ApsaraDB RDS:Grant a RAM user the read-only permissions on an ApsaraDB RDS instance

Last Updated:Nov 06, 2023

RAM authorization supports multiple methods, such as Alibaba Cloud Resource Name (ARN)-based authorization, resource group-based authorization, and tag-based authorization, to implement fine-grained management. This topic describes how to grant a RAM user the read-only permissions on a specified RDS instance.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Procedure

Note

You must perform the following operations by using your Alibaba Cloud account.

Method 1: ARN-based authorization

ARN-based authorization means that a resource ARN is used to specify one or more resources to be authorized when you create a policy. This allows precise access control on specific resources. For more information about resource ARNs, see Policy elements.

  1. Create a policy.

    1. Log on to the Resource Access Management (RAM) console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Select an edit mode.

      • Visual editor

        1. Set the Effect parameter to Allow.

        2. Set the Service parameter to rds / RDS.

        3. Set the Action parameter to Select action(s). Then, add the Describe-related read actions.

          Note

          You can search for Describe and then select related actions.

        4. Set the Resource parameter to Specified resource(s). The ARN is in the format acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}. In the Add resource dialog box, set the Resource parameter to the ARN of the RDS instance to which you want to apply the policy.

        5. Leave the Condition parameter empty.

        6. Click Add statement.

        7. Set the Effect parameter to Allow and the Service parameter to rds / RDS.

        8. Set the Action parameter to DescribeDBInstances.

        9. Set the Resource parameter to All resources and leave the Condition parameter empty.

      • JSON

        Enter the following code snippet in the code editor:

        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "rds:Describe*",
              "Resource": "acs:rds:*:*:dbinstance/ID of the RDS instance"
            },
            {
              "Effect": "Allow",
              "Action": "rds:DescribeDBInstances",
              "Resource": "*"
            }
          ],
          "Version": "1"
        }
    5. Click Next to edit policy information.

    6. Configure the Name and Description parameters. Then, click OK.

  2. Attach the custom policy to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

    3. Set the Authorized Scope parameter to Alibaba Cloud Account. In the Select Policy section, click Custom Policy, search for the policy that you created, select the policy, and then click OK.

    4. Click Complete.

  3. Log on to the ApsaraDB RDS console as a RAM user and view the RDS instance.

    1. Go to the Instances page. In the top navigation bar, select the region and view the RDS instances in the region.

    2. Click the ID of the authorized RDS instance to view the information about the instance.

      Note

      When you use this authorization method, the RAM user can see all RDS instances listed on the Instances page, but can view the details of only the authorized instance. If the RAM user attempts to view an unauthorized instance, a message appears indicating that the RAM user has insufficient permissions.

The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.

Method 2: Resource group-based authorization

Resource group-based authorization means that the resources to be authorized are added to a resource group. When you grant permissions to a RAM user, you specify the resource group to which the authorized resources belong, which gives precise access control over all resources in that resource group.

  1. Create a resource group.

    1. Log on to the Resource Management console. In the left-side navigation pane, choose Resource Group > Resource Group.

    2. On the page that appears, click Create Resource Group. On the page that appears, configure the Resource Group Identifier and Resource Group Name parameters. Then, click Confirm.

  2. Add the required RDS instance to the new resource group.

    1. Find the resource group that currently contains the required RDS instance. Then, click Manage Resource in the Actions column of the resource group. In this example, the required RDS instance currently belongs to Default Resource Group.

    2. Find the required RDS instance by instance ID, select the instance, and then click Transfer resource group.

    3. In the Transfer Out panel, select the resource group that you created in Step 1 and click OK.

    4. In the panel that appears, click OK.

      If you find the required RDS instance in the created resource group, the resource group of the instance is transferred.

  3. Create a policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the page that appears, click Create Policy.

    4. Select an edit mode.

      • Visual editor

        1. Set the Effect parameter to Allow.

        2. Set the Service parameter to rds / RDS.

        3. Set the Action parameter to Select action(s). Then, add the Describe-related read actions.

          Note

          You can search for Describe and then select related actions.

        4. Set the Resource parameter to All resource(s).

        5. Leave the Condition parameter empty.

      • JSON

        Enter the following code snippet in the code editor:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "rds:Describe*"
                    ],
                    "Resource": "*"
                }
            ]
        }
    5. Click Next to edit policy information.

    6. Configure the Name and Description parameters. Then, click OK.

  4. Attach the custom policy to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

    3. Set the Authorized Scope parameter to Specific Resource Group and select the resource group that you created. In the Select Policy section, click Custom Policy, search for the policy that you created, select the policy, and then click OK.

    4. Click Complete.

  5. Log on to the ApsaraDB RDS console as a RAM user and view the RDS instance.

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides.

    2. Select the resource group created in Step 1 to view the required RDS instance.

The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.

Method 3: Tag-based authorization

Tag-based authorization means that a tag is added to the resources that need to be authorized. When you create a policy, the policy applies only to the resources that carry the tag. This way, you can implement precise access control on the resources.

  1. Add custom tags to an RDS instance.

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance.

    2. In the Tags column, click the tag icon. Then, click Edit.

    3. Configure the Tag Key and Tag Value parameters. Then, click OK.

      In this example, the Tag Key parameter is set to test-ram and the Tag Value parameter is set to rds-mysql. We recommend that you set these parameters to meaningful values.

      If the tag is displayed in the Tags column, the custom tag is added to the RDS instance.

  2. Create a policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the page that appears, click Create Policy.

    4. Select an edit mode.

      • Visual editor

        1. Set the Effect parameter to Allow.

        2. Set the Service parameter to rds / RDS.

        3. Set the Action parameter to Select action(s). Then, add the Describe-related read actions.

          Note

          You can search for Describe and then select related actions.

        4. Set the Resource parameter to All resource(s).

        5. Click Add condition. In the dialog box that appears, configure the following parameters: Key, Tag Key, Operator, and Value.

          Note

          The value of the Key parameter is fixed as rds:ResourceTag. The value of the Operator parameter is fixed as StringEquals. The values of the Tag Key and Value parameters must be the same as the values of the Tag Key and Tag Value parameters of the tag that is added to the RDS instance in Step 1.

      • JSON

        Enter the following code snippet in the code editor:

        Note

        In the code snippet, test-ram and rds-mysql are used only for reference. You must replace these values with the values of the Tag Key and Tag Value parameters of the tag that is added to the RDS instance in Step 1.

        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "rds:Describe*"
              ],
              "Resource": [
                "*"
              ],
              "Condition": {
                "StringEquals": {
                  "rds:ResourceTag/test-ram": [
                    "rds-mysql"
                  ]
                }
              }
            }
          ]
        }
    5. Click Next to edit policy information.

    6. Configure the Name and Description parameters. Then, click OK.

  3. Attach the custom policy to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

    3. Set the Authorized Scope parameter to Alibaba Cloud Account. In the Select Policy section, click Custom Policy, search for the policy that you created, select the policy, and then click OK.

    4. Click Complete.

  4. Log on to the ApsaraDB RDS console as the RAM user and view the RDS instance.

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides.

    2. Use the Filter by Tag feature to search for the tag that is added to the RDS instance in Step 1 and view the RDS instance.

The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.
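The following is an added example, not code from the Alibaba Cloud documentation or from the RAM service: a small local simulator that shows how the Method 1 (ARN-based) and Method 3 (tag-based) policies above decide a request, including why a user with the Method 1 policy can list all instances but describe only the authorized one. It models only what this topic uses (Allow statements, "rds:Describe*" wildcards, the acs:rds:{region}:{account}:dbinstance/{id} ARN form and the StringEquals condition on rds:ResourceTag/<key>); the region, account ID, instance IDs and action names other than DescribeDBInstances are constructed placeholders, and the resource-group scope of Method 2 is not modelled.

```python
import fnmatch

# Constructed values for the example; replace with your own region, account ID
# and RDS instance ID (the page uses "ID of the RDS instance" as a placeholder).
REGION, ACCOUNT, INSTANCE = "cn-hangzhou", "123456789012", "rm-example0001"
ARN = f"acs:rds:{REGION}:{ACCOUNT}:dbinstance/{INSTANCE}"
OTHER_ARN = f"acs:rds:{REGION}:{ACCOUNT}:dbinstance/rm-other0002"

# Method 1 policy from this topic, with the placeholder replaced by INSTANCE.
ARN_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "rds:Describe*",
     "Resource": f"acs:rds:*:*:dbinstance/{INSTANCE}"},
    {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
]}

# Method 3 policy from this topic (tag test-ram = rds-mysql).
TAG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"],
     "Condition": {"StringEquals": {"rds:ResourceTag/test-ram": ["rds-mysql"]}}},
]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _any_match(patterns, value):
    # Assumption: "*" in Action/Resource behaves like a glob wildcard.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def statement_allows(stmt, action, resource_arn, tags):
    """True if this single statement allows the (action, resource, tags) request."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _any_match(stmt["Action"], action):
        return False
    if not _any_match(stmt["Resource"], resource_arn):
        return False
    # Only the StringEquals / rds:ResourceTag/<key> condition used on this page is modelled.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith("rds:ResourceTag/"):
            return False  # unknown condition key: treat as not satisfied
        if tags.get(key[len("rds:ResourceTag/"):]) not in _as_list(wanted):
            return False
    return True

def is_allowed(policy, action, resource_arn, tags=None):
    """True if at least one Allow statement matches the request (no Deny modelled)."""
    return any(statement_allows(s, action, resource_arn, tags or {})
               for s in policy["Statement"])
```

Running is_allowed(ARN_POLICY, "rds:DescribeDBInstances", OTHER_ARN) returns True while is_allowed(ARN_POLICY, "rds:DescribeDBInstanceAttribute", OTHER_ARN) returns False, which is exactly the behaviour described in the note under Method 1.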