| Parameter | Description |
| --- | --- |
| Effect | Specify whether to grant or deny the RAM user permissions on an Alibaba Cloud service. Example: Allow. |
| Service | Select the Alibaba Cloud service on which you want to grant permissions to the RAM user. Example: rds / RDS. |
| Action | Select the actions on which you want to grant permissions to the RAM user. Valid values: All action(s) and Select action(s). If you select Select action(s), you need to select the actions in the All action(s) section and add them to the Select action(s) section. Example: Read actions. Note We recommend that you add the DescribeDBInstances read action. Otherwise, you cannot view the instance list. |
| Resource | Select the resources on which you want to grant permissions to the RAM user. Valid values: All resource(s) and Specified resource(s). If you select Specified resource(s), you need to add a resource based on the Alibaba Cloud Resource Name (ARN) format of the resource. To add a resource, click Add source to the right of the ARN format. Important The resource ARNs that are required for an action are tagged with Required. To ensure that the policy takes effect as expected, we recommend that you configure the resource ARNs that are tagged with Required. For example, acs:rds:*:{#accountId}:dbinstance/* is tagged with Required. If you do not configure this resource ARN, the RAM user cannot view instances in the instance list. The ARN formats for RDS instances are listed in the table below. |
| Condition | Specify the limits on the permissions that you want to grant to the RAM user. For example, you can limit the source IP addresses from which the RAM user can log on. For more information, see Policy elements. |

ARN formats for RDS instances:

| ARN format | Required | Matching scope |
| --- | --- | --- |
| acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} | Yes | Matches resources by region, account, and instance ID. Note acs:rds:*:{#accountId}:dbinstance/* is required and matches all resources within the account. In this case, RAM matches all RDS instances regardless of whether the instance ID is specified in acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}. You must replace dbinstanceId in acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} with an asterisk (*). |
| acs:rds:{#regionId}:{#accountId}:dbinstance/* | No | Matches resources by region and account. |
| acs:rds:*:{#accountId}:dbinstance/* | Yes | Matches resources by account. |
| acs:rds:*:{#accountId}:dbinstance/{#dbinstanceId} | Yes | Matches resources by account and instance ID. Note The same caveat applies: because acs:rds:*:{#accountId}:dbinstance/* is required and matches all resources within the account, the instance ID specified in this ARN does not narrow the match. For more information about how to grant a RAM user permissions on a specific RDS instance, such as read-only permissions, see Grant a RAM user the read-only permissions on an ApsaraDB RDS instance. |
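The following is an added example, not code from the page or from Alibaba Cloud. It shows the JSON policy that the five rows above (Effect, Service, Action, Resource, Condition) produce, and a small evaluator that models only the matching rules the table describes: segment-wise wildcard matching of ARNs and an acs:SourceIp condition. The evaluator is a simplified teaching model, not RAM's real policy engine; the account ID, instance IDs and IP range are constructed placeholders.

```python
"""Added example: a minimal model of how a RAM policy built in the visual
editor is evaluated.  It is NOT Alibaba Cloud RAM's engine; it implements
just enough to show why acs:rds:*:{#accountId}:dbinstance/* makes the
instance list visible and why an account-wide wildcard ARN matches every
instance regardless of a more specific instance ARN in the same policy."""
import fnmatch
import ipaddress

# Constructed policy in RAM's JSON shape ("Version": "1").  The account ID
# 123456789012345 and the IP range 203.0.113.0/24 are placeholders.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            # Read actions; DescribeDBInstances is what the instance list needs.
            "Action": ["rds:DescribeDBInstances", "rds:DescribeDBInstanceAttribute"],
            "Resource": [
                # The ARN tagged Required in the console; without it the
                # RAM user cannot view the instance list.
                "acs:rds:*:123456789012345:dbinstance/*",
            ],
            # Condition row: restrict the source IP range of the caller.
            "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
        }
    ],
}


def arn_matches(pattern: str, arn: str) -> bool:
    """Match an ARN against a pattern one segment at a time.

    An ARN has five colon-separated segments: acs:service:region:account:resource.
    '*' in the region or account segment matches any value, and shell-style
    wildcards are applied to the resource segment, so 'dbinstance/*' covers
    every instance ID.  A pattern of just '*' matches everything.
    """
    if pattern == "*":
        return True
    p_parts = pattern.split(":", 4)
    a_parts = arn.split(":", 4)
    if len(p_parts) != 5 or len(a_parts) != 5:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def condition_holds(condition: dict, source_ip: str) -> bool:
    """Evaluate only the IpAddress / acs:SourceIp condition used above."""
    ranges = condition.get("IpAddress", {}).get("acs:SourceIp", [])
    if not ranges:
        return True  # no source-IP restriction in this statement
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_allowed(policy: dict, action: str, arn: str, source_ip: str) -> bool:
    """Deny by default; an explicit Deny that matches wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(arn_matches(p, arn) for p in stmt["Resource"]):
            continue
        if not condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    inst = "acs:rds:cn-hangzhou:123456789012345:dbinstance/rm-example01"
    print(is_allowed(POLICY, "rds:DescribeDBInstances", inst, "203.0.113.10"))
    print(is_allowed(POLICY, "rds:DescribeDBInstances", inst, "198.51.100.5"))
```

Running the block prints True for the in-range caller and False for the out-of-range one. The point worth checking against your own policies is the Resource row: a pattern such as acs:rds:cn-hangzhou:123456789012345:dbinstance/* only matches instances in that region, while acs:rds:*:123456789012345:dbinstance/* matches instances in every region of the account, so adding the account-wide ARN alongside a single-instance ARN widens the grant to the whole account.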