Database Autonomy Service: Grant RAM users the permissions to call API operations to analyze the cache of Redis instances

Last Updated: Dec 11, 2024

This topic describes how to grant Resource Access Management (RAM) users the permissions to call API operations to analyze the cache of Redis instances.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant permissions to a RAM user by using one of the following methods:

  • Simple mode: Grant all permissions to the RAM user. You do not need to configure parameters.

  • Custom mode: Create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, this mode requires complex configurations.

Simple mode

Log on to the RAM console with your Alibaba Cloud account and grant a RAM user the AliyunHDMFullAccess permission on Database Autonomy Service (DAS). For more information, see Grant permissions to a RAM user.

Custom mode

In this example, permissions on a specific Redis instance are granted to a RAM user.

Create a policy

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the following policy document and click Next to edit policy information:

    {
        "Statement": [
            {
                "Action": [
                    "hdm:CreateCacheAnalysisTask",
                    "hdm:DescribeCacheAnalysisReportList",
                    "hdm:DescribeCacheAnalysisReport",
                    "hdm:CreateCacheAnalysisJob",
                    "hdm:DescribeCacheAnalysisJob",
                    "hdm:DescribeCacheAnalysisJobs",
                    "hdm:GetInstanceLatestBackup"
                ],
                "Resource": "acs:kvstore:*:*:instance/<ID of your Redis instance>",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "hdm.aliyuncs.com"
                    }
                }
            }
        ],
        "Version": "1"
    }

    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

    You can configure multiple Redis instances at a time by specifying the Resource element as an array, as in the following fragment. For more information, see the Resource section in the Policy elements topic.

    "Resource": [
      "acs:kvstore:*:*:instance/<ID of your Redis instance>-001",
      "acs:kvstore:*:*:instance/<ID of your Redis instance>-002",
      "acs:kvstore:*:*:instance/<ID of your Redis instance>-003",
      "acs:kvstore:*:*:instance/<ID of your Redis instance>-004"
    ]

  6. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • (Optional) Advanced optimization

      You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  7. Click OK. In the dialog box that appears, set the Name and Description parameters, and then click OK.

    For example, you can set the Name parameter to das-redis-key-analysis-policy.
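
The following Python script is an added example, not code from this page or from Alibaba Cloud. It generates the policy document from step 5 for a list of instance IDs and audits any policy for the three ways it can become broader than that document: extra actions, a wildcard instance resource, or an unconditioned ram:CreateServiceLinkedRole. The function names and the instance IDs (r-example0001, r-example0002) are constructed for illustration.

```python
import json

# Action names copied from the policy document on this page.
ACTIONS = [
    "hdm:CreateCacheAnalysisTask", "hdm:DescribeCacheAnalysisReportList",
    "hdm:DescribeCacheAnalysisReport", "hdm:CreateCacheAnalysisJob",
    "hdm:DescribeCacheAnalysisJob", "hdm:DescribeCacheAnalysisJobs",
    "hdm:GetInstanceLatestBackup",
]
SLR_ACTION, SLR_SERVICE = "ram:CreateServiceLinkedRole", "hdm.aliyuncs.com"

def as_list(value):
    """RAM accepts a string or an array for Action/Resource; normalise."""
    return [value] if isinstance(value, str) else list(value)

def build_policy(instance_ids):
    """Build the page's policy for one or more Redis instance IDs."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ACTIONS,
         "Resource": [f"acs:kvstore:*:*:instance/{i}" for i in instance_ids]},
        {"Effect": "Allow", "Action": SLR_ACTION, "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": SLR_SERVICE}}},
    ]}

def audit(policy):
    """Return findings where a policy is broader than the page's example."""
    findings = []
    for n, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = as_list(st.get("Action", [])), as_list(st.get("Resource", []))
        extra = [a for a in actions if a not in ACTIONS and a != SLR_ACTION]
        if extra:
            findings.append(f"statement {n}: action(s) not in the page's list: {extra}")
        if any(a.startswith("hdm:") for a in actions) and any(
                r == "*" or r.endswith("/*") for r in resources):
            findings.append(f"statement {n}: hdm actions on a wildcard resource")
        if SLR_ACTION in actions:
            cond = st.get("Condition", {}).get("StringEquals", {})
            if as_list(cond.get("ram:ServiceName", [])) != [SLR_SERVICE]:
                findings.append(f"statement {n}: {SLR_ACTION} not limited to {SLR_SERVICE}")
    return findings

if __name__ == "__main__":
    good = build_policy(["r-example0001", "r-example0002"])  # constructed IDs
    print(json.dumps(good, indent=4))
    broad = {"Version": "1", "Statement": [  # constructed over-broad variant
        {"Effect": "Allow", "Action": "hdm:*", "Resource": "acs:kvstore:*:*:instance/*"},
        {"Effect": "Allow", "Action": SLR_ACTION, "Resource": "*"}]}
    print(audit(good), audit(broad), sep="\n")
```

The audit accepts both the string and the array form of Action and Resource, so it gives the same result before and after the console's basic optimization removes unnecessary arrays.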

Attach the policy to a RAM user

  1. In the left-side navigation pane, choose Identities > Users.

  2. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM users at a time.

  3. In the Select Policy section of the Add Permissions panel, click Custom Policy and select the policy that you created, such as das-redis-key-analysis-policy.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Related API operations

| API operation | Description |
| --- | --- |
| CreateCacheAnalysisJob | Creates a cache analysis task. |
| DescribeCacheAnalysisJob | Queries the information about a cache analysis task. |
| DescribeCacheAnalysisJobs | Queries a list of cache analysis tasks. |