All instances created by an Alibaba Cloud account are resources owned by that account. By default, the account has full permissions on every resource it owns. Resource Access Management (RAM) lets you grant RAM users permissions to access and manage the resources owned by the Alibaba Cloud account, so that each user is granted only the operations and instances it needs rather than the privileges of the whole account. If you do not need to use RAM, skip this topic.

Resource types that can be authorized

Only ApsaraDB for Redis instances can be authorized in RAM.

The following table describes the resource type and the resource strings you can reference in an authorization policy when you use RAM to grant permissions.

Resource type: Instance
Resource description in authorization policy:
  • acs:kvstore:$regionid:$accountid:instance/$instanceid
  • acs:kvstore:$regionid:$accountid:instance/*
  • acs:kvstore:*:*:instance/*

$regionid must be a region ID or an asterisk (*). $accountid is the numerical ID of your Alibaba Cloud account, or an asterisk (*). $instanceid must be an instance ID or an asterisk (*). An asterisk matches every value in that position, so the last form matches all ApsaraDB for Redis instances in all regions; grant the narrowest form that fits the task.

Actions that can be authorized in RAM

The following actions can be authorized in RAM:
  • CreateInstance
  • DeleteInstance
  • ModifyInstanceSpec
  • RenewInstance
  • RenewMultiInstance
  • ModifyInstanceAttribute
  • FlushInstance
  • DescribeInstances
  • DescribeInstanceAttribute
  • ModifyInstanceMaintainTime
  • ModifySecurityIps
  • SwitchNetwork
  • ModifyInstanceNetExpireTime
  • CreateBackup
  • ModifyBackupPolicy
  • DescribeBackupPolicy
  • DescribeBackups
  • RestoreInstance
  • DescribeHistoryMonitorValues
  • DescribeInstanceConfig
  • ModifyInstanceConfig

Authentication rules of API operations

When a RAM user calls an API operation, ApsaraDB for Redis queries RAM to check whether the user has been granted the required permission on the resource that the operation acts on. The call is rejected if the check fails.

The permission that each API operation checks is determined by the resource it acts on and by its action name. The following table lists the authentication rule (the resource on which the action must be allowed) for each API operation.

Table 1. Authentication rules
Action                          Authentication rule
CreateInstance                  acs:kvstore:$regionid:$accountid:instance/$instanceid
DeleteInstance                  acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceSpec              acs:kvstore:$regionid:$accountid:instance/$instanceid
RenewInstance                   acs:kvstore:$regionid:$accountid:instance/$instanceid
RenewMultiInstance              acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceAttribute         acs:kvstore:$regionid:$accountid:instance/$instanceid
FlushInstance                   acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeInstances               acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeInstanceAttribute       acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceMaintainTime      acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifySecurityIps               acs:kvstore:$regionid:$accountid:instance/$instanceid
SwitchNetwork                   acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceNetExpireTime     acs:kvstore:$regionid:$accountid:instance/$instanceid
CreateBackup                    acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyBackupPolicy              acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeBackupPolicy            acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeBackups                 acs:kvstore:$regionid:$accountid:instance/$instanceid
RestoreInstance                 acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeHistoryMonitorValues    acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeInstanceConfig          acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceConfig            acs:kvstore:$regionid:$accountid:instance/$instanceid
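Because every rule in Table 1 is scoped to an instance resource, a policy can be narrowed to one region, one account and even one instance ID, and the actions listed under "Actions that can be authorized in RAM" can be split between read-only and destructive sets. The following added example (not part of this topic and not Alibaba Cloud's code) builds the resource strings from the "Resource types that can be authorized" section, composes two constructed policy documents, and evaluates sample API calls against them with a simplified local model of RAM's decision logic: an explicit Deny overrides any Allow, and a request with no matching Allow is implicitly denied. The account ID, instance ID and policy contents are placeholders; the "kvstore:" prefix is the service name that ApsaraDB for Redis actions carry in RAM policy documents. The helper unknown_actions flags any non-wildcard kvstore action that does not appear in the documented list, which catches misspelled action names that would otherwise grant nothing silently.

```python
import re

# Actions this topic documents as authorizable in RAM, with the kvstore
# service prefix they carry inside a RAM policy document.
KVSTORE_ACTIONS = {
    "kvstore:" + a for a in [
        "CreateInstance", "DeleteInstance", "ModifyInstanceSpec", "RenewInstance",
        "RenewMultiInstance", "ModifyInstanceAttribute", "FlushInstance",
        "DescribeInstances", "DescribeInstanceAttribute", "ModifyInstanceMaintainTime",
        "ModifySecurityIps", "SwitchNetwork", "ModifyInstanceNetExpireTime",
        "CreateBackup", "ModifyBackupPolicy", "DescribeBackupPolicy", "DescribeBackups",
        "RestoreInstance", "DescribeHistoryMonitorValues", "DescribeInstanceConfig",
        "ModifyInstanceConfig",
    ]
}

ACCOUNT = "123456789012"   # placeholder account ID (constructed)
INSTANCE = "r-bp1example"  # placeholder instance ID (constructed)


def instance_arn(region_id, account_id, instance_id):
    """Build the instance resource string from this topic; any part may be '*'."""
    return f"acs:kvstore:{region_id}:{account_id}:instance/{instance_id}"


def _glob_match(pattern, value):
    """Match a RAM-style pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Simplified RAM decision over all policies attached to a RAM user.

    Returns "Deny" (an explicit Deny matched), "Allow" (an Allow matched and no
    Deny did) or "ImplicitDeny" (nothing matched), so a missing grant can be
    told apart from a deliberate block.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins regardless of other statements
            decision = "Allow"
    return decision


def unknown_actions(policy):
    """Non-wildcard kvstore actions in a policy that this topic does not document."""
    found = set()
    for stmt in policy["Statement"]:
        for a in _as_list(stmt["Action"]):
            if a.startswith("kvstore:") and "*" not in a and a not in KVSTORE_ACTIONS:
                found.add(a)
    return sorted(found)


# Constructed least-privilege policy for an on-call operator: read-only on every
# instance in one region, plus backup creation on a single named instance.
OPERATOR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kvstore:DescribeInstances", "kvstore:DescribeInstanceAttribute",
                    "kvstore:DescribeBackups", "kvstore:DescribeHistoryMonitorValues"],
         "Resource": instance_arn("cn-hangzhou", ACCOUNT, "*")},
        {"Effect": "Allow",
         "Action": "kvstore:CreateBackup",
         "Resource": instance_arn("cn-hangzhou", ACCOUNT, INSTANCE)},
    ],
}

# Constructed guard-rail policy: block the data-destroying actions everywhere,
# no matter what other attached policies allow.
NO_DESTROY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["kvstore:FlushInstance", "kvstore:DeleteInstance"],
         "Resource": instance_arn("*", "*", "*")},
    ],
}

# Constructed over-broad policy with a misspelled action, to exercise the audit.
SLOPPY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["kvstore:CreateDBInstance", "kvstore:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    target = instance_arn("cn-hangzhou", ACCOUNT, INSTANCE)
    attached = [OPERATOR_POLICY, NO_DESTROY_POLICY]
    for action in ("kvstore:DescribeInstances", "kvstore:CreateBackup", "kvstore:FlushInstance"):
        print(action, "->", evaluate(attached, action, target))
    print("undocumented actions in SLOPPY_POLICY:", unknown_actions(SLOPPY_POLICY))
```

Attaching NO_DESTROY_POLICY next to an over-broad policy such as SLOPPY_POLICY still blocks FlushInstance and DeleteInstance, which is the reason to express guard rails as explicit Deny statements rather than relying on the absence of an Allow.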