A Resource Access Management (RAM) user requires the AliyunClickHouseFullAccess permission to create clusters and database accounts in the ApsaraDB for ClickHouse console as described in the Quick Start tutorial. This topic describes how to use an Alibaba Cloud account to grant permissions to a RAM user. If you use your Alibaba Cloud account to access ApsaraDB for ClickHouse, you can skip this topic.
Prerequisites
You have an Alibaba Cloud account. If you do not have an account, you can register one on the Alibaba Cloud official website.
You have created a RAM user. For more information, see Create a RAM user.
Procedure
Log on to the RAM console as a RAM administrator.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Add Permissions panel, grant permissions to the RAM user. The following table describes the parameters.
Parameter
Description
Example
Resource Scope
Account: The permissions take effect within the current Alibaba Cloud account.
NoteApsaraDB for ClickHouse does not support specifying resource groups.
Entire Alibaba Cloud account
Principal
The RAM user to grant permissions to. The system automatically adds the current RAM user. You can also add other RAM users.
ClickHouse***@1648821913965368.onaliyun.com
Policy
Access policies are categorized into system policies and custom policies.
System policies: Alibaba Cloud provides multiple default access policies for different management purposes. The system policies for ApsaraDB for ClickHouse are as follows.
AliyunClickHouseFullAccess: Grants permissions to manage ApsaraDB for ClickHouse. This includes full permissions on all ApsaraDB for ClickHouse resources.
AliyunClickHouseReadOnlyAccess: Grants read-only access to ApsaraDB for ClickHouse resources. This includes permissions to view the list of ApsaraDB for ClickHouse clusters and database accounts.
The access policies for products that ApsaraDB for ClickHouse depends on are as follows.
AliyunVPCFullAccess: Grants permissions to manage Virtual Private Cloud (VPC).
When you create an ApsaraDB for ClickHouse cluster, you must select a VPC and a vSwitch. If no VPCs or vSwitches are available under your account, you must create them. Attach this policy.
AliyunARMSFullAccess: Grants permissions to manage Application Real-Time Monitoring Service (ARMS).
The alerting feature of ApsaraDB for ClickHouse depends on the ARMS alert management service. Attach this policy.
Custom policies: Design precise access policies. This option is for users who are familiar with Alibaba Cloud service APIs and require fine-grained control.
NoteYou can attach a maximum of five policies at a time. To attach more policies, perform the operation multiple times.
AliyunClickHouseFullAccess
AliyunVPCFullAccess
AliyunARMSFullAccess
Click Grant permissions.
Click Close.