By using resource groups to manage resources, you can integrate with RAM to enforce resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes how AnalyticDB for PostgreSQL supports resource groups and outlines the steps for resource group-level authorization.
-
Resource group-level authorization applies only to resource types that support resource groups and operations that support resource group-level authorization.
-
For resource types that do not support resource groups, permissions granted at the resource group scope have no effect. You must grant permissions at the account level instead. For more information, see Operations that do not support resource group-level authorization.
Resource group authorization
Use Resource Groups to organize and manage resources in your Alibaba Cloud account. For example, you can create a dedicated Resource Group for each project and move the project's resources into that group for centralized management. For more information, see What is a Resource Group?.
After grouping your resources, you can grant permissions on a specific Resource Group to various RAM principals, such as RAM users, RAM user groups, or RAM roles. This limits the principal to managing only the resources in that Resource Group. For more information, see Resource grouping and authorization.
This authorization method provides the following advantages:
-
Fine-grained permissions: Ensures that each identity has only the specific permissions it requires, preventing it from managing resources from other projects.
-
Scalability: When you add new resources, you only need to assign them to the Resource Group. The RAM principal automatically inherits permissions for these new resources, so you do not have to grant permissions again.
Grant resource group-level permissions to a RAM user
This topic describes how to grant a RAM user permissions for AnalyticDB for PostgreSQL resources within a specific resource group.
1. Prerequisites
-
Create the RAM user that you want to use. For more information, see Create a RAM user.
-
Create a resource group and transfer your existing resources to it. For more information, see Create a resource group, Automatic resource transfer, and Manual resource transfer.
2. Grant resource group permissions
You can grant permissions at the resource group level by using one of the following methods.
Method 1: Resource Management console
Use the permission management feature of a resource group to grant permissions to a specific RAM user. For detailed instructions, see Grant resource group-scoped permissions to a RAM identity.
-
Log on to the Resource Management console.
-
On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.
-
On the Permission Management tab, click Add Authorization.
-
In the Add Authorization panel, configure the principal and policy.
-
Principal: Select an existing RAM user.
-
Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.
-
-
Click OK.
Method 2: RAM console
You can grant permissions to a RAM user in the RAM console. For detailed instructions, see Manage the permissions of a RAM user.
-
Log on to the RAM console with an Alibaba Cloud account or as a RAM administrator.
-
In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permissions in the Actions column.
-
In the Add Authorization panel, configure the authorization settings.
-
Resource Scope: Select resource group level.
-
Principal: Select the RAM user.
-
Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.
-
-
Click OK.
Resource types that support resource groups
This table lists the resource types for AnalyticDB for PostgreSQL that support resource groups.
|
Cloud service |
Service code |
Resource type |
|
AnalyticDB for PostgreSQL |
gpdb |
instance |
If a resource type you need is not yet supported, you can submit feedback in the Resource Group console.
Unsupported resource group-level operations
|
Actions |
Description |
|
gpdb:AddAINode |
Adds an AI node. |
|
gpdb:AllocateInstancePublicConnection |
Allocates a public endpoint for an instance. |
|
gpdb:BindDBResourceGroupWithRole |
Binds a resource group to a database role. |
|
gpdb:BindToVirtualCluster |
- |
|
gpdb:CancelActiveOperationTasks |
- |
|
gpdb:ChatWithKnowledgeBase |
Provides an intelligent Q&A service by combining a knowledge base with a large language model. |
|
gpdb:ChatWithKnowledgeBaseStream |
Provides an intelligent Q&A service by combining a knowledge base with a large language model. This streaming API is callable via Server-Sent Events (SSE) or an asynchronous Java SDK. |
|
gpdb:CheckHadoopDataSource |
Checks the configuration of a Hadoop data source. |
|
gpdb:CheckHadoopNetConnection |
Checks network connectivity to an external Hadoop data source. |
|
gpdb:CheckJDBCSourceNetConnection |
Checks the network connectivity of a JDBC connection string. |
|
gpdb:CheckServiceLinkedRole |
Checks if a service-linked role exists. |
|
gpdb:CloneDBInstance |
Clones an instance. |
|
gpdb:CountVswitchIPNums |
- |
|
gpdb:CreateAccount |
Creates an initial account for an AnalyticDB for PostgreSQL instance. |
|
gpdb:CreateBackup |
Creates a backup. |
|
gpdb:CreateDBInstance |
Creates an AnalyticDB for PostgreSQL instance. |
|
gpdb:CreateDBInstanceIPArray |
Creates an IP whitelist for an instance. |
|
gpdb:CreateDBInstancePlan |
Creates a scheduled plan. |
|
gpdb:CreateDBResourceGroup |
Creates a resource group. |
|
gpdb:CreateDatabase |
Creates a database. |
|
gpdb:CreateExtensions |
Installs extensions. |
|
gpdb:CreateExternalDataService |
Creates an external data service. |
|
gpdb:CreateHadoopDataSource |
Creates a Hadoop data source configuration. |
|
gpdb:CreateJDBCDataSource |
Creates a JDBC data source. |
|
gpdb:CreateModelService |
Creates a model service. |
|
gpdb:CreateOrder |
- |
|
gpdb:CreateRemoteADBDataSource |
Creates a homogeneous data source. |
|
gpdb:CreateSampleData |
Creates a sample dataset for an AnalyticDB for PostgreSQL instance. |
|
gpdb:CreateServiceLinkedRole |
Creates a service-linked role (SLR). |
|
gpdb:CreateStreamingDataService |
Creates a streaming data service. |
|
gpdb:CreateStreamingDataSource |
Creates a streaming data source. |
|
gpdb:CreateStreamingJob |
Creates a real-time data synchronization job. |
|
gpdb:CreateSupabaseBackup |
- |
|
gpdb:CreateSupabaseProject |
Creates a Supabase project. |
|
gpdb:CreateVirtualCluster |
- |
|
gpdb:DeleteAINode |
Deletes an AI node. |
|
gpdb:DeleteBackup |
Deletes a backup. Only manual physical backups can be deleted. |
|
gpdb:DeleteDBInstance |
Deletes a pay-as-you-go instance. |
|
gpdb:DeleteDBInstanceIPArray |
- |
|
gpdb:DeleteDBInstancePlan |
Deletes a scheduled plan for an instance. |
|
gpdb:DeleteDBResourceGroup |
Deletes a resource group. |
|
gpdb:DeleteDatabase |
- |
|
gpdb:DeleteExtension |
Uninstalls an extension. |
|
gpdb:DeleteExternalDataService |
Deletes an external data service. |
|
gpdb:DeleteHadoopDataSource |
Deletes an external Hadoop data source. |
|
gpdb:DeleteJDBCDataSource |
Deletes a JDBC data source. |
|
gpdb:DeleteModelService |
Deletes a model service. |
|
gpdb:DeletePrivateRAGService |
- |
|
gpdb:DeleteRemoteADBDataSource |
Deletes a homogeneous data source. |
|
gpdb:DeleteStreamingDataService |
Deletes a streaming data service. |
|
gpdb:DeleteStreamingDataSource |
Deletes a streaming data source. |
|
gpdb:DeleteStreamingJob |
Deletes a real-time data synchronization job. |
|
gpdb:DeleteSupabaseBackup |
- |
|
gpdb:DeleteSupabaseProject |
Deletes a Supabase project. |
|
gpdb:DeleteVirtualCluster |
- |
|
gpdb:DeployPrivateRAGService |
- |
|
gpdb:DescribeAccounts |
Queries account information for an instance. |
|
gpdb:DescribeActiveSQLRecords |
Queries active SQL records. |
|
gpdb:DescribeAvailableResources |
Queries the resources available for creating an instance. |
|
gpdb:DescribeBackupJob |
Queries the details of a backup job. |
|
gpdb:DescribeBackupPolicy |
Queries the backup policy for an instance. |
|
gpdb:DescribeDBClusterNode |
Queries information about nodes in an instance. |
|
gpdb:DescribeDBClusterPerformance |
Queries performance metrics for an instance over a specified time period. |
|
gpdb:DescribeDBInstanceAttribute |
Queries the details of an instance. |
|
gpdb:DescribeDBInstanceDataBloat |
Queries information about data bloat in an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceDataSkew |
Queries information about data skew in an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceDiagnosisSummary |
Queries the node details of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceErrorLog |
Queries the error logs of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceIPArrayList |
Queries the IP whitelist of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceIndexUsage |
Queries the index usage of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceNetInfo |
Queries the connection information of an instance. |
|
gpdb:DescribeDBInstancePerformance |
Queries the performance monitoring data for specified metrics of an instance in storage-reserved mode over a specified time period. |
|
gpdb:DescribeDBInstancePlans |
Queries the plan details of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceSQLPatterns |
- |
|
gpdb:DescribeDBInstanceSSL |
Queries the SSL information of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDBInstanceSupportMaxPerformance |
Queries the maximum throughput of an instance. |
|
gpdb:DescribeDBInstances |
Queries a list of AnalyticDB for PostgreSQL instances. |
|
gpdb:DescribeDBResourceGroup |
Queries the details of a resource group. |
|
gpdb:DescribeDBResourceManagementMode |
Queries the resource management mode of an instance. |
|
gpdb:DescribeDBVersion |
- |
|
gpdb:DescribeDBVersionInfos |
Queries kernel version information. |
|
gpdb:DescribeDataBackups |
Queries data backups and restorable points-in-time for an instance. |
|
gpdb:DescribeDataReDistributeInfo |
Queries the data redistribution progress for a storage elastic mode V6.0 instance during a node scaling operation. |
|
gpdb:DescribeDataShareInstances |
Queries the data sharing status. |
|
gpdb:DescribeDataSharePerformance |
Queries the performance metrics of data sharing. |
|
gpdb:DescribeDatabase |
- |
|
gpdb:DescribeDiagnosisDimensions |
Queries all databases and users within an instance. |
|
gpdb:DescribeDiagnosisMonitorPerformance |
Queries the SQL execution information of an AnalyticDB for PostgreSQL instance in storage elastic mode over a specified time period. |
|
gpdb:DescribeDiagnosisRecords |
Queries the list of SQL queries for an instance. |
|
gpdb:DescribeDiagnosisSQLInfo |
Queries the details of a specific query in an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDownloadRecords |
Queries the download records of query diagnostic information for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeDownloadSQLLogs |
Queries the five most recent download records of slow query information for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeExtension |
- |
|
gpdb:DescribeExternalDataService |
Queries the details of an external data service. |
|
gpdb:DescribeHadoopClustersInSameNet |
Queries E-MapReduce (EMR) cluster instances within the same VPC. |
|
gpdb:DescribeHadoopConfigs |
Queries the configuration information of a Hadoop cluster. |
|
gpdb:DescribeHadoopDataSource |
Queries the configuration information of a Hadoop data source. |
|
gpdb:DescribeHealthStatus |
Queries the health status of an instance and its nodes. |
|
gpdb:DescribeHistoryEvents |
- |
|
gpdb:DescribeHistoryEventsStat |
- |
|
gpdb:DescribeIMVInfos |
Queries the details of real-time materialized views in an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeJDBCDataSource |
Queries the configuration information of a JDBC data source. |
|
gpdb:DescribeLogBackups |
Queries a list of log backups. |
|
gpdb:DescribeModelService |
Queries a model service. |
|
gpdb:DescribeModifyParameterLog |
Queries the parameter modification history of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeParameters |
Queries the configuration parameters of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribePrivateRAGService |
- |
|
gpdb:DescribeRayCluster |
- |
|
gpdb:DescribeRebalanceStatus |
- |
|
gpdb:DescribeRegions |
- |
|
gpdb:DescribeRoles |
Queries a list of roles. |
|
gpdb:DescribeSQLCollectorPolicy |
- |
|
gpdb:DescribeSQLLogCount |
Queries the number of audit logs for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeSQLLogRecords |
- |
|
gpdb:DescribeSQLLogs |
Queries SQL execution records. |
|
gpdb:DescribeSampleData |
Queries whether a sample dataset has been loaded into an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeSpecification |
- |
|
gpdb:DescribeStreamingDataService |
Queries a streaming data service. |
|
gpdb:DescribeStreamingDataSource |
Queries a streaming data source. |
|
gpdb:DescribeStreamingJob |
Queries a real-time data synchronization job. |
|
gpdb:DescribeSupabaseBackupJob |
- |
|
gpdb:DescribeSupabaseBackupPolicy |
- |
|
gpdb:DescribeSupportFeatures |
Queries the features supported by the current AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeTags |
Queries the tags of an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeUserEncryptionKeyList |
Queries a list of KMS keys activated by the user. |
|
gpdb:DescribeWaitingSQLInfo |
Queries lock wait details for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeWaitingSQLRecords |
Queries the lock diagnostics list for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DescribeZonesPrivateRAGService |
- |
|
gpdb:DisableDBResourceGroup |
Disables resource group management for an AnalyticDB for PostgreSQL V6.0 instance in storage elastic mode. When disabled, the instance's resource management mode switches from resource groups to resource queues. |
|
gpdb:DownloadDiagnosisRecords |
Downloads the query diagnostic records for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DownloadSQLLogsRecords |
Downloads the slow SQL records for an AnalyticDB for PostgreSQL instance. |
|
gpdb:DownloadSlowSQLRecords |
Downloads slow SQL records. |
|
gpdb:EnableDBResourceGroup |
Enables resource group management for an AnalyticDB for PostgreSQL V6.0 instance in storage elastic mode. When enabled, the instance's resource management mode switches from resource queues to resource groups. |
|
gpdb:GetAINode |
- |
|
gpdb:GetAccount |
Gets information about a specific account. |
|
gpdb:GetPrice |
- |
|
gpdb:GetSupabaseDashboardAccount |
- |
|
gpdb:GetSupabaseProject |
Gets the details of a Supabase project. |
|
gpdb:GetSupabaseProjectApiKeys |
Gets the API keys for a Supabase project. |
|
gpdb:GetSupabaseProjectDashboardAccount |
Gets the dashboard account for a Supabase project. |
|
gpdb:GetSupabaseProjectSpec |
- |
|
gpdb:GetSupabaseUpdateVersion |
- |
|
gpdb:HandleActiveSQLRecord |
Handles one or more active queries. |
|
gpdb:ListAINodePools |
Queries a list of AI node pools. |
|
gpdb:ListBackupJobs |
Queries a list of backup jobs. |
|
gpdb:ListDatabaseExtensions |
- |
|
gpdb:ListExternalDataServices |
Queries a list of external data services. |
|
gpdb:ListHeadNodeSpec |
- |
|
gpdb:ListInstanceDatabases |
- |
|
gpdb:ListInstanceExtensions |
Queries a list of extensions. |
|
gpdb:ListModelServices |
Queries all model services. |
|
gpdb:ListRemoteADBDataSources |
Queries homogeneous data sources. |
|
gpdb:ListSlowSQLRecords |
Queries slow SQL records. |
|
gpdb:ListStreamingDataServices |
- |
|
gpdb:ListStreamingJobs |
Queries all real-time data synchronization jobs. |
|
gpdb:ListSupabaseBackupJobs |
- |
|
gpdb:ListSupabaseDataBackups |
- |
|
gpdb:ListSupabaseProjects |
Queries a list of Supabase projects. |
|
gpdb:ListSupportModels |
Queries a list of supported models. |
|
gpdb:ListTagResources |
Queries all tagged resources. |
|
gpdb:ListVirtualClusters |
- |
|
gpdb:ModifyAccountDescription |
Modifies the description of a database account. |
|
gpdb:ModifyActiveOperationMaintainConf |
- |
|
gpdb:ModifyActiveOperationTasks |
- |
|
gpdb:ModifyBackupPolicy |
Modifies the backup policy of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ModifyDBInstanceConfig |
Modify the compute resource threshold and idle release wait time for an AnalyticDB for PostgreSQL instance in Serverless auto-scheduling mode. |
|
gpdb:ModifyDBInstanceConnectionMode |
- |
|
gpdb:ModifyDBInstanceConnectionString |
Modifies the endpoint of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ModifyDBInstanceDeploymentMode |
Modifies the deployment mode of an instance. |
|
gpdb:ModifyDBInstanceDescription |
Modifies the description of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ModifyDBInstanceMaintainTime |
Modifies the maintenance window for an instance. |
|
gpdb:ModifyDBInstanceNetworkType |
Switches the network type of an instance. |
|
gpdb:ModifyDBInstancePayType |
Switches the billing method of an instance between subscription and pay-as-you-go. |
|
gpdb:ModifyDBInstanceResourceGroup |
Moves an instance to a different resource group. |
|
gpdb:ModifyDBInstanceSSL |
Enables, disables, or updates SSL encryption. |
|
gpdb:ModifyDBInstanceUnitCode |
- |
|
gpdb:ModifyDBResourceGroup |
Modifies a resource group. |
|
gpdb:ModifyExternalDataService |
Modifies an external data service. |
|
gpdb:ModifyHadoopDataSource |
Modifies a Hadoop data source configuration. |
|
gpdb:ModifyJDBCDataSource |
Modifies a JDBC data source configuration. |
|
gpdb:ModifyMasterSpec |
Modifies the specifications of the coordinator node. |
|
gpdb:ModifyModelServicePublicConnection |
- |
|
gpdb:ModifyModelServiceSecurityIps |
- |
|
gpdb:ModifyParameters |
Modifies the configuration parameters of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ModifyRemoteADBDataSource |
Modifies a homogeneous data source. |
|
gpdb:ModifySQLCollectorPolicy |
Enables or disables the SQL Insight feature for an instance. |
|
gpdb:ModifySecurityIps |
Modifies the IP whitelist of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ModifyStreamingDataService |
Modifies a streaming data service. |
|
gpdb:ModifyStreamingDataSource |
Modify the data source for the real-time data service. |
|
gpdb:ModifyStreamingJob |
Modifies a real-time data synchronization job. |
|
gpdb:ModifySupabaseBackupPolicy |
- |
|
gpdb:ModifySupabaseProjectSecurityIps |
Modifies the IP whitelist of a Supabase project. |
|
gpdb:ModifyVectorConfiguration |
Modifies the vector engine optimization configuration for an instance. |
|
gpdb:PauseDataRedistribute |
Pauses data redistribution. |
|
gpdb:PauseInstance |
Pauses an AnalyticDB for PostgreSQL instance. |
|
gpdb:RebalanceDBInstance |
Rebalances the deployment of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ReleaseInstancePublicConnection |
Releases the public endpoint of an AnalyticDB for PostgreSQL instance. |
|
gpdb:ResetAccountPassword |
Resets an account password. |
|
gpdb:ResetIMVMonitorData |
Resets the statistics of an incremental materialized view (IMV). |
|
gpdb:ResetSupabaseProjectPassword |
Resets the database password for a Supabase project. |
|
gpdb:RestartDBInstance |
Restarts an AnalyticDB for PostgreSQL instance. |
|
gpdb:RestartSupabaseProject |
- |
|
gpdb:ResumeDataRedistribute |
Resumes data redistribution. |
|
gpdb:ResumeInstance |
Resumes a paused AnalyticDB for PostgreSQL instance. |
|
gpdb:SetDBInstancePlanStatus |
Enables or disables a plan for an AnalyticDB for PostgreSQL instance. |
|
gpdb:SetDataShareInstance |
Adds an instance to, or removes it from, a data sharing cluster. |
|
gpdb:SwitchAINodeZone |
- |
|
gpdb:SwitchDBInstanceNetType |
Switches an instance between internal and public endpoints. |
|
gpdb:TagResources |
Tags one or more resources. |
|
gpdb:UnbindDBResourceGroupWithRole |
Unbinds a resource group from a database role. |
|
gpdb:UnloadSampleData |
Unloads the sample dataset from an AnalyticDB for PostgreSQL instance. |
|
gpdb:UntagResources |
Detaches tags from one or more instances. A tag is automatically deleted if it is no longer attached to any instance. |
|
gpdb:UpdateDBInstancePlan |
Modifies a scheduled plan for an AnalyticDB for PostgreSQL instance. |
|
gpdb:UpdateSupabaseVersion |
- |
|
gpdb:UpgradeDBInstance |
Upgrades the specifications of an AnalyticDB for PostgreSQL instance. |
|
gpdb:UpgradeDBVersion |
Upgrades the minor kernel version of an instance. |
|
gpdb:UpgradeExtensions |
Upgrades extensions. |
If an operation does not support authorization at the resource group level, granting permissions at this level will have no effect. To grant a RAM User permissions for these operations, create a custom policy and grant them at the account level.
Below are two examples of custom permission policies that you can adjust to fit your needs.
-
Allows all read-only operations that do not support resource group-level authorization: The
Actionelement lists all read-only operations that do not support resource group-level authorization.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "gpdb:CheckServiceLinkedRole", "gpdb:DescribeAccounts", "gpdb:DescribeActiveSQLRecords", "gpdb:DescribeAvailableResources", "gpdb:DescribeBackupJob", "gpdb:DescribeBackupPolicy", "gpdb:DescribeDBClusterNode", "gpdb:DescribeDBClusterPerformance", "gpdb:DescribeDBInstanceAttribute", "gpdb:DescribeDBInstanceDataBloat", "gpdb:DescribeDBInstanceDataSkew", "gpdb:DescribeDBInstanceDiagnosisSummary", "gpdb:DescribeDBInstanceErrorLog", "gpdb:DescribeDBInstanceIPArrayList", "gpdb:DescribeDBInstanceIndexUsage", "gpdb:DescribeDBInstanceNetInfo", "gpdb:DescribeDBInstancePerformance", "gpdb:DescribeDBInstancePlans", "gpdb:DescribeDBInstanceSQLPatterns", "gpdb:DescribeDBInstanceSSL", "gpdb:DescribeDBInstanceSupportMaxPerformance", "gpdb:DescribeDBInstances", "gpdb:DescribeDBResourceGroup", "gpdb:DescribeDBResourceManagementMode", "gpdb:DescribeDBVersion", "gpdb:DescribeDBVersionInfos", "gpdb:DescribeDataBackups", "gpdb:DescribeDataReDistributeInfo", "gpdb:DescribeDataShareInstances", "gpdb:DescribeDataSharePerformance", "gpdb:DescribeDatabase", "gpdb:DescribeDiagnosisDimensions", "gpdb:DescribeDiagnosisMonitorPerformance", "gpdb:DescribeDiagnosisRecords", "gpdb:DescribeDiagnosisSQLInfo", "gpdb:DescribeDownloadRecords", "gpdb:DescribeDownloadSQLLogs", "gpdb:DescribeExtension", "gpdb:DescribeExternalDataService", "gpdb:DescribeHadoopClustersInSameNet", "gpdb:DescribeHadoopConfigs", "gpdb:DescribeHadoopDataSource", "gpdb:DescribeHealthStatus", "gpdb:DescribeHistoryEvents", "gpdb:DescribeHistoryEventsStat", "gpdb:DescribeIMVInfos", "gpdb:DescribeJDBCDataSource", "gpdb:DescribeLogBackups", "gpdb:DescribeModelService", "gpdb:DescribeModifyParameterLog", "gpdb:DescribeParameters", "gpdb:DescribePrivateRAGService", "gpdb:DescribeRayCluster", "gpdb:DescribeRebalanceStatus", "gpdb:DescribeRegions", "gpdb:DescribeRoles", "gpdb:DescribeSQLCollectorPolicy", "gpdb:DescribeSQLLogCount", "gpdb:DescribeSQLLogRecords", "gpdb:DescribeSQLLogs", "gpdb:DescribeSampleData", "gpdb:DescribeSpecification", "gpdb:DescribeStreamingDataService", "gpdb:DescribeStreamingDataSource", "gpdb:DescribeStreamingJob", "gpdb:DescribeSupabaseBackupJob", "gpdb:DescribeSupabaseBackupPolicy", "gpdb:DescribeSupportFeatures", "gpdb:DescribeTags", "gpdb:DescribeUserEncryptionKeyList", "gpdb:DescribeWaitingSQLInfo", "gpdb:DescribeWaitingSQLRecords", "gpdb:DescribeZonesPrivateRAGService", "gpdb:ListAINodePools", "gpdb:ListBackupJobs", "gpdb:ListDatabaseExtensions", "gpdb:ListExternalDataServices", "gpdb:ListHeadNodeSpec", "gpdb:ListInstanceDatabases", "gpdb:ListInstanceExtensions", "gpdb:ListModelServices", "gpdb:ListRemoteADBDataSources", "gpdb:ListSlowSQLRecords", "gpdb:ListStreamingDataServices", "gpdb:ListStreamingJobs", "gpdb:ListSupabaseBackupJobs", "gpdb:ListSupabaseDataBackups", "gpdb:ListSupabaseProjects", "gpdb:ListSupportModels", "gpdb:ListTagResources", "gpdb:ListVirtualClusters" ], "Resource": "*" } ] } -
Allows all actions that do not support resource group-level authorization: The
Actionelement lists all of these actions.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "gpdb:AddAINode", "gpdb:AllocateInstancePublicConnection", "gpdb:BindDBResourceGroupWithRole", "gpdb:BindToVirtualCluster", "gpdb:CancelActiveOperationTasks", "gpdb:ChatWithKnowledgeBase", "gpdb:ChatWithKnowledgeBaseStream", "gpdb:CheckHadoopDataSource", "gpdb:CheckHadoopNetConnection", "gpdb:CheckJDBCSourceNetConnection", "gpdb:CheckServiceLinkedRole", "gpdb:CloneDBInstance", "gpdb:CountVswitchIPNums", "gpdb:CreateAccount", "gpdb:CreateBackup", "gpdb:CreateDBInstance", "gpdb:CreateDBInstanceIPArray", "gpdb:CreateDBInstancePlan", "gpdb:CreateDBResourceGroup", "gpdb:CreateDatabase", "gpdb:CreateExtensions", "gpdb:CreateExternalDataService", "gpdb:CreateHadoopDataSource", "gpdb:CreateJDBCDataSource", "gpdb:CreateModelService", "gpdb:CreateOrder", "gpdb:CreateRemoteADBDataSource", "gpdb:CreateSampleData", "gpdb:CreateServiceLinkedRole", "gpdb:CreateStreamingDataService", "gpdb:CreateStreamingDataSource", "gpdb:CreateStreamingJob", "gpdb:CreateSupabaseBackup", "gpdb:CreateSupabaseProject", "gpdb:CreateVirtualCluster", "gpdb:DeleteAINode", "gpdb:DeleteBackup", "gpdb:DeleteDBInstance", "gpdb:DeleteDBInstanceIPArray", "gpdb:DeleteDBInstancePlan", "gpdb:DeleteDBResourceGroup", "gpdb:DeleteDatabase", "gpdb:DeleteExtension", "gpdb:DeleteExternalDataService", "gpdb:DeleteHadoopDataSource", "gpdb:DeleteJDBCDataSource", "gpdb:DeleteModelService", "gpdb:DeletePrivateRAGService", "gpdb:DeleteRemoteADBDataSource", "gpdb:DeleteStreamingDataService", "gpdb:DeleteStreamingDataSource", "gpdb:DeleteStreamingJob", "gpdb:DeleteSupabaseBackup", "gpdb:DeleteSupabaseProject", "gpdb:DeleteVirtualCluster", "gpdb:DeployPrivateRAGService", "gpdb:DescribeAccounts", "gpdb:DescribeActiveSQLRecords", "gpdb:DescribeAvailableResources", "gpdb:DescribeBackupJob", "gpdb:DescribeBackupPolicy", "gpdb:DescribeDBClusterNode", "gpdb:DescribeDBClusterPerformance", "gpdb:DescribeDBInstanceAttribute", "gpdb:DescribeDBInstanceDataBloat", "gpdb:DescribeDBInstanceDataSkew", "gpdb:DescribeDBInstanceDiagnosisSummary", "gpdb:DescribeDBInstanceErrorLog", "gpdb:DescribeDBInstanceIPArrayList", "gpdb:DescribeDBInstanceIndexUsage", "gpdb:DescribeDBInstanceNetInfo", "gpdb:DescribeDBInstancePerformance", "gpdb:DescribeDBInstancePlans", "gpdb:DescribeDBInstanceSQLPatterns", "gpdb:DescribeDBInstanceSSL", "gpdb:DescribeDBInstanceSupportMaxPerformance", "gpdb:DescribeDBInstances", "gpdb:DescribeDBResourceGroup", "gpdb:DescribeDBResourceManagementMode", "gpdb:DescribeDBVersion", "gpdb:DescribeDBVersionInfos", "gpdb:DescribeDataBackups", "gpdb:DescribeDataReDistributeInfo", "gpdb:DescribeDataShareInstances", "gpdb:DescribeDataSharePerformance", "gpdb:DescribeDatabase", "gpdb:DescribeDiagnosisDimensions", "gpdb:DescribeDiagnosisMonitorPerformance", "gpdb:DescribeDiagnosisRecords", "gpdb:DescribeDiagnosisSQLInfo", "gpdb:DescribeDownloadRecords", "gpdb:DescribeDownloadSQLLogs", "gpdb:DescribeExtension", "gpdb:DescribeExternalDataService", "gpdb:DescribeHadoopClustersInSameNet", "gpdb:DescribeHadoopConfigs", "gpdb:DescribeHadoopDataSource", "gpdb:DescribeHealthStatus", "gpdb:DescribeHistoryEvents", "gpdb:DescribeHistoryEventsStat", "gpdb:DescribeIMVInfos", "gpdb:DescribeJDBCDataSource", "gpdb:DescribeLogBackups", "gpdb:DescribeModelService", "gpdb:DescribeModifyParameterLog", "gpdb:DescribeParameters", "gpdb:DescribePrivateRAGService", "gpdb:DescribeRayCluster", "gpdb:DescribeRebalanceStatus", "gpdb:DescribeRegions", "gpdb:DescribeRoles", "gpdb:DescribeSQLCollectorPolicy", "gpdb:DescribeSQLLogCount", "gpdb:DescribeSQLLogRecords", "gpdb:DescribeSQLLogs", "gpdb:DescribeSampleData", "gpdb:DescribeSpecification", "gpdb:DescribeStreamingDataService", "gpdb:DescribeStreamingDataSource", "gpdb:DescribeStreamingJob", "gpdb:DescribeSupabaseBackupJob", "gpdb:DescribeSupabaseBackupPolicy", "gpdb:DescribeSupportFeatures", "gpdb:DescribeTags", "gpdb:DescribeUserEncryptionKeyList", "gpdb:DescribeWaitingSQLInfo", "gpdb:DescribeWaitingSQLRecords", "gpdb:DescribeZonesPrivateRAGService", "gpdb:DisableDBResourceGroup", "gpdb:DownloadDiagnosisRecords", "gpdb:DownloadSQLLogsRecords", "gpdb:DownloadSlowSQLRecords", "gpdb:EnableDBResourceGroup", "gpdb:GetAINode", "gpdb:GetAccount", "gpdb:GetPrice", "gpdb:GetSupabaseDashboardAccount", "gpdb:GetSupabaseProject", "gpdb:GetSupabaseProjectApiKeys", "gpdb:GetSupabaseProjectDashboardAccount", "gpdb:GetSupabaseProjectSpec", "gpdb:GetSupabaseUpdateVersion", "gpdb:HandleActiveSQLRecord", "gpdb:ListAINodePools", "gpdb:ListBackupJobs", "gpdb:ListDatabaseExtensions", "gpdb:ListExternalDataServices", "gpdb:ListHeadNodeSpec", "gpdb:ListInstanceDatabases", "gpdb:ListInstanceExtensions", "gpdb:ListModelServices", "gpdb:ListRemoteADBDataSources", "gpdb:ListSlowSQLRecords", "gpdb:ListStreamingDataServices", "gpdb:ListStreamingJobs", "gpdb:ListSupabaseBackupJobs", "gpdb:ListSupabaseDataBackups", "gpdb:ListSupabaseProjects", "gpdb:ListSupportModels", "gpdb:ListTagResources", "gpdb:ListVirtualClusters", "gpdb:ModifyAccountDescription", "gpdb:ModifyActiveOperationMaintainConf", "gpdb:ModifyActiveOperationTasks", "gpdb:ModifyBackupPolicy", "gpdb:ModifyDBInstanceConfig", "gpdb:ModifyDBInstanceConnectionMode", "gpdb:ModifyDBInstanceConnectionString", "gpdb:ModifyDBInstanceDeploymentMode", "gpdb:ModifyDBInstanceDescription", "gpdb:ModifyDBInstanceMaintainTime", "gpdb:ModifyDBInstanceNetworkType", "gpdb:ModifyDBInstancePayType", "gpdb:ModifyDBInstanceResourceGroup", "gpdb:ModifyDBInstanceSSL", "gpdb:ModifyDBInstanceUnitCode", "gpdb:ModifyDBResourceGroup", "gpdb:ModifyExternalDataService", "gpdb:ModifyHadoopDataSource", "gpdb:ModifyJDBCDataSource", "gpdb:ModifyMasterSpec", "gpdb:ModifyModelServicePublicConnection", "gpdb:ModifyModelServiceSecurityIps", "gpdb:ModifyParameters", "gpdb:ModifyRemoteADBDataSource", "gpdb:ModifySQLCollectorPolicy", "gpdb:ModifySecurityIps", "gpdb:ModifyStreamingDataService", "gpdb:ModifyStreamingDataSource", "gpdb:ModifyStreamingJob", "gpdb:ModifySupabaseBackupPolicy", "gpdb:ModifySupabaseProjectSecurityIps", "gpdb:ModifyVectorConfiguration", "gpdb:PauseDataRedistribute", "gpdb:PauseInstance", "gpdb:RebalanceDBInstance", "gpdb:ReleaseInstancePublicConnection", "gpdb:ResetAccountPassword", "gpdb:ResetIMVMonitorData", "gpdb:ResetSupabaseProjectPassword", "gpdb:RestartDBInstance", "gpdb:RestartSupabaseProject", "gpdb:ResumeDataRedistribute", "gpdb:ResumeInstance", "gpdb:SetDBInstancePlanStatus", "gpdb:SetDataShareInstance", "gpdb:SwitchAINodeZone", "gpdb:SwitchDBInstanceNetType", "gpdb:TagResources", "gpdb:UnbindDBResourceGroupWithRole", "gpdb:UnloadSampleData", "gpdb:UntagResources", "gpdb:UpdateDBInstancePlan", "gpdb:UpdateSupabaseVersion", "gpdb:UpgradeDBInstance", "gpdb:UpgradeDBVersion", "gpdb:UpgradeExtensions" ], "Resource": "*" } ] }
A RAM user or RAM role with account-level permissions can manage all resources within an account. Always grant permissions according to the principle of least privilege to ensure they meet your requirements.
FAQ
View a resource's resource group
-
Method 1: Click the resource name to open its details page, where you can find the resource group.
-
Method 2: Log in to the Resource Management console and go to . In the left panel, select the account that owns the resource (the current account is selected by default). Use filters to locate the resource and view its resource group.
View product resources in a resource group
-
Method 1: Log in to the Resource Management console and go to . In the left panel, under the relevant account (the current account is selected by default), click the target resource group. In the main panel, select the desired product from the Select Resource Type list to view all its resources in that group.
-
Method 2: Log in to the Resource Management console and go to . Find the target resource group and, in the Actions column, click Resource Management. On the Resource Management page, select the desired product from the Product drop-down list to view all of its resources in the group.
Move multiple resources to another resource group
Log in to the Resource Management console and go to . Find the target resource group. In the Actions column for that group, click Resource Management. On the next page, use filters to find the target resources, select the checkbox for each resource, click Transfer Resources at the bottom of the page, and follow the on-screen instructions to complete the transfer.