Resource Access Management (RAM) is Alibaba Cloud’s identity and access management service. RAM allows you to create and manage users (RAM users) under your Alibaba Cloud account and assign them specific permissions. This enables you to grant or deny access to your cloud resources on a granular level, improving security and operational control.
Background
RAM users belong to an Alibaba Cloud account and cannot own any resources. All resources are owned by the Alibaba Cloud account.
If a RAM user creates an AnalyticDB for MySQL cluster, that cluster is owned by the Alibaba Cloud account. By default, only that RAM user and the Alibaba Cloud account can access or manage the cluster. Other RAM users must be granted permissions.
Use cases
If multiple users in your organization need to access AnalyticDB for MySQL clusters with your Alibaba Cloud account, a common but insecure practice is to have all users share your Alibaba Cloud account's AccessKey pair.
Sharing your Alibaba Cloud account's AccessKey pair with multiple users poses the following security risks.
Your key is shared among multiple people, which increases the risk of it being compromised.
You cannot control the operations a specific user can perform on the cluster, such as scaling out or restarting it.
The recommended solution is to use RAM. By creating individual RAM users and granting them specific permissions, you can securely manage access to your AnalyticDB for MySQL clusters.
Before you start
To allow RAM users to access or manage your AnalyticDB for MySQL cluster, follow these two steps.
Create a RAM user
Log on to the RAM console.
In the navigation pane on the left, choose .
On the Users page, click Create User. Enter a Logon Name and a Display Name.
Note: Click Add User to create multiple RAM users at once.
In the Access Mode section, select Console Access or Using permanent AccessKey to access.
Console Access: Configure basic logon security settings. These include using an auto-generated or custom logon password, requiring a password reset upon next logon, and enabling multi-factor authentication (MFA).
Using permanent AccessKey to access: An AccessKey pair is automatically created for the RAM user. The RAM user can then use this pair with development tools to access the AnalyticDB for MySQL cluster.
For better account security, select only one access mode for each RAM user. This helps prevent a user who leaves your organization from accessing your AnalyticDB for MySQL cluster with an AccessKey pair.
Click OK to create the RAM user.
Grant permissions to a RAM user
Log on to the RAM console.
In the navigation pane on the left, choose .
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
On the Add Permissions page, select System Policy from the drop-down list. Search for a policy by name and click it to add it to the Selected section.
Warning: Do not grant excessive permissions. Over-privileged users can perform any operation, which can lead to security risks or data loss.
Policy descriptions:
Permissions for Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters:
AliyunADBReadOnlyAccess: Grants read-only access to Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
AliyunADBFullAccess: Grants permissions to manage Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
AliyunADBDeveloperAccess: Grants developer permissions for Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters. Compared to the AliyunADBFullAccess policy, AliyunADBDeveloperAccess does not include permissions to create, delete, or change cluster configurations, or to attach RAM users.
Permissions for Data Warehouse Edition (V3.0) clusters:
AliyunADBReadOnlyAccess: Grants read-only access to Data Warehouse Edition (V3.0) clusters.
AliyunADBFullAccess: Grants permissions to manage Data Warehouse Edition (V3.0) clusters.
Click OK to grant the permissions.
After you grant the permissions, the RAM user can access or manage your AnalyticDB for MySQL cluster.
Create a custom policy
To grant a RAM user fine-grained permissions for operations on a specific instance, you can create a custom policy in RAM.
Log on to the RAM console.
In the navigation pane on the left, choose .
Create a policy. This topic uses the creation of a policy for managing an AnalyticDB for MySQL cluster as an example.
Select the JSON tab.
Enter the policy script. The following examples show the script content.
Permissions to manage the am-xxx instance:
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
      "Resource": "acs:adb:*:*:dbcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": "adb:*",
      "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
      "Effect": "Allow"
    }
  ]
}

Read-only permissions for the am-xxx instance:

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
      "Resource": "acs:adb:*:*:dbcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": "adb:Describe*",
      "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
      "Effect": "Allow"
    }
  ]
}

If a RAM user needs to manage or have read-only access to multiple clusters, add the cluster IDs to the "Resource": ["acs:adb:*:*:dbcluster/am-xxx"] element in the script. For example: "Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"]. After you create the policy, you must attach it to the RAM user.
Click OK.
Enter a policy name and description, and then click OK.
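To confirm what a custom policy actually grants before attaching it, the following evaluator (an added example, not Alibaba Cloud's own code) loads the read-only policy above with a second cluster ID added and decides sample requests against it using the same wildcard matching. The deny-by-default and explicit-Deny-wins rules, the region/account segments in the sample resources, and the action names not shown on this page are assumptions.

```python
import json
import re

# Constructed input: the page's read-only policy with a second cluster (am-yyy) added
# to the Resource list, as the text describes for multi-cluster access.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
     "Resource": "acs:adb:*:*:dbcluster/*", "Effect": "Allow"},
    {"Action": "adb:Describe*",
     "Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"],
     "Effect": "Allow"}
  ]
}
""")


def _glob_match(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(field):
    # Action and Resource may be a single string or a list, as in the page's policies.
    return field if isinstance(field, list) else [field]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Decide one request: denied unless a statement allows it; an explicit Deny
    that matches wins over any Allow (assumed to mirror RAM evaluation)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed requests; region "cn-hangzhou", account "123" and the action
    # names other than DescribeDBClusters are assumed, not taken from the page.
    for action, cluster in [("adb:DescribeDBClusters", "am-zzz"),
                            ("adb:DescribeDBClusterAttribute", "am-xxx"),
                            ("adb:DescribeDBClusterAttribute", "am-zzz"),
                            ("adb:DeleteDBCluster", "am-xxx")]:
        res = f"acs:adb:cn-hangzhou:123:dbcluster/{cluster}"
        print("ALLOW" if is_allowed(READ_ONLY_POLICY, action, res) else "DENY", action, res)
```

The list call on any cluster passes through the first statement, while Describe* calls succeed only on the two named clusters and the delete is refused, which is the least-privilege outcome the Warning above asks for.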
References
For AnalyticDB for MySQL Enterprise, Basic, and Data Lakehouse editions, attach a database standard account to a RAM user to enable database development directly within the AnalyticDB for MySQL console's SQL and Spark editors.
If a RAM user no longer needs certain permissions or leaves the organization, you can remove these permissions or delete the RAM user.