This topic describes how to authorize a RAM user to manage ApsaraDB RDS instances by using Resource Access Management (RAM).

Prerequisites

Create a RAM user

Background information

You can grant the permissions to call API operations to RAM users. For example, if you grant a RAM user the permission to call the CreateDBInstance operation, the RAM user can create an RDS instance in the ApsaraDB RDS console.

The following procedure shows how to grant a RAM user the permission to check the information about RDS instances. The procedures to grant other permissions to a RAM user are similar.

Procedure

  1. Create a policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. Select an edit mode.
      • Visual editor
        ParameterDescription
        EffectSpecify whether to grant the RAM user the permissions on an Alibaba Cloud service. Example: Allow.
        ServiceSelect the Alibaba Cloud service on which you want to grant permissions to the RAM user. Example: rds / RDS.
        ActionSelect the actions on which you want to grant permissions to the RAM user. Valid values: All action(s) and Select action(s). If you select Select action(s), you need to select the actions in the All action(s) section and add them to the Select action(s) section.

        Example: Read actions.

        Read actions
        Note We recommend that you add the DescribDBInstances read action. Otherwise, you cannot view the instance list.
        ResourceSelect the resources on which you want to grant permissions to the RAM user. Valid values: All resource(s) and Specified resource(s).
        If you select Specified resource(s), you need to add a resource based on the Alibaba Cloud Resource Name (ARN) format of the resource. To add a resource, click Add source to the right of the ARN format.
        Important The resource ARNs that are required for an action are tagged with Required. To ensure that the policy takes effect as expected, we recommend that you configure the resource ARNs that are tagged with Required.

        For example, acs:rds:*:{#accountId}:dbinstance/* is tagged with Required. If you do not configure this resource ARN, the RAM user cannot view instances in the instance list.

        • acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} is required and matches resources by region, account, and instance ID.
          Note acs:rds:*:{#accountId}:dbinstance/* is required and matches all resources within the account. In this case, RAM matches all RDS instances regardless of whether the instance ID is specified in acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}. You must replace dabinstanceId in acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} with an asterisk (*).
        • acs:rds:{#regionId}:{#accountId}:dbinstance/* matches resources by region and account.
        • acs:rds:*:{#accountId}:dbinstance/* is required and matches resources by account.
          Note acs:rds:*:{#accountId}:dbinstance/* is required and matches all resources within the account. In this case, RAM matches all RDS instances regardless of whether the instance ID is specified in acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}.

          For more information about how to grant a RAM user permissions on a specific RDS instance, such as read-only permissions, see Grant a RAM user the read-only permissions on an ApsaraDB RDS instance.

        • acs:rds:*:{#accountId}:dbinstance/{#dbinstanceId} is required and matches resources by account and instance ID.
        ConditionSpecify the limits on the permissions that you want to grant to the RAM user. For example, you can limit the source IP addresses from which the RAM user can log on. For more information, see Policy elements.
      • JSON

        Enter the following code snippet in the code editor:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "rds:Describe*",
                    "Resource": "*"
                }
            ]
        }
        Note The JSON mode is more efficient than the Visual editor mode. For example, in JSON mode, you can enter Describe* in the code editor to specify all API operations whose names start with Describe. However, in Visual editor mode, you can select only one API operation whose name starts with Describe at a time.
    5. Click Next to edit policy information.
    6. Configure the Name and Description parameters. Then, click OK.
  2. Attach the custom policy to a RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
    3. In the Select Policy section, click Custom Policy, find and select the policy that you created, and then click OK. Select Policy

After the preceding steps are complete, you can log on to the ApsaraDB RDS console and check the information about RDS instances by using the credentials of the RAM user. You can also grant other permissions to a RAM user within your Alibaba Cloud account based on your business requirements.