custom policy is displayed in the Selected section on the right side of the panel. If you want to grant other permissions to the RAM user, click the names of the policies in the Authorization Policy Name column on the left side of the panel. Then, the selected policies are displayed in the Selected section.

    Note

    You can attach up to five policies at a time. To attach more policies, perform the preceding operations again.

  6. Click OK.

    Note

    For more information about how to grant permissions to RAM users and RAM user groups, see Grant permissions to a RAM user and Grant permissions to a RAM user group.