All instances created by an Alibaba Cloud account are resources owned by that account. By default, an Alibaba Cloud account has full permissions on resources that belong to the account. Resource Access Management (RAM) allows you to grant RAM users the permissions to access and manage resources owned by an Alibaba Cloud account. If you do not want to use RAM, ignore this topic.

Resource types that can be authorized

For ApsaraDB for Redis, only instances can be authorized in RAM.

The following table describes the Alibaba Cloud Resource Name (ARN) format in which resources are specified in authorization policies when you use RAM to authorize access to the resources.

Resource type   ARN format
Instance        acs:kvstore:$regionid:$accountid:instance/$instanceid
                acs:kvstore:$regionid:$accountid:instance/*
                acs:kvstore:*:*:instance/*

The $regionid field must be set to a region ID or an asterisk (*). The $instanceid field must be set to an instance ID or an asterisk (*). Similarly, the $accountid field is the numeric ID of your Alibaba Cloud account and can also be replaced by an asterisk (*). An asterisk matches every value of that field, so the last form in the table covers all instances in all regions of all accounts.

API operations that can be authorized in RAM

Note: For more information about the API operations, see List of operations by function.

The following API operations can be authorized in RAM:
  • CreateInstance
  • DeleteInstance
  • ModifyInstanceSpec
  • RenewInstance
  • RenewMultiInstance
  • ModifyInstanceAttribute
  • FlushInstance
  • DescribeInstances
  • DescribeInstanceAttribute
  • ModifyInstanceMaintainTime
  • ModifySecurityIps
  • SwitchNetwork
  • ModifyInstanceNetExpireTime
  • CreateBackup
  • ModifyBackupPolicy
  • DescribeBackupPolicy
  • DescribeBackups
  • RestoreInstance
  • DescribeHistoryMonitorValues
  • DescribeInstanceConfig
  • ModifyInstanceConfig

Authentication rules of API operations

When you call API operations to access resources as a RAM user, ApsaraDB for Redis checks with RAM whether the RAM user has been granted the required permissions on the resource that the operation acts on.

The permissions to be checked are determined by the resources that are used by each API operation. The following table describes the corresponding authentication rule for each API operation.

Table 1. Authorization rules
Action                          Authorization rule
CreateDBInstance                acs:kvstore:$regionid:$accountid:instance/$instanceid
DeleteInstance                  acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceSpec              acs:kvstore:$regionid:$accountid:instance/$instanceid
RenewInstance                   acs:kvstore:$regionid:$accountid:instance/$instanceid
RenewMultiInstance              acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceAttribute         acs:kvstore:$regionid:$accountid:instance/$instanceid
FlushInstance                   acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeInstances               acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeInstanceAttribute       acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceMaintainTime      acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifySecurityIps               acs:kvstore:$regionid:$accountid:instance/$instanceid
SwitchNetwork                   acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceNetExpireTime     acs:kvstore:$regionid:$accountid:instance/$instanceid
CreateBackup                    acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyBackupPolicy              acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeBackupPolicy            acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeBackups                 acs:kvstore:$regionid:$accountid:instance/$instanceid
RestoreInstance                 acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeHistoryMonitorValues    acs:kvstore:$regionid:$accountid:instance/$instanceid
DescribeInstanceConfig          acs:kvstore:$regionid:$accountid:instance/$instanceid
ModifyInstanceConfig            acs:kvstore:$regionid:$accountid:instance/$instanceid
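The example below is added here and is not Alibaba Cloud's code: it builds ARNs in the format described above, implements the wildcard matching of the $regionid, $accountid and $instanceid fields, and evaluates a least-privilege custom policy (read-only on one instance, with FlushInstance and DeleteInstance explicitly denied) against the actions in Table 1. Everything it assumes beyond this page is labelled: the region, account and instance IDs are constructed placeholders; the "kvstore:" action prefix, the policy "Version": "1" field and the evaluation order (no matching statement means deny, and a matching Deny overrides a matching Allow) are standard RAM conventions rather than statements from this page. Because every rule in Table 1 names the instance ARN, a Describe* grant scoped to one instance ARN really does confine a RAM user to that instance.

```python
"""Least-privilege RAM policy for ApsaraDB for Redis, with a local evaluator.

Added example, not Alibaba Cloud's code. The IDs below are constructed
placeholders, not real resources.
"""
import json
from fnmatch import fnmatchcase

REGION_ID = "cn-hangzhou"           # placeholder region
ACCOUNT_ID = "123456789012345"      # placeholder numeric account ID
INSTANCE_ID = "r-exampleinstance1"  # placeholder instance ID


def build_arn(region_id="*", account_id="*", instance_id="*"):
    """Return an ARN in the documented format; '*' wildcards a field."""
    return f"acs:kvstore:{region_id}:{account_id}:instance/{instance_id}"


def parse_arn(arn):
    """Split an ApsaraDB for Redis instance ARN into its variable fields."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "kvstore":
        raise ValueError(f"not an ApsaraDB for Redis ARN: {arn}")
    resource_type, _, resource_id = parts[4].partition("/")
    if resource_type != "instance" or not resource_id:
        raise ValueError(f"only instance resources can be authorized: {arn}")
    return {"region": parts[2], "account": parts[3], "instance": resource_id}


def arn_matches(pattern, arn):
    """True if each field of `pattern` is '*' or equals the ARN's field."""
    p, a = parse_arn(pattern), parse_arn(arn)
    return all(p[k] in ("*", a[k]) for k in ("region", "account", "instance"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Evaluate one policy for one action (e.g. 'kvstore:DescribeInstances').

    Assumed RAM semantics: no matching statement means deny; a matching
    Deny statement wins over any matching Allow.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(arn_matches(pat, resource_arn)
                           for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Read-only access to a single instance. The Deny statement guards the two
# destructive operations: an explicit Deny overrides a matching Allow.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kvstore:Describe*"],
            "Resource": [build_arn(REGION_ID, ACCOUNT_ID, INSTANCE_ID)],
        },
        {
            "Effect": "Deny",
            "Action": ["kvstore:FlushInstance", "kvstore:DeleteInstance"],
            "Resource": [build_arn()],  # acs:kvstore:*:*:instance/*
        },
    ],
}


def policy_document():
    """JSON text of the policy, as it would be pasted into a custom RAM policy."""
    return json.dumps(READ_ONLY_POLICY, indent=2)


if __name__ == "__main__":
    print(policy_document())
    target = build_arn(REGION_ID, ACCOUNT_ID, INSTANCE_ID)
    for act in ("kvstore:DescribeInstances", "kvstore:ModifySecurityIps",
                "kvstore:FlushInstance"):
        verdict = "allow" if is_allowed(READ_ONLY_POLICY, act, target) else "deny"
        print(f"{act:32} -> {verdict}")
```

Running the script prints the policy JSON and then allow for DescribeInstances, deny for ModifySecurityIps (no statement matches, so the implicit deny applies) and deny for FlushInstance (explicit Deny). Swapping the instance ID in the target ARN for another instance turns the DescribeInstances result into deny as well, which is the check to run before attaching a policy to confirm its resource scope is as narrow as intended.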