RAM authorization - ApsaraDB RDS - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, that are defined by RDS.You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate RDS is rds. You can grant permissions on RDS at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

RDS defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
rds:ActivateMigrationTargetInstance	ActivateMigrationTargetInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:AddTagsToResource	AddTagsToResource	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:AllocateInstancePublicConnection	AllocateInstancePublicConnection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:AllocateReadWriteSplittingConnection	AllocateReadWriteSplittingConnection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CalculateDBInstanceWeight	CalculateDBInstanceWeight	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CancelImport	CancelImport	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:CheckAccountNameAvailable	CheckAccountNameAvailable	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CheckCloudResourceAuthorized	CheckCloudResourceAuthorized	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CheckCreateDdrDBInstance	CheckCreateDdrDBInstance	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:CheckDBNameAvailable	CheckDBNameAvailable	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CheckInstanceExist	CheckInstanceExist	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CheckServiceLinkedRole	CheckServiceLinkedRole	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:*:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:CloneDBInstance	CloneDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CloneParameterGroup	CloneParameterGroup	Write	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:ConfirmNotify	ConfirmNotify	Write		None	None
rds:CopyDatabase	CopyDatabase	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CopyDatabaseBetweenInstances	CopyDatabaseBetweenInstances	Write	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:CreateAccount	CreateAccount	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateBackup	CreateBackup	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateCloudMigrationPrecheckTask	CreateCloudMigrationPrecheckTask	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateCloudMigrationTask	CreateCloudMigrationTask	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateDBInstance	CreateDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/*	rds:ResourceTag	None
rds:CreateDBInstanceEndpoint	CreateDBInstanceEndpoint	Write	DBInstance acs:rds::{#accountId}:dbinstance/	rds:ResourceTag	None
rds:CreateDBInstanceEndpointAddress	CreateDBInstanceEndpointAddress	Write	DBInstance acs:rds::{#accountId}:dbinstance/	rds:ResourceTag	None
rds:CreateDBProxyEndpointAddress	CreateDBProxyEndpointAddress	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:CreateDatabase	CreateDatabase	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateDdrInstance	CreateDdrInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/*	None	None
rds:CreateDiagnosticReport	CreateDiagnosticReport	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:CreateGADInstance	CreateGADInstance	Write	All Resources acs:rds::{#accountId}:*	None	None
rds:CreateGadInstanceMember	CreateGadInstanceMember	Write	All Resources acs:rds::{#accountId}:*	None	None
rds:CreateMigrateTask	CreateMigrateTask	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateOnlineDatabaseTask	CreateOnlineDatabaseTask	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateParameterGroup	CreateParameterGroup	Write	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:CreateReadOnlyDBInstance	CreateReadOnlyDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:CreateServiceLinkedRole	CreateServiceLinkedRole	Write		None	None
rds:CreateTempDBInstance	CreateTempDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DeleteAccount	DeleteAccount	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DeleteBackup	DeleteBackup	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DeleteBackupFile	DeleteBackupFile	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DeleteDBInstance	DeleteDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DeleteDBInstanceEndpoint	DeleteDBInstanceEndpoint	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	rds:ResourceTag	None
rds:DeleteDBInstanceEndpointAddress	DeleteDBInstanceEndpointAddress	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	rds:ResourceTag	None
rds:DeleteDBProxyEndpointAddress	DeleteDBProxyEndpointAddress	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DeleteDatabase	DeleteDatabase	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DeleteGadInstance	DeleteGadInstance	Write	All Resources acs:rds::{#accountId}:*	None	None
rds:DeleteUserBackupFile	DeleteUserBackupFile	Write	BackupFile acs:rds:*:{#accountId}:backupfile/{#BackupId}	None	None
rds:DescribeADInfo	DescribeADInfo	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeAccounts	DescribeAccounts	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeActionEventPolicy	DescribeActionEventPolicy	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeAnalyticdbByPrimaryDBInstance	DescribeAnalyticdbByPrimaryDBInstance	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeAvailableClasses	DescribeAvailableClasses	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/*	rds:ResourceTag	None
rds:DescribeAvailableCrossRegion	DescribeAvailableCrossRegion	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeAvailableMetrics	DescribeAvailableMetrics	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeAvailableRecoveryTime	DescribeAvailableRecoveryTime	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeAvailableZones	DescribeAvailableZones	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/*	None	None
rds:DescribeBackupDatabase	DescribeBackupDatabase	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeBackupPolicy	DescribeBackupPolicy	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeBackupTasks	DescribeBackupTasks	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeBackups	DescribeBackups	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeBinlogFiles	DescribeBinlogFiles	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeCharacterSetName	DescribeCharacterSetName	Read		None	None
rds:DescribeCloudMigrationPrecheckResult	DescribeCloudMigrationPrecheckResult	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeCrossBackupMetaList	DescribeCrossBackupMetaList	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeCrossRegionBackupDBInstance	DescribeCrossRegionBackupDBInstance	Read	DBInstance acs:rds::{#accountId}:dbinstance/	rds:ResourceTag	None
rds:DescribeCrossRegionBackups	DescribeCrossRegionBackups	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeCrossRegionLogBackupFiles	DescribeCrossRegionLogBackupFiles	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceAttribute	DescribeDBInstanceAttribute	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceByTags	DescribeDBInstanceByTags	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceDetail	DescribeDBInstanceDetail	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeDBInstanceEncryptionKey	DescribeDBInstanceEncryptionKey	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceEndpoints	DescribeDBInstanceEndpoints	Read	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceHAConfig	DescribeDBInstanceHAConfig	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceIPArrayList	DescribeDBInstanceIPArrayList	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceIpHostname	DescribeDBInstanceIpHostname	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceMetrics	DescribeDBInstanceMetrics	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceMonitor	DescribeDBInstanceMonitor	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceNetInfo	DescribeDBInstanceNetInfo	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceNetInfoForChannel	DescribeDBInstanceNetInfoForChannel	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstancePerformance	DescribeDBInstancePerformance	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceProxyConfiguration	DescribeDBInstanceProxyConfiguration	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceSSL	DescribeDBInstanceSSL	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstanceTDE	DescribeDBInstanceTDE	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstances	DescribeDBInstances	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstancesAsCsv	DescribeDBInstancesAsCsv	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstancesByExpireTime	DescribeDBInstancesByExpireTime	Read	All Resources acs:rds:::* DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstancesByPerformance	DescribeDBInstancesByPerformance	Read	All Resources acs:rds:::* DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBInstancesForClone	DescribeDBInstancesForClone	Read		None	None
rds:DescribeDBMiniEngineVersions	DescribeDBMiniEngineVersions	Read		None	None
rds:DescribeDBProxy	DescribeDBProxy	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBProxyEndpoint	DescribeDBProxyEndpoint	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDBProxyPerformance	DescribeDBProxyPerformance	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDTCSecurityIpHostsForSQLServer	DescribeDTCSecurityIpHostsForSQLServer	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDatabases	DescribeDatabases	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeDedicatedHostGroups	DescribeDedicatedHostGroups	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeDedicatedHosts	DescribeDedicatedHosts	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeDetachedBackups	DescribeDetachedBackups	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeDiagnosticReportList	DescribeDiagnosticReportList	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeErrorLogs	DescribeErrorLogs	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeEvents	DescribeEvents	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeGadInstances	DescribeGadInstances	List	All Resources acs:rds::{#accountId}:*	None	None
rds:DescribeHADiagnoseConfig	DescribeHADiagnoseConfig	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeHASwitchConfig	DescribeHASwitchConfig	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeInstanceAutoRenewalAttribute	DescribeInstanceAutoRenewalAttribute	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeInstanceCrossBackupPolicy	DescribeInstanceCrossBackupPolicy	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeInstanceKeywords	DescribeInstanceKeywords	Read		None	None
rds:DescribeLocalAvailableRecoveryTime	DescribeLocalAvailableRecoveryTime	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeLogBackupFiles	DescribeLogBackupFiles	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeMetaList	DescribeMetaList	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeMigrateTaskById	DescribeMigrateTaskById	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeMigrateTasks	DescribeMigrateTasks	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeModifyParameterLog	DescribeModifyParameterLog	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeOssDownloads	DescribeOssDownloads	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeParameterGroup	DescribeParameterGroup	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeParameterGroups	DescribeParameterGroups	Read	DBInstance acs:rds::{#accountId}:dbinstance/	ResourceOwner	None
rds:DescribeParameters	DescribeParameters	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeRdsResourceSettings	DescribeRdsResourceSettings	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeReadDBInstanceDelay	DescribeReadDBInstanceDelay	Read	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:DescribeRenewalPrice	DescribeRenewalPrice	Read		None	None
rds:DescribeResourceUsage	DescribeResourceUsage	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSQLCollectorPolicy	DescribeSQLCollectorPolicy	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSQLCollectorRetention	DescribeSQLCollectorRetention	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:DescribeSQLLogFiles	DescribeSQLLogFiles	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSQLLogRecords	DescribeSQLLogRecords	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSQLLogReportList	DescribeSQLLogReportList	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSecurityGroupConfiguration	DescribeSecurityGroupConfiguration	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSlowLogRecords	DescribeSlowLogRecords	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeSlowLogs	DescribeSlowLogs	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeTags	DescribeTags	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeTasks	DescribeTasks	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeUpgradeMajorVersionPrecheckTask	DescribeUpgradeMajorVersionPrecheckTask	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DescribeUpgradeMajorVersionTasks	DescribeUpgradeMajorVersionTasks	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DestroyDBInstance	DestroyDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:DetachGadInstanceMember	DetachGadInstanceMember	Write	All Resources acs:rds::{#accountId}:*	None	None
rds:GetDBInstanceTopology	GetDBInstanceTopology	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:GetDbProxyInstanceSsl	GetDbProxyInstanceSsl	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:GrantAccountPrivilege	GrantAccountPrivilege	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:GrantOperatorPermission	GrantOperatorPermission	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ImportDatabaseBetweenInstances	ImportDatabaseBetweenInstances	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ImportUserBackupFile	ImportUserBackupFile	Read		None	None
rds:ListClasses	ListClasses	Read		None	None
rds:ListTagResources	ListTagResources	Read	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ListUserBackupFiles	ListUserBackupFiles	Read		None	None
rds:LockAccount	LockAccount	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:MigrateDBInstance	MigrateDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:MigrateSecurityIPMode	MigrateSecurityIPMode	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:MigrateToOtherZone	MigrateToOtherZone	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyAccountDescription	ModifyAccountDescription	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyActionEventPolicy	ModifyActionEventPolicy	Write	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ModifyBackupPolicy	ModifyBackupPolicy	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyCollationTimeZone	ModifyCollationTimeZone	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ModifyDBDescription	ModifyDBDescription	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceAutoUpgradeMinorVersion	ModifyDBInstanceAutoUpgradeMinorVersion	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceConnectionMode	ModifyDBInstanceConnectionMode	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ModifyDBInstanceConnectionString	ModifyDBInstanceConnectionString	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceDelayedReplicationTime	ModifyDBInstanceDelayedReplicationTime	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceDeletionProtection	ModifyDBInstanceDeletionProtection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceDescription	ModifyDBInstanceDescription	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceEndpoint	ModifyDBInstanceEndpoint	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceEndpointAddress	ModifyDBInstanceEndpointAddress	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceHAConfig	ModifyDBInstanceHAConfig	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceMaintainTime	ModifyDBInstanceMaintainTime	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceMetrics	ModifyDBInstanceMetrics	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceMonitor	ModifyDBInstanceMonitor	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceNetworkExpireTime	ModifyDBInstanceNetworkExpireTime	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceNetworkType	ModifyDBInstanceNetworkType	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstancePayType	ModifyDBInstancePayType	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceProxyConfiguration	ModifyDBInstanceProxyConfiguration	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceSSL	ModifyDBInstanceSSL	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceSpec	ModifyDBInstanceSpec	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBInstanceTDE	ModifyDBInstanceTDE	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBProxy	ModifyDBProxy	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBProxyEndpoint	ModifyDBProxyEndpoint	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBProxyEndpointAddress	ModifyDBProxyEndpointAddress	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDBProxyInstance	ModifyDBProxyInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDTCSecurityIpHostsForSQLServer	ModifyDTCSecurityIpHostsForSQLServer	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ModifyDasInstanceConfig	ModifyDasInstanceConfig	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyDbProxyInstanceSsl	ModifyDbProxyInstanceSsl	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyHADiagnoseConfig	ModifyHADiagnoseConfig	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyHASwitchConfig	ModifyHASwitchConfig	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyInstanceAutoRenewalAttribute	ModifyInstanceAutoRenewalAttribute	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyInstanceCrossBackupPolicy	ModifyInstanceCrossBackupPolicy	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyParameter	ModifyParameter	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyParameterGroup	ModifyParameterGroup	Write	DBInstance acs:rds::{#accountId}:dbinstance/	None	None
rds:ModifyReadWriteSplittingConnection	ModifyReadWriteSplittingConnection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifyReadonlyInstanceDelayReplicationTime	ModifyReadonlyInstanceDelayReplicationTime	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	None	None
rds:ModifyResourceGroup	ModifyResourceGroup	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifySQLCollectorPolicy	ModifySQLCollectorPolicy	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifySQLCollectorRetention	ModifySQLCollectorRetention	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ModifySecurityGroupConfiguration	ModifySecurityGroupConfiguration	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ModifySecurityIps	ModifySecurityIps	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:PurgeDBInstanceLog	PurgeDBInstanceLog	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RebuildDBInstance	RebuildDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ReceiveDBInstance	ReceiveDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:RecoveryDBInstance	RecoveryDBInstance	Write	DBInstance acs:rds::{#accountId}:dbinstance/ DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ReleaseInstanceConnection	ReleaseInstanceConnection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:ReleaseInstancePublicConnection	ReleaseInstancePublicConnection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ReleaseReadWriteSplittingConnection	ReleaseReadWriteSplittingConnection	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RemoveTagsFromResource	RemoveTagsFromResource	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RenewInstance	RenewInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ResetAccount	ResetAccount	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:ResetAccountPassword	ResetAccountPassword	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RestartDBInstance	RestartDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RestoreDdrTable	RestoreDdrTable	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:RestoreTable	RestoreTable	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RevokeAccountPrivilege	RevokeAccountPrivilege	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:RevokeOperatorPermission	RevokeOperatorPermission	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:StartDBInstance	StartDBInstance	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	None	None
rds:StopDBInstance	StopDBInstance	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:SwitchDBInstanceHA	SwitchDBInstanceHA	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:SwitchDBInstanceNetType	SwitchDBInstanceNetType	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
rds:SwitchDBInstanceVpc	SwitchDBInstanceVpc	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:TagResources	TagResources	Write	All Resources acs:rds:{#regionId}:{#accountId}:* DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:TerminateMigrateTask	TerminateMigrateTask	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	None	None
rds:TransformDBInstancePayType	TransformDBInstancePayType	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:UnlockAccount	UnlockAccount	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:UntagResources	UntagResources	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:UpdateUserBackupFile	UpdateUserBackupFile	Write	BackupFile acs:rds:*:{#accountId}:backupfile/{#BackupId}	None	None
rds:UpgradeDBInstanceEngineVersion	UpgradeDBInstanceEngineVersion	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:UpgradeDBInstanceKernelVersion	UpgradeDBInstanceKernelVersion	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:UpgradeDBInstanceMajorVersion	UpgradeDBInstanceMajorVersion	Write	DBInstance acs:rds:*:{#accountId}:dbinstance/{#DBInstanceId}	None	None
rds:UpgradeDBInstanceMajorVersionPrecheck	UpgradeDBInstanceMajorVersionPrecheck	Read	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None
rds:UpgradeDBProxyInstanceKernelVersion	UpgradeDBProxyInstanceKernelVersion	Write	DBInstance acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	None

Resource

RDS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
DBInstance	acs:{#ramcode}:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}
BackupFile	acs:{#ramcode}:*:{#accountId}:backupfile/{#BackupId}

Condition

RDS defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to RDS. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type
rds:ResourceTag		STRING

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: