This topic describes how to use tags to grant Resource Access Management (RAM) users access to a group of ApsaraDB for RDS instances. After authorization, RAM users can view and manage only the tagged resources.
Prerequisites
An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
Scenario
Assume that you have 10 ApsaraDB for RDS instances. You want to authorize the developer team to manage five instances and the operator team to manage the other five. However, you want each team to view and manage only the authorized instances.
Procedure
The procedure for using tags to grant access to ApsaraDB for RDS instances by group is the same as that for using tags to grant access to ECS instances by group. For more information, see Use tags to grant access to a group of ECS instances.
However, you must use a custom policy that includes the permissions on ApsaraDB for RDS instances. The following script is an example policy that you can use to authorize the developer team:
{
  "Statement": [
    {
      "Action": "rds:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:ResourceTag/team": "dev"
        }
      }
    },
    {
      "Action": "rds:DescribeTag*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
The policy consists of two statements:
- The statement that includes the "Action": "rds:*" element grants RAM users access to the ApsaraDB for RDS instances to which the team:dev tag is attached. The Condition key in this statement is rds:ResourceTag.
- The statement that includes the "Action": "rds:DescribeTag*" element authorizes RAM users to view all tags. After a RAM user logs on to the ApsaraDB for RDS console, all existing tags are displayed. The RAM user must select the value of an authorized tag key to view the instances to which the tag is attached.
FAQ
If permission errors occur after you use tags to grant RAM users access to a group of ApsaraDB for RDS instances, check whether the following conditions are met:
- The tag is attached to the instances.
- The tag keys and values that are specified in the policies have the same keys and values as the tags that are attached to the instances.
Note The keys and values of tags in ApsaraDB for RDS cannot contain uppercase letters. If you enter uppercase letters when you add a tag, ApsaraDB for RDS converts the uppercase letters into lowercase letters.
- The required policy is attached to the RAM users that are logged on.
- The region selected in the ApsaraDB for RDS console is the region to which the instances belong.
- The corresponding tag value to filter the instances is selected.
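The following script is an added example, not part of this documentation or of the RAM service: it simulates how the tag-conditioned policy above decides a request, and it reproduces the FAQ point that ApsaraDB for RDS stores tag keys and values in lowercase, so a policy condition written with uppercase letters never matches. Only Allow statements, the rds:* action wildcard and StringEquals on rds:ResourceTag/<key> are modelled; the action names used in comments are assumed for illustration.

```python
import fnmatch
import json

# Constructed for this example: the developer-team policy from the page.
DEV_TEAM_POLICY = json.loads("""
{
  "Statement": [
    {"Action": "rds:*", "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"rds:ResourceTag/team": "dev"}}},
    {"Action": "rds:DescribeTag*", "Effect": "Allow", "Resource": "*"}
  ],
  "Version": "1"
}
""")


def stored_tags(tags):
    """Simulate how ApsaraDB for RDS stores a tag: keys and values are lowercased."""
    return {key.lower(): value.lower() for key, value in tags.items()}


def _condition_matches(condition, instance_tags):
    # Every StringEquals entry must match an attached tag exactly (case-sensitive).
    # Condition keys other than rds:ResourceTag/<key> are not modelled (assumption).
    prefix = "rds:ResourceTag/"
    for cond_key, expected in condition.get("StringEquals", {}).items():
        if not cond_key.startswith(prefix):
            return False
        if instance_tags.get(cond_key[len(prefix):]) != expected:
            return False
    return True


def is_allowed(policy, action, instance_tags):
    """Return True if some Allow statement grants `action` on an instance carrying `instance_tags`.

    Deny statements and the Resource element are not evaluated (simplification).
    """
    tags = stored_tags(instance_tags)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), tags):
            return True
    return False
```

Running is_allowed against the same action with tags team=dev and team=ops shows the split between the two teams, and a policy whose condition value is "Dev" is rejected even for an instance tagged Team=Dev, because the stored tag is already lowercase.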