This topic describes how to manage ApsaraDB for RDS permissions of a RAM user by using RAM. In the RAM console, you can create custom policies and attach them to a RAM user.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have one, create it before you proceed on the account registration page.
  • You have a basic understanding of the following common system policies:
    • AliyunRDSFullAccess: grants a RAM user the permissions to manage RDS instances.
    • AliyunRDSReadOnlyAccess: grants a RAM user the read-only permission on RDS instances.
  • You have a basic understanding of RDS permissions. For more information, see RAM authorization.

Attach a custom policy to a RAM user

  1. Create a custom policy. You can start from one of the sample policies in RDS authorization examples.
  2. On the Policies page, click the name of the policy.
  3. On the References tab, click Grant Permission.
  4. In the dialog box that appears, enter the name or ID of the RAM user in the Principal field. Then, select the RAM user from the auto-complete results.
  5. Click OK, and then click Finished.

RDS authorization examples

  • Example 1: Authorize a RAM user to manage two specified RDS instances.

    To authorize a RAM user to manage the RDS instances i-001 and i-002 in your Alibaba Cloud account, use the following sample script:

    {
      "Statement": [
        {
          "Action": "rds:*",
          "Effect": "Allow",
          "Resource": [
            "acs:rds:*:*:dbinstance/i-001",
            "acs:rds:*:*:dbinstance/i-002"
          ]
        },
        {
          "Action": "rds:Describe*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
    Note
    • The authorized RAM user can view all RDS instances but can manage only the specified two RDS instances.
    • The rds:Describe* statement is required for console access: without it, the authorized RAM user cannot view instances in the console. The RAM user can still manage the two specified RDS instances by calling API operations or by using the CLI or an SDK.
  • Example 2: Authorize a RAM user to access Data Management (DMS).
    • To authorize a RAM user to log on to a specified RDS instance, use the following sample script:
      {
        "Statement": [
          {
            "Action": "dms:LoginDatabase",
            "Effect": "Allow",
            "Resource": "acs:rds:*:*:dbinstance/rds783a0639ks5k7****"
          }
        ],
        "Version": "1"
      }
      Note You must replace rds783a0639ks5k7**** with the ID of the RDS instance.
    • To authorize a RAM user to log on to all RDS instances, use the following sample script:
      {
        "Statement": [
          {
            "Action": "dms:LoginDatabase",
            "Effect": "Allow",
            "Resource": "acs:rds:*:*:*"
          }
        ],
        "Version": "1"
      }
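To check what the sample policies in Example 1 and Example 2 actually grant before attaching them, the following added example (not Alibaba Cloud code) models RAM policy evaluation in a simplified form: a request is allowed only when an Allow statement matches both the action and the resource and no Deny statement matches. The region, account ID and the rm-example instance IDs are constructed placeholders.

```python
import fnmatch
import json

# Simplified model of RAM policy evaluation (added example, not Alibaba Cloud
# code): allowed only if some Allow statement matches action and resource and
# no Deny statement matches; anything else falls through to the default deny.

# The Example 1 policy from this page, embedded as the sample input.
EXAMPLE_1_POLICY = json.loads("""
{
  "Statement": [
    {"Action": "rds:*", "Effect": "Allow",
     "Resource": ["acs:rds:*:*:dbinstance/i-001", "acs:rds:*:*:dbinstance/i-002"]},
    {"Action": "rds:Describe*", "Effect": "Allow", "Resource": "*"}
  ],
  "Version": "1"
}
""")

def dms_login_policy(instance_id):
    """Build the Example 2 DMS logon policy for a single RDS instance ID."""
    return {"Statement": [{"Action": "dms:LoginDatabase", "Effect": "Allow",
                           "Resource": f"acs:rds:*:*:dbinstance/{instance_id}"}],
            "Version": "1"}

def _as_list(value):
    # "Action" and "Resource" may each be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value):
    # '*' is the RAM wildcard; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Return True if the policy permits `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False              # an explicit Deny overrides every Allow
            allowed = True
    return allowed                        # default deny when nothing matched

def instance_arn(instance_id, region="cn-hangzhou", account="123456789012****"):
    # Constructed ARN; region and account ID are placeholders, not real values.
    return f"acs:rds:{region}:{account}:dbinstance/{instance_id}"

if __name__ == "__main__":
    for action, inst in [("rds:DeleteDBInstance", "i-001"), ("rds:DeleteDBInstance", "i-003"),
                         ("rds:DescribeDBInstances", "i-003"), ("dms:LoginDatabase", "i-001")]:
        print(f"{action:24} {inst}: {is_allowed(EXAMPLE_1_POLICY, action, instance_arn(inst))}")
```

Running it shows the Example 1 behaviour described in the note above: any rds:Describe* call succeeds on every instance, while a management action such as rds:DeleteDBInstance succeeds only on i-001 and i-002, and dms:LoginDatabase is not granted at all until an Example 2 policy is added.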