
Database Autonomy Service: Grant RAM users the permissions to call API operations to analyze the cache of ApsaraDB for Redis instances

Last Updated: Nov 07, 2023

This topic describes how to grant Resource Access Management (RAM) users the permissions to call API operations to analyze the cache of ApsaraDB for Redis instances.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant permissions to a RAM user by using one of the following methods:

  • Simple mode: Grant the RAM user all permissions on Database Autonomy Service (DAS) through AliyunHDMFullAccess. You do not need to configure parameters.

  • Custom mode: Create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, this mode requires complex configurations.

Simple mode

Log on to the RAM console by using your Alibaba Cloud account and grant a RAM user the AliyunHDMFullAccess permission on Database Autonomy Service (DAS). For more information, see Grant permissions to RAM users.

Custom mode

In this example, permissions on a specific ApsaraDB for Redis instance are granted to a RAM user.

Create a policy

  1. Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Enter the following policy document and click Next to edit policy information.

    {
        "Statement": [
            {
                "Action": [
                    "hdm:CreateCacheAnalysisTask",
                    "hdm:DescribeCacheAnalysisReportList",
                    "hdm:DescribeCacheAnalysisReport",
                    "hdm:CreateCacheAnalysisJob",
                    "hdm:DescribeCacheAnalysisJob",
                    "hdm:DescribeCacheAnalysisJobs",
                    "hdm:GetInstanceLatestBackup"
                ],
                "Resource": "acs:kvstore:*:*:instance/<ID of your ApsaraDB for Redis instance>",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "hdm.aliyuncs.com"
                    }
                }
            }
        ],
        "Version": "1"
    }

    For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

  6. Configure the Name and Description parameters.

    For example, you can set the Name parameter to das-redis-key-analysis-policy.

  7. Check and optimize the document of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.
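The following lint is an added example, not Alibaba Cloud code. It checks that a policy document stays within the scope of the one shown in step 5: only the listed hdm actions, a Resource that names a single instance, and ram:CreateServiceLinkedRole limited to hdm.aliyuncs.com. The function names and the instance ID r-constructed0001 are assumptions made for illustration.

```python
import json

# Action names and the service name are copied from the policy document on this page.
ALLOWED_HDM = {"hdm:" + name for name in (
    "CreateCacheAnalysisTask", "DescribeCacheAnalysisReportList",
    "DescribeCacheAnalysisReport", "CreateCacheAnalysisJob",
    "DescribeCacheAnalysisJob", "DescribeCacheAnalysisJobs",
    "GetInstanceLatestBackup")}
SLR_ACTION, SLR_SERVICE = "ram:CreateServiceLinkedRole", "hdm.aliyuncs.com"

def as_list(value):
    """Action, Resource and condition values may be a string or an array."""
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy_json):
    """Return findings; an empty list means the policy stays within the page's scope."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements can widen access
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action == SLR_ACTION:
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                if as_list(cond.get("ram:ServiceName", [])) != [SLR_SERVICE]:
                    findings.append(f"statement {i}: {SLR_ACTION} not limited to {SLR_SERVICE}")
            elif action not in ALLOWED_HDM:
                findings.append(f"statement {i}: unexpected action {action}")
        if any(a.startswith("hdm:") for a in actions):
            for res in as_list(stmt.get("Resource", [])):
                # The last ARN segment should be "instance/<one instance ID>".
                if "*" in res.rsplit(":", 1)[-1]:
                    findings.append(f"statement {i}: resource {res} covers more than one instance")
    return findings

def sample_policy(instance="r-constructed0001", with_condition=True):
    """Constructed sample input: the page's policy shape with a made-up instance ID."""
    slr = {"Action": SLR_ACTION, "Resource": "*", "Effect": "Allow"}
    if with_condition:
        slr["Condition"] = {"StringEquals": {"ram:ServiceName": SLR_SERVICE}}
    hdm = {"Action": sorted(ALLOWED_HDM), "Effect": "Allow",
           "Resource": f"acs:kvstore:*:*:instance/{instance}"}
    return json.dumps({"Statement": [hdm, slr], "Version": "1"})

if __name__ == "__main__":
    for label, doc in (("scoped", sample_policy()), ("widened", sample_policy("*", False))):
        print(label, lint_policy(doc) or "ok")
```

Run it against the JSON you pasted into the policy editor, for example after advanced optimization has rewritten the statements, to confirm the scope did not change.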

Attach the policy to a RAM user

  1. In the left-side navigation pane, choose Identities > Users.

  2. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

  3. In the Select Policy section of the Add Permissions panel, click Custom Policy and select the policy that you created, such as das-redis-key-analysis-policy.

  4. Click OK.

  5. Click Complete.

Related API operations

Operation                    Description
CreateCacheAnalysisJob       Creates a cache analysis task.
DescribeCacheAnalysisJob     Queries the information about a cache analysis task.
DescribeCacheAnalysisJobs    Queries a list of cache analysis tasks.