This topic describes how to grant RAM users permissions to call API operations to analyze the cache of ApsaraDB for Redis instances.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant permissions to the RAM user by using one of the following methods:
  • Simple mode: You can grant all permissions to the RAM user. You do not need to configure parameters.
  • Custom mode: You can create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, this mode requires complex configurations.

Simple mode

Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account and grant the RAM user the AliyunHDMFullAccess permission on Database Autonomy Service (DAS). For more information, see Grant permissions to the RAM user.

Custom mode

In this topic, permissions on a specified ApsaraDB for Redis instance are granted to the RAM user.

Create a policy

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the following policy document and click Next to edit policy information. 
    {
    "Statement": [
        {
            "Action": [
                "hdm:CreateCacheAnalysisTask",
                "hdm:DescribeCacheAnalysisReportList",
                "hdm:DescribeCacheAnalysisReport",
                "hdm:CreateCacheAnalysisJob",
                "hdm:DescribeCacheAnalysisJob",
                "hdm:DescribeCacheAnalysisJobs",
                "hdm:GetInstanceLatestBackup"
            ],
            "Resource": "acs:kvstore:*:*:instance/<ID of your ApsaraDB for Redis instance>",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "hdm.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

  6. Specify the Name and Note parameters.

    For example, set the Name parameter to das-redis-key-analysis-policy.

  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional:Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.

Grant permissions to the RAM user

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  3. In the Select Policy section of the Add Permissions panel, click Custom Policy and select the policy that you created, such as das-redis-key-analysis-policy.
  4. Click OK.
  5. Click Complete.

Related API operations