Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users within the permissions of an Alibaba Cloud account. Different RAM users can be granted different permissions to allow or deny access to specific cloud resources.

Background information

Note
  • Alibaba Cloud accounts can create RAM users to perform specific operations. RAM users cannot own or retain resources. All resources belong only to Alibaba Cloud accounts.
  • If you use a RAM user to create an AnalyticDB for MySQL cluster, only the RAM user and the corresponding Alibaba Cloud account can be used to access the cluster. If you want other RAM users to access this cluster, you must grant them the required permissions.

Scenarios

Assume that you use an Alibaba Cloud account to create an AnalyticDB for MySQL cluster and share your AccessKey pair with members of your organization who want to use the AnalyticDB for MySQL cluster. This may cause the following issues:
  • If your AccessKey pair is shared by multiple users, the risk of leaks is high.
  • You cannot control the operations that specific users can perform on the cluster. For example, a user may scale out or restart the cluster.

To avoid the preceding issues, you can create RAM users and grant only required permissions to each RAM user. These RAM users, instead of your Alibaba Cloud account, can be used to access or manage your AnalyticDB for MySQL cluster.

Implementation

To allow RAM users to access or manage your AnalyticDB for MySQL cluster, you must perform the following operations:
  1. Create a RAM user.
  2. Grant permissions to the RAM user.

Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of the Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Grant permissions to the RAM user

After you grant permissions to the RAM user, you can use the RAM user to access or manage your AnalyticDB for MySQL cluster. For more information, see Grant permissions to a RAM user.

For an AnalyticDB for MySQL Data Warehouse Edition (V3.0) cluster, you can attach the following policies to the RAM user:
  • AliyunADBReadOnlyAccess: allows the RAM user to access your Data Warehouse Edition (V3.0) cluster in read-only mode.
  • AliyunADBFullAccess: allows the RAM user to manage your Data Warehouse Edition (V3.0) cluster.

Create a policy

If you need to authorize RAM users to perform operations on a specific AnalyticDB for MySQL cluster, you must create a custom policy in the RAM console.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. In the code editor, enter one of the following policy scripts to create a policy for an AnalyticDB for MySQL Data Warehouse Edition (V3.0) cluster.

    In the following example, a policy is created to allow RAM users to manage the am-xxx cluster:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow"
            },
            {
                "Action": "adb:*",
                "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
                "Effect": "Allow"
            }
        ]
    }

    In the following example, a policy is created to allow RAM users to access the am-xxx cluster in read-only mode:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow"
            },
            {
                "Action": "adb:Describe*",
                "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
                "Effect": "Allow"
            }
        ]
    }

    If the RAM user needs to manage multiple clusters or access multiple clusters in read-only mode, add the corresponding cluster IDs to the "Resource": ["acs:adb:*:*:dbcluster/am-xxx"] section of the script. Example: "Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"].

    After the policy is created, you must attach the policy to the specific RAM user.

  6. Click Next: Edit Basic Information.
  7. Specify the Name and Note fields.
  8. Check and optimize the policy document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  9. Click OK.
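
The two policy documents in step 5 share one shape: a first statement that lets the RAM user list clusters and tags across all dbcluster resources (needed for the console to render the cluster list), and a second statement scoped to the named cluster IDs that grants either adb:Describe* (read-only) or adb:* (management). The following Python script is an added example, not Alibaby Cloud's code or RAM's policy engine: it builds that shape for any list of cluster IDs and checks which actions a resulting policy would permit on a given cluster, so that a policy can be reviewed for least privilege before it is attached. It assumes a simplified model of RAM evaluation (only "*" wildcards in Action and Resource, implicit deny, explicit Deny overriding Allow; no conditions or principals). The region and account ID in the ARNs are constructed placeholders, and DescribeDBClusterAttribute, RestartDBCluster and DeleteDBCluster are AnalyticDB API names used only as probe actions.

```python
"""Generate and check RAM policies of the shape shown on this page.

Added example, not Alibaba Cloud code: it models only Allow/Deny statements
with "*" wildcards in Action and Resource, default deny, and an explicit Deny
overriding Allow. Conditions, principals and the console's policy optimizer
are out of scope.
"""
import json
import re

# Statement 1 of the page's policies: listing permissions on every cluster.
LIST_ACTIONS = ["adb:DescribeDBClusters", "adb:ListTagResources"]
ANY_CLUSTER = "acs:adb:*:*:dbcluster/*"


def cluster_policy(cluster_ids, read_only):
    """Build the page's policy shape for one or more cluster IDs.

    Statement 2 is scoped to the named clusters only and grants either
    adb:Describe* (read-only) or adb:* (management), exactly as in the page's
    two examples; further cluster IDs extend its Resource list rather than
    widening it to "dbcluster/*".
    """
    return {
        "Version": "1",
        "Statement": [
            {"Action": LIST_ACTIONS, "Resource": ANY_CLUSTER, "Effect": "Allow"},
            {
                "Action": "adb:Describe*" if read_only else "adb:*",
                "Resource": [f"acs:adb:*:*:dbcluster/{cid}" for cid in cluster_ids],
                "Effect": "Allow",
            },
        ],
    }


def _as_list(value):
    # RAM accepts a single string or an array for Action and Resource.
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # "*" is the only wildcard in RAM patterns; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Return "Allow" or "Deny" for a single (action, resource) request."""
    decision = "Deny"  # implicit deny: nothing is allowed until a statement says so
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny wins regardless of other statements
        decision = "Allow"
    return decision


def scope_report(policy, cluster_arn, actions):
    """Map each probe action to its decision on one cluster: a least-privilege check."""
    return {action: evaluate(policy, action, cluster_arn) for action in actions}


if __name__ == "__main__":
    # Constructed ARNs: the region and account ID are placeholders.
    am_xxx = "acs:adb:cn-hangzhou:123456789012:dbcluster/am-xxx"
    am_yyy = "acs:adb:cn-hangzhou:123456789012:dbcluster/am-yyy"
    probes = ["adb:DescribeDBClusters", "adb:DescribeDBClusterAttribute",
              "adb:RestartDBCluster"]

    read_only = cluster_policy(["am-xxx"], read_only=True)
    full = cluster_policy(["am-xxx", "am-yyy"], read_only=False)
    print(json.dumps(read_only, indent=4))
    print("read-only on am-xxx:", scope_report(read_only, am_xxx, probes))
    print("read-only on am-yyy:", scope_report(read_only, am_yyy, probes))
    print("full on am-yyy:     ", scope_report(full, am_yyy, probes))
```

Running the script prints the read-only policy for am-xxx and three reports: on am-xxx the read-only policy allows the two Describe probes but denies the restart; on am-yyy it allows only the cluster-wide DescribeDBClusters from statement 1, because statement 2 names am-xxx alone; the management policy built for both clusters allows the restart on am-yyy. This is the check to run whenever a cluster ID is added to the Resource list: confirm that the new entry grants exactly the intended cluster and nothing else.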

References

If a RAM user no longer requires specific permissions or if the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Remove permissions from a RAM user and Delete a RAM user.