When multiple team members need access to AnalyticDB for MySQL clusters, sharing an Alibaba Cloud account's AccessKey pair is a common but risky practice: the key is more likely to be compromised, and you lose visibility into who did what. Resource Access Management (RAM) solves both problems by letting you create individual users with only the permissions their role requires.
How RAM ownership works
RAM users belong to an Alibaba Cloud account and cannot own resources. All clusters—even those created by a RAM user—are owned by the Alibaba Cloud account.
When a RAM user creates a cluster, only that RAM user and the Alibaba Cloud account owner can access it by default. Other RAM users must be explicitly granted permissions.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account with administrator access
At least one AnalyticDB for MySQL cluster to grant access to
Create a RAM user
Log on to the RAM console.
In the navigation pane on the left, choose Identities > Users.
On the Users page, click Create User. Enter a Logon Name and a Display Name.
To create multiple RAM users at once, click Add User.
In the Access Mode section, select the access mode that matches how the user will interact with your clusters:
Important: Select only one access mode per RAM user. Limiting access to a single mode prevents a user who leaves your organization from retaining an alternative way in.
| Access mode | When to use |
|---|---|
| Console Access | The user needs to log on to the Alibaba Cloud console. Configure a logon password, optionally require a password reset upon next logon, and optionally enable multi-factor authentication (MFA). |
| Using permanent AccessKey to access | The user needs programmatic access via development tools or APIs. An AccessKey pair is created automatically. |
Click OK.
Grant permissions to a RAM user
Choose a system policy
RAM provides three built-in system policies for AnalyticDB for MySQL. Pick the one that matches the user's role:
| Policy | Permissions | Recommended for |
|---|---|---|
| AliyunADBReadOnlyAccess | View cluster information; no modifications | Analysts, auditors |
| AliyunADBDeveloperAccess | Run queries and manage data; cannot create, delete, or reconfigure clusters, or attach RAM users | Developers, data engineers |
| AliyunADBFullAccess | Full cluster management including creation, deletion, and configuration changes | Cluster administrators |
All three policies apply to Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters. For Data Warehouse Edition (V3.0) clusters, only AliyunADBReadOnlyAccess and AliyunADBFullAccess are available.
Choosing the right policy for common scenarios:
| Scenario | Recommended policy |
|---|---|
| User only needs to view cluster details or run reports | AliyunADBReadOnlyAccess |
| User needs to run queries and manage data in the SQL or Spark editor | AliyunADBDeveloperAccess |
| User needs to create, delete, or reconfigure clusters | AliyunADBFullAccess |
| User accesses only via API or CLI, not the console | Grant the matching policy above; no additional console permissions are needed |
Grant the least privilege needed for the role. Over-privileged users can accidentally delete clusters, change configurations, or cause data loss. If a user only needs to run queries, use AliyunADBDeveloperAccess instead of AliyunADBFullAccess.
Attach a system policy
Log on to the RAM console.
In the navigation pane on the left, choose Identities > Users.
On the Users page, find the target RAM user and click Add Permissions in the Actions column.
On the Add Permissions page, select System Policy from the drop-down list. Search for the policy by name and click it to add it to the Selected section.
Click OK.
After the policy is attached, the RAM user can access or manage your AnalyticDB for MySQL cluster.
Create a custom policy for a specific cluster
System policies apply to all clusters in your account. To restrict a RAM user to a single cluster—or a specific set of clusters—create a custom policy.
Create the custom policy
Log on to the RAM console.
In the navigation pane on the left, choose Permissions > Policies.
Click Create Policy and select the JSON tab.
Paste the policy JSON for your use case.
Full management of cluster `am-xxx`:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
      "Resource": "acs:adb:*:*:dbcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": "adb:*",
      "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
      "Effect": "Allow"
    }
  ]
}
```
Read-only access to cluster `am-xxx`:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
      "Resource": "acs:adb:*:*:dbcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": "adb:Describe*",
      "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
      "Effect": "Allow"
    }
  ]
}
```
Replace `am-xxx` with your actual cluster ID. To include multiple clusters, add their IDs to the `Resource` array in Statement 2:
```json
"Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"]
```
Click OK, enter a policy name and description, then click OK again.
Attach the custom policy to the RAM user following the steps in Attach a system policy.
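As an added illustration (this is example code, not part of the Alibaba Cloud documentation and not AnalyticDB's own tooling), the following Python script builds the custom policy above for any list of cluster IDs and runs a deliberately simplified allow/deny check against it, so you can see before attaching the policy which calls it admits on which clusters. The action names not shown on this page (adb:DescribeDBClusterAttribute, adb:DeleteDBCluster), the region and the account ID in the sample resource names are assumptions made for the example, and the evaluator is a simplified model rather than Alibaba Cloud's policy engine: it ignores Condition blocks and does not account for system policies attached to the same user.

```python
import fnmatch
import json
from typing import Iterable, List

# Added example, not the page's own code. Builds the custom policy shown in the
# "Create a custom policy for a specific cluster" section for any list of cluster
# IDs. read_only=True produces the adb:Describe* variant.
def build_cluster_policy(cluster_ids: Iterable[str], read_only: bool = False) -> dict:
    scoped_resources = [f"acs:adb:*:*:dbcluster/{cid}" for cid in cluster_ids]
    return {
        "Version": "1",
        "Statement": [
            {
                # Statement 1: listing clusters and reading tags is account-wide;
                # without it the console cannot show the cluster list at all.
                "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow",
            },
            {
                # Statement 2: the only statement that names specific clusters,
                # so this is where the scope of the grant is decided.
                "Action": "adb:Describe*" if read_only else "adb:*",
                "Resource": scoped_resources,
                "Effect": "Allow",
            },
        ],
    }


def policy_document(policy: dict) -> str:
    """Serialise the policy as the JSON text pasted into the RAM console."""
    return json.dumps(policy, indent=2)


def _as_list(value) -> List[str]:
    # Action and Resource may be a single string or an array in the policy.
    return value if isinstance(value, list) else [value]


# Simplified evaluator (an assumption of this example, not the real engine):
# a call is allowed when some Allow statement matches both action and resource
# and no Deny statement does. '*' in the policy is treated as a glob wildcard.
def is_allowed(policy: dict, action: str, resource: str) -> bool:
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cluster_resource(cluster_id: str, region: str = "cn-hangzhou",
                     account_id: str = "123456789012345678") -> str:
    """Constructed full resource name; the region and account ID are placeholders."""
    return f"acs:adb:{region}:{account_id}:dbcluster/{cluster_id}"


if __name__ == "__main__":
    read_only = build_cluster_policy(["am-xxx"], read_only=True)
    full = build_cluster_policy(["am-xxx", "am-yyy"])
    print(policy_document(read_only))
    checks = [
        ("adb:DescribeDBClusters", "am-yyy"),          # account-wide listing
        ("adb:DescribeDBClusterAttribute", "am-xxx"),  # assumed action name
        ("adb:DescribeDBClusterAttribute", "am-yyy"),  # outside the read-only scope
        ("adb:DeleteDBCluster", "am-xxx"),             # assumed action name
    ]
    for action, cid in checks:
        res = cluster_resource(cid)
        print(f"{action:32} {cid}: read-only={str(is_allowed(read_only, action, res)):5} "
              f"full={is_allowed(full, action, res)}")
```

Running the script prints the read-only policy document followed by one line per check. The useful observation is that Statement 1 makes cluster listing account-wide even in the read-only policy, while every other call is confined to the cluster IDs listed in Statement 2, so a user holding only the read-only policy cannot delete or reconfigure the cluster it names and cannot describe a cluster it does not name.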
Next steps
For Enterprise, Basic, and Data Lakehouse editions, attach a database standard account to a RAM user to enable database development directly in the AnalyticDB for MySQL console's SQL and Spark editors.
When a RAM user no longer needs access or leaves your organization, remove their permissions or delete the RAM user.