Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users within the permissions of an Alibaba Cloud account. Different RAM users can be granted different permissions to allow or deny access to specific cloud resources.

Background information

Note
  • An Alibaba Cloud account can create RAM users to perform specific tasks. RAM users cannot own or retain resources; all resources belong to the Alibaba Cloud account.
  • If you use a RAM user to create a Data Warehouse Edition (V3.0) cluster, only that RAM user and the Alibaba Cloud account to which it belongs can access the cluster. If you want other RAM users to access the cluster, you must grant them the required permissions.

Scenarios

Assume that you use an Alibaba Cloud account to create a Data Warehouse Edition (V3.0) cluster and share the AccessKey pair of that account with members of your organization. This causes the following issues:
  • If one AccessKey pair is shared by multiple users, the risk of a leak is high, and a leaked pair grants the full permissions of the Alibaba Cloud account.
  • You cannot control which operations specific users can perform on the cluster. For example, any user who has the AccessKey pair can scale out or restart the cluster.

To avoid these issues, create RAM users and grant each RAM user only the permissions it requires. These RAM users, instead of your Alibaba Cloud account, are then used to access or manage your Data Warehouse Edition (V3.0) cluster.

Implementation

To allow RAM users to access or manage your Data Warehouse Edition (V3.0) cluster, you must perform the following operations:
  1. Create a RAM user.
  2. Grant permissions to the RAM user.

Create a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User. On the Create User page, specify Logon Name and Display Name.
    Note You can click Add User to create multiple RAM users at a time.
  4. In the Access Mode section, select Console Access or OpenAPI Access.
    • Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether a system-generated or custom logon password is used, whether the password must be reset on the next logon, and whether multi-factor authentication (MFA) is enabled. We recommend that you enable MFA for RAM users who log on to the console.
    • OpenAPI Access: If you select this access mode, an AccessKey pair is generated for the RAM user. The RAM user can then use the AccessKey pair in SDKs, the CLI, or other development tools to access your Data Warehouse Edition (V3.0) cluster.

    To keep your account secure, we recommend that you select only one access mode for each RAM user. In particular, do not create an AccessKey pair for a user who needs only the console: an AccessKey pair stays valid until you disable or delete it, so a user who has left your organization could otherwise still use it to access your Data Warehouse Edition (V3.0) cluster.

  5. Click OK.

Grant permissions to the RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions. Then, click Add Permissions in the Actions column.
  4. In the Add Permissions panel, select System Policy and enter a policy name to search for the policy. Click the policy to add it to the Selected section on the right.
    You can attach the following system policies to the RAM user. A system policy applies to all AnalyticDB clusters in your Alibaba Cloud account, not to a single cluster; to restrict a RAM user to specific clusters, create a custom policy instead (see Create a policy).
    • AliyunADBReadOnlyAccess: allows the RAM user to access your Data Warehouse Edition (V3.0) clusters in read-only mode.
    • AliyunADBFullAccess: allows the RAM user to perform all operations on your Data Warehouse Edition (V3.0) clusters, including operations such as scaling out, restarting, or deleting clusters.
  5. Click OK.

    After you grant permissions to the RAM user, you can use the RAM user to access or manage your Data Warehouse Edition (V3.0) cluster.

Create a policy

If you need to authorize RAM users to perform operations only on specific AnalyticDB for MySQL clusters, rather than on all clusters in the account, create a custom policy in the RAM console.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy. In this example, a policy that is used to manage Data Warehouse Edition (V3.0) clusters is created.
  4. On the Create Policy page, click the JSON tab.
  5. In the code editor, enter one of the following policy documents.

    In the following example, a policy is created to allow RAM users to manage the am-xxx cluster. The first statement allows the two listing actions on all clusters so that the console can display the cluster list; the second statement allows every adb action, but only on the cluster whose ID is am-xxx:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow"
            },
            {
                "Action": "adb:*",
                "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
                "Effect": "Allow"
            }
        ]
    }

    In the following example, a policy is created to allow RAM users to access the am-xxx cluster in read-only mode. The second statement allows only actions whose names start with Describe, so the RAM user can view the cluster but cannot modify it:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow"
            },
            {
                "Action": "adb:Describe*",
                "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
                "Effect": "Allow"
            }
        ]
    }

    If the RAM user needs to manage multiple clusters or access multiple clusters in read-only mode, add the IDs of those clusters to the Resource array of the second statement, which in the examples reads "Resource": ["acs:adb:*:*:dbcluster/am-xxx"]. Example: "Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"]. Do not widen the resource of the second statement to dbcluster/*, because that would grant the actions on every cluster in the account.

    After the policy is created, attach it to the RAM user by following the steps in Grant permissions to the RAM user and selecting Custom Policy instead of System Policy in the Add Permissions panel.

  6. Click Next: Edit Basic Information.
  7. Enter a policy name and click OK.
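The following Python script is an added example; it is not part of the original page and not Alibaba Cloud's own tooling. It generalizes the two policy documents above to any number of clusters and adds a small, simplified model of RAM policy evaluation (only the * wildcard, an explicit Deny wins, no match means Deny) so that you can check offline which actions a policy grants on which cluster before you attach it. The cluster IDs, region, account ID, and sample action names in the checks are constructed inputs; the function and variable names are the example's own.

```python
import json
import re

# Constructed inputs for this example (not from the original page): placeholder
# cluster IDs in the same form as the page's am-xxx.
MANAGED_CLUSTERS = ["am-xxx", "am-yyy"]

# The two actions the page grants on every cluster so the console can list them.
LIST_ACTIONS = ["adb:DescribeDBClusters", "adb:ListTagResources"]


def build_policy(cluster_ids, read_only=False):
    """Return a RAM policy document scoped to the given cluster IDs.

    Statement 1 allows listing all clusters; statement 2 allows either every
    adb action (manage) or only adb:Describe* (read-only), solely on the named
    clusters. This is the page's two policies generalized to N clusters.
    """
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": LIST_ACTIONS,
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow",
            },
            {
                "Action": "adb:Describe*" if read_only else "adb:*",
                "Resource": [f"acs:adb:*:*:dbcluster/{cid}" for cid in cluster_ids],
                "Effect": "Allow",
            },
        ],
    }


def _matches(pattern, value):
    """'*' matches any run of characters; everything else is literal.

    Assumption: this models only the '*' wildcard of RAM policies and ignores
    Condition elements, which the page's policies do not use.
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    # RAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified RAM decision: an explicit Deny wins, otherwise any matching
    Allow grants access, and no matching statement at all means Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(policy):
    """Serialize the document in the form pasted into the RAM console JSON tab."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    read_only = build_policy(["am-xxx"], read_only=True)
    manage = build_policy(MANAGED_CLUSTERS)
    print(policy_json(manage))

    # Constructed resource names: the region and account ID are made up.
    xxx = "acs:adb:cn-hangzhou:1234567890123456:dbcluster/am-xxx"
    zzz = "acs:adb:cn-hangzhou:1234567890123456:dbcluster/am-zzz"
    checks = [
        (read_only, "adb:DescribeDBClusterAttribute", xxx),  # Allow: matches Describe*
        (read_only, "adb:DeleteDBCluster", xxx),             # Deny: not a Describe action
        (manage, "adb:DeleteDBCluster", xxx),                # Allow: adb:* on am-xxx
        (manage, "adb:DeleteDBCluster", zzz),                # Deny: am-zzz is not listed
        (manage, "adb:DescribeDBClusters", zzz),             # Allow: listing statement
    ]
    for pol, action, res in checks:
        verdict = "Allow" if is_allowed(pol, action, res) else "Deny"
        print(f"{action:34} {res.rsplit('/', 1)[1]:8} -> {verdict}")
```

Paste the output of policy_json into the JSON tab of the Create Policy page. The checks show the property you want from a least-privilege policy: the read-only policy allows adb:DescribeDBClusterAttribute on am-xxx but denies adb:DeleteDBCluster, and the management policy denies adb:DeleteDBCluster on a cluster that is not listed while still allowing adb:DescribeDBClusters everywhere. The model is only a sanity check on your own document; RAM itself remains the authority on how a policy is evaluated.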

References

If a RAM user no longer requires specific permissions or leaves your organization, revoke the permissions from the RAM user, disable or delete the user's AccessKey pairs, or delete the RAM user. For more information, see Remove permissions from a RAM user and Delete a RAM user.