All Products
Search
Document Center

ApsaraDB for Redis:RAM authorization

Last Updated:Feb 20, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by Redis. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate Redis is kvstore. You can grant permissions on Redis at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

Redis defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
kvstore:AddShardingNodeAddShardingNodeWrite
All Resources
*
NoneNone
kvstore:AllocateDirectConnectionAllocateDirectConnectionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:AllocateInstancePublicConnectionAllocateInstancePublicConnectionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:CheckCloudResourceAuthorizedCheckCloudResourceAuthorizedRead
All Resources
*
NoneNone
kvstore:CreateAccountCreateAccountWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:CreateBackupCreateBackupWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:CreateCacheAnalysisTaskCreateCacheAnalysisTaskWrite
All Resources
*
NoneNone
kvstore:CreateGlobalDistributeCacheCreateGlobalDistributeCacheWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:CreateGlobalSecurityIPGroupCreateGlobalSecurityIPGroup
All Resources
*
NoneNone
kvstore:CreateInstanceCreateInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
kvstore:InstanceClass
kvstore:Appendonly
kvstore:InstanceType
None
kvstore:CreateInstancesCreateInstancesWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
kvstore:InstanceClass
kvstore:InstanceType
kvstore:Appendonly
None
kvstore:CreateTairInstanceCreateTairInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
kvstore:InstanceClass
kvstore:InstanceType
None
kvstore:DeleteAccountDeleteAccountWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DeleteGlobalSecurityIPGroupDeleteGlobalSecurityIPGroup
All Resources
*
NoneNone
kvstore:DeleteInstanceDeleteInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DeleteShardingNodeDeleteShardingNodeWrite
All Resources
*
NoneNone
kvstore:DescribeAccountsDescribeAccountsRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeActiveOperationTaskDescribeActiveOperationTaskRead
All Resources
*
NoneNone
kvstore:DescribeAuditLogConfigDescribeAuditLogConfigRead
All Resources
*
NoneNone
kvstore:DescribeAuditRecordsDescribeAuditRecordsRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeAvailableResourceDescribeAvailableResourceRead
All Resources
*
NoneNone
kvstore:DescribeBackupPolicyDescribeBackupPolicyRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeBackupTasksDescribeBackupTasksRead
All Resources
*
NoneNone
kvstore:DescribeBackupsDescribeBackupsRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeCacheAnalysisReportDescribeCacheAnalysisReportRead
dbinstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
NoneNone
kvstore:DescribeCacheAnalysisReportListDescribeCacheAnalysisReportListRead
All Resources
*
NoneNone
kvstore:DescribeClusterMemberInfoDescribeClusterMemberInfoRead
All Resources
*
NoneNone
kvstore:DescribeDBInstanceNetInfoDescribeDBInstanceNetInfoRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeDedicatedClusterInstanceListDescribeDedicatedClusterInstanceListRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeEncryptionKeyDescribeEncryptionKeyRead
All Resources
*
NoneNone
kvstore:DescribeEncryptionKeyListDescribeEncryptionKeyListRead
All Resources
*
NoneNone
kvstore:DescribeEngineVersionDescribeEngineVersionRead
All Resources
*
NoneNone
kvstore:DescribeGlobalDistributeCacheDescribeGlobalDistributeCacheRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeGlobalSecurityIPGroupDescribeGlobalSecurityIPGroup
All Resources
*
NoneNone
kvstore:DescribeGlobalSecurityIPGroupRelationDescribeGlobalSecurityIPGroupRelation
All Resources
*
NoneNone
kvstore:DescribeHistoryMonitorValuesDescribeHistoryMonitorValuesRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
kvstore:ResourceTag
None
kvstore:DescribeHistoryTasksDescribeHistoryTasksRead
All Resources
*
NoneNone
kvstore:DescribeInstanceAttributeDescribeDBNodeDirectVipInfoRead
All Resources
*
NoneNone
kvstore:DescribeInstanceAttributeDescribeInstanceAttributeRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeInstanceAutoRenewalAttributeDescribeInstanceAutoRenewalAttributeRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeInstanceConfigDescribeInstanceConfigRead
All Resources
*
NoneNone
kvstore:DescribeInstanceSSLDescribeInstanceSSLRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeInstanceTDEStatusDescribeInstanceTDEStatusRead
All Resources
*
NoneNone
kvstore:DescribeInstancesDescribeInstancesRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeInstancesOverviewDescribeInstancesOverviewRead
All Resources
*
NoneNone
kvstore:DescribeIntranetAttributeDescribeIntranetAttributeRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeLogicInstanceTopologyDescribeLogicInstanceTopologyRead
All Resources
*
NoneNone
kvstore:DescribeMonitorItemsDescribeMonitorItemsRead
All Resources
*
NoneNone
kvstore:DescribeParameterModificationHistoryDescribeParameterModificationHistoryRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}
NoneNone
kvstore:DescribeParameterTemplatesDescribeParameterTemplatesRead
All Resources
*
NoneNone
kvstore:DescribeParametersDescribeParametersRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}
NoneNone
kvstore:DescribePriceDescribePrice
All Resources
*
NoneNone
kvstore:DescribeRoleZoneInfoDescribeRoleZoneInfoRead
All Resources
*
NoneNone
kvstore:DescribeRunningLogRecordsDescribeRunningLogRecordsRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeSecurityGroupConfigurationDescribeSecurityGroupConfigurationRead
dbinstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
NoneNone
kvstore:DescribeSecurityIpsDescribeSecurityIpsRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:DescribeSlowLogRecordsDescribeSlowLogRecordsRead
DBInstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
NoneNone
kvstore:DescribeTasksDescribeTasksRead
All Resources
*
NoneNone
kvstore:EnableAdditionalBandwidthEnableAdditionalBandwidthWrite
All Resources
*
NoneNone
kvstore:FlushExpireKeysFlushExpireKeysWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
NoneNone
kvstore:FlushInstanceFlushInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:FlushInstanceForDBFlushInstanceForDBWrite
All Resources
*
NoneNone
kvstore:GrantAccountPrivilegeGrantAccountPrivilegeWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:InitializeKvstorePermissionInitializeKvstorePermissionWrite
All Resources
*
NoneNone
kvstore:ListTagResourcesListTagResourcesList
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
NoneNone
kvstore:MigrateToOtherZoneMigrateToOtherZoneWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyAccountDescriptionModifyAccountDescriptionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyAccountPasswordModifyAccountPasswordWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyActiveOperationTaskModifyActiveOperationTaskWrite
All Resources
*
NoneNone
kvstore:ModifyAuditLogConfigModifyAuditLogConfigWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId}
kvstore:DbAudit
None
kvstore:ModifyBackupPolicyModifyBackupPolicyWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
kvstore:EnableBackupLog
None
kvstore:ModifyDBInstanceConnectionStringModifyDBInstanceConnectionStringWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyGlobalSecurityIPGroupModifyGlobalSecurityIPGroup
All Resources
*
NoneNone
kvstore:ModifyGlobalSecurityIPGroupNameModifyGlobalSecurityIPGroupName
All Resources
*
NoneNone
kvstore:ModifyGlobalSecurityIPGroupRelationModifyGlobalSecurityIPGroupRelation
All Resources
*
NoneNone
kvstore:ModifyInstanceAttributeModifyInstanceAttributeWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyInstanceAutoRenewalAttributeModifyInstanceAutoRenewalAttributeWrite
All Resources
*
NoneNone
kvstore:ModifyInstanceConfigModifyInstanceConfigWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
kvstore:InstanceAofConfig
kvstore:TLSVersion
None
kvstore:ModifyInstanceMaintainTimeModifyInstanceMaintainTimeWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyInstanceMajorVersionModifyInstanceMajorVersionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyInstanceMinorVersionModifyInstanceMinorVersionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyInstanceNetExpireTimeModifyInstanceNetExpireTimeWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyInstanceSSLModifyInstanceSSLWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
kvstore:SSLEnabled
None
kvstore:ModifyInstanceSpecModifyInstanceSpecWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyInstanceTDEModifyInstanceTDEWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
kvstore:TDEStatus
None
kvstore:ModifyInstanceVpcAuthModeModifyInstanceVpcAuthModeWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
kvstore:VpcAuthMode
None
kvstore:ModifyIntranetAttributeModifyIntranetAttributeWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ModifyResourceGroupModifyResourceGroupWrite
All Resources
*
NoneNone
kvstore:ModifySecurityGroupConfigurationModifySecurityGroupConfigurationWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
NoneNone
kvstore:ModifySecurityIpsModifySecurityIpsWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ReleaseDirectConnectionReleaseDirectConnectionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ReleaseInstancePublicConnectionReleaseInstancePublicConnectionWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:RemoveSubInstanceRemoveSubInstanceWrite
All Resources
*
NoneNone
kvstore:RenewAdditionalBandwidthRenewAdditionalBandwidthWrite
All Resources
*
NoneNone
kvstore:RenewInstanceRenewInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:ResetAccountPasswordResetAccountPasswordWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:RestartInstanceRestartInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
NoneNone
kvstore:RestoreInstanceRestoreInstanceWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:SwitchInstanceHASwitchInstanceHAWrite
All Resources
*
NoneNone
kvstore:SwitchInstanceProxySwitchInstanceProxyWrite
All Resources
*
NoneNone
kvstore:SwitchNetworkSwitchNetworkWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:SyncDtsStatusSyncDtsStatusWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:TagResourcesTagResourcesWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
NoneNone
kvstore:TransformInstanceChargeTypeTransformInstanceChargeTypeWrite
All Resources
*
NoneNone
kvstore:TransformToPrePaidTransformToPrePaidWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
NoneNone
kvstore:UntagResourcesUntagResourcesWrite
DBInstance
acs:kvstore:{#regionId}:{#accountId}:instance/*
NoneNone

Resource

Redis defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • {#resourceType} is set to *, all resources are specified.
    • {#regionId} is set to *, all regions are specified.
    • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
Resource typeARN
DBInstanceacs:kvstore:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}

Condition

Redis defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Redis. For more information about the common condition keys, see Generic Condition Keyword.
The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
Condition keyDescriptionData type
kvstore:InstanceClassString
kvstore:InstanceTypeString
kvstore:SSLEnabledString
kvstore:DbAuditBoolean
kvstore:TDEStatusString
kvstore:VpcAuthModeString
kvstore:InstanceAofConfigString
kvstore:AppendonlyString
kvstore:TLSVersionString
kvstore:EnableBackupLogString
kvstore:ResourceTagString

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: