This topic describes how to authorize a RAM user to manage ApsaraDB RDS instances
by using Resource Access Management (RAM).
Background information
You can grant the permissions to call API operations to RAM users. For example, if
you grant a RAM user the permission to call the CreateDBInstance operation, the RAM
user can create an RDS instance in the ApsaraDB RDS console.
The following procedure shows how to grant a RAM user the permission to check the
information about RDS instances. The procedures to grant other permissions to a RAM
user are similar.
Procedure
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Custom Policy page, specify the Policy Name and the Note.
- Select a Configuration Mode.
- Visualized
If you select the Visualized configuration mode, click Add Statement and configure the following parameters.

| Parameter | Description |
| --- | --- |
| Permission Effect | Specify whether to grant the permissions on an Alibaba Cloud service to the RAM user. Valid values: Allow and Deny. In this example, select Allow. |
| Select Product/Service | Select the Alibaba Cloud service on which you want to grant permissions to the RAM user. In this example, select RDS. |
| Actions | Select the API operations on which you want to grant permissions to the RAM user. Valid values: All Actions and Specified Actions. If you select Specified Actions, you must also select the required API operations from the drop-down list that appears. In this example, select all API operations whose names start with Describe. |
| Resources | Select the resources on which you want to grant permissions to the RAM user. Valid values: All Resources and Specified Resources. If you select Specified Resources, you must also enter the names of the required resources in the following format: acs:<service-name>:<region>:<account-id>:<relative-id>. In this example, enter acs:rds:*:*:*/*. This way, the RAM user can be granted the permissions on all RDS instances that are created within your Alibaba Cloud account. |
| Conditions | Specify the limits on the permissions that you want to grant to the RAM user. For example, you can limit the source IP addresses from which the RAM user can log on. |
Note: If you select Specified Actions, we recommend that you select the DescribeDBInstances
operation. If you do not select this API operation, you cannot view the RDS instances
in a specified region.
- Script
If you select the Script configuration mode, enter the following code snippet in the
edit box that appears:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:Describe*"
                ],
                "Resource": [
                    "acs:rds:*:*:*/*"
                ],
                "Condition": {}
            }
        ]
    }
Note: The Script configuration mode is more efficient than the Visualized configuration mode. For example, in the Script configuration mode, you can enter Describe* in the edit box to specify all API operations whose names start with Describe. However, in the Visualized configuration mode, you can select only one API operation whose name starts with Describe at a time.
- Click OK.
- In the left-side navigation pane, choose .
- Find the RAM user. Then, click Add Permissions in the Actions column.
- In the Select Policy section, click Custom Policy, find the permission policy that you created, and then click OK.
After the preceding steps are complete, you can log on to the ApsaraDB RDS console
and check the information about RDS instances by using the credentials of the RAM
user. You can also grant other permissions to a RAM user within your Alibaba Cloud
account based on your business requirements.
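Before attaching a custom policy, it helps to check how far its Allow statements reach. The following added example (not part of the original procedure or of any Alibaba Cloud tool) audits a policy document for actions outside rds:Describe*, wildcard fields in the resource name, and an empty Condition. The scoped policy's region, account ID, instance ID, CIDR block, dbinstance/ resource type and acs:SourceIp condition key are assumptions chosen for illustration.

```python
import json

# Policy from this page: every Describe* operation on every RDS resource.
PAGE_POLICY = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["rds:Describe*"], "Resource": ["acs:rds:*:*:*/*"], "Condition": {}}]}""")

# Constructed variant. Region, account ID, instance ID, CIDR, the dbinstance/
# resource type and the acs:SourceIp condition key are assumptions for illustration.
SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["rds:DescribeDBInstances", "rds:DescribeDBInstanceAttribute"],
    "Resource": ["acs:rds:cn-hangzhou:1234567890123456:dbinstance/rm-example0001"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}}]}

# Names of the last three fields of acs:<service-name>:<region>:<account-id>:<relative-id>
ARN_FIELDS = ("region", "account-id", "relative-id")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, service="rds", read_prefix="Describe"):
    """Return findings where an Allow statement exceeds read-only, scoped access."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in as_list(stmt.get("Action", [])):
            svc, _, op = action.partition(":")
            # Every operation the pattern can match must begin with the read prefix.
            if svc != service or not op.startswith(read_prefix):
                findings.append(
                    f"statement {idx}: action {action} is not limited to {service}:{read_prefix}*")
        for arn in as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 4)
            if len(parts) != 5 or parts[0] != "acs":
                findings.append(f"statement {idx}: resource {arn} is not a full resource name")
                continue
            for name, value in zip(ARN_FIELDS, parts[2:]):
                if "*" in value:
                    findings.append(f"statement {idx}: {name} is a wildcard ({value})")
        if not stmt.get("Condition"):
            findings.append(f"statement {idx}: no Condition restricts the request source")
    return findings

if __name__ == "__main__":
    for label, pol in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(label, audit(pol) or "no findings")
```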