This topic describes how to use tags to grant RAM users access to ApsaraDB for RDS instances by group. After authorization, RAM users can view and manage only the tagged resources.


An Alibaba Cloud account is created. If you do not have one, create it on the account registration page before proceeding.


You have 10 ApsaraDB for RDS instances. You want to authorize the dev team to manage five instances and the ops team to manage the other five. Each team must be able to view only the instances that it is authorized to manage.


For more information, see Use tags to grant access to ECS instances by group.

The custom policy used to grant access to ApsaraDB for RDS instances is as follows:

  {
    "Statement": [
      {
        "Action": "rds:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "rds:ResourceTag/team": "dev"
          }
        }
      },
      {
        "Action": "rds:DescribeTag*",
        "Effect": "Allow",
        "Resource": "*"
      }
    ],
    "Version": "1"
  }

The preceding policy consists of two parts:

  • The "Action": "rds:*" part with Condition is used to filter the instances tagged as "team": "dev". The keyword of Condition is rds:ResourceTag.
  • The "Action": "rds:DescribeTag*" part is used to display all tags. When a RAM user performs operations in the ApsaraDB for RDS console, the system displays all optional tags. After the RAM user selects the tag key and tag value, the system filters the relevant instances.
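
To check the effect of the two statements before attaching the policy, the following added example (not Alibaba Cloud code) builds the same policy for each team and evaluates it against a constructed inventory. The evaluator is a simplified model that handles only Allow statements and StringEquals on rds:ResourceTag; the helper names and instance IDs are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

def team_policy(team):
    """Build the policy shown above for one value of the "team" tag."""
    return {
        "Statement": [
            {"Action": "rds:*", "Effect": "Allow", "Resource": "*",
             "Condition": {"StringEquals": {"rds:ResourceTag/team": team}}},
            {"Action": "rds:DescribeTag*", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }

def is_allowed(policy, action, tags=None):
    """Simplified model: a request is allowed if any Allow statement matches
    the action and every StringEquals tag condition (case-sensitive) holds."""
    tags = tags or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not fnmatchcase(action, stmt["Action"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key "rds:ResourceTag/team" -> tag key "team"
        if all(tags.get(k.split("/", 1)[1]) == v for k, v in wanted.items()):
            return True
    return False

# Constructed inventory: five dev instances, five ops instances, one untagged.
INSTANCES = {f"rm-example{i:02d}": {"team": "dev" if i < 5 else "ops"}
             for i in range(10)}
INSTANCES["rm-untagged"] = {}

def visible_to(team):
    """Instance IDs on which the team's policy allows an RDS describe call."""
    policy = team_policy(team)
    return sorted(iid for iid, tags in INSTANCES.items()
                  if is_allowed(policy, "rds:DescribeDBInstanceAttribute", tags))

if __name__ == "__main__":
    print(json.dumps(team_policy("ops"), indent=2))  # policy for the ops team
    for team in ("dev", "ops"):
        print(team, visible_to(team))
```

An untagged instance, or one whose tag value differs only in case (for example "Dev"), matches neither team's condition, so tag every instance before relying on this policy.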


If the relevant permissions of a RAM user are missing after you tag ApsaraDB for RDS instances into groups and grant permissions, see What can I do if the permissions of RAM users are missing after I have attached tags to a group of RDS instances and granted permissions to RAM users?