Grant access to Hologres for RAM users

Updated at:
Copy as MD

Grant Resource Access Management (RAM) users access to Hologres to implement the principle of least privilege — without sharing your Alibaba Cloud account credentials or AccessKey pairs.

Two permission layers

Hologres uses two separate permission layers. Understanding the distinction upfront prevents most authorization errors:

Layer

What it controls

Managed from

Console permissions (RAM policies)

Whether a RAM user can view instances, manage billing, and log on to HoloWeb

RAM console

Development permissions (instance-level)

Whether a RAM user can connect to an instance for data development

Hologres instance details page

This topic covers console permissions. To grant development permissions, see Grant a RAM user development permissions on an instance.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account with RAM administrator permissions

  • At least one RAM user or RAM user group to grant permissions to

Grant permissions to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left navigation pane, choose Identities > Groups.

  3. On the Groups page, find the RAM user group you want to manage, then click Attach Policy in the Actions column. To grant permissions to multiple groups at once, select multiple RAM user groups and click Attach Policy at the bottom of the page.

    image

  4. In the Add Permissions dialog box, configure the following parameters:

    1. Select a resource scope: > Important: Resource group-level permissions are only available when the corresponding Alibaba Cloud service and resource type support resource groups. See Alibaba Cloud services that support resource groups. For an authorization example, see Use a resource group to control the permissions of a RAM user on specified ECS instances.

    2. Select an authorization entity: the system auto-selects the current RAM user.

    3. Select access policies: select one or more policies. Access policies fall into two types: system policies and custom policies.

    HoloWeb cannot belong to a resource group. If permissions are granted at the resource group level, RAM users cannot log on to or use HoloWeb. The access policies below control whether a RAM user can log on to and use HoloWeb — not whether the user can connect to a Hologres instance. For instance-level access, grant development permissions from the instance details page.
  5. Click Confirm Authorization Policy, then click Disable.

System policies

System policies are created and maintained by Alibaba Cloud. You can use them but cannot modify them. See Alibaba Cloud services that support RAM for the full list.

Important

Always include AliyunRAMReadOnlyAccess in any policy configuration to make sure the RAM user can access the console.

The system automatically flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid granting these unless explicitly required.

AliyunHologresFullAccess

Grants full management access to the Hologres service in the console.

After this policy is granted, the RAM user can:

  • View all instance information in the console (instance list, instance details, and monitoring pages)

  • Perform billing operations, including purchasing, upgrading, downgrading, renewing, stopping, and deleting instances

  • Log on to and use HoloWeb

Additional notes:

  • This policy does not include permissions to use instances. A superuser must create the RAM user in the instance before the user can connect. See FAQ: RAM user cannot log on to a Hologres instance.

  • When a RAM user purchases an instance, both the RAM user and the Alibaba Cloud account become superusers of that instance.

  • For instances purchased by the Alibaba Cloud account, RAM users have no instance permissions by default. Grant them separately from the instance details page.

  • To let the RAM user view all users on the Users page of the console, also grant AliyunRAMReadOnlyAccess.

AliyunHologresWarehouseFullAccess

Grants full management access to Hologres virtual warehouses.

After this policy is granted, the RAM user can:

  • Manage virtual warehouses, including creating, deleting, scaling out, scaling in, stopping, and resuming

  • Configure scheduled scaling

  • Log on to and use HoloWeb

This policy does not include permissions to use instances. A superuser must create the RAM user in the instance before the user can connect.

AliyunBSSOrderAccess

Grants permission to view, pay for, and cancel orders in User Center (BSS).

After this policy is granted, the RAM user can upgrade, downgrade, and renew instances in the console.

AliyunRAMReadOnlyAccess

Grants read-only access to RAM.

After this policy is granted, the RAM user can view all RAM users and RAM roles under the current Alibaba Cloud account when adding a user on the Users page of HoloWeb.

AliyunHologresReadOnlyAccess

Grants read-only access to Hologres.

After this policy is granted, the RAM user can:

  • View all instance information in the console (instance list and instance details)

  • Log on to and use HoloWeb

Restrictions:

  • No billing operations (purchasing, upgrading, or downgrading instances)

  • No instance management. The Alibaba Cloud account must grant instance-level permissions separately.

  • Cannot view RAM users on the User Management page without also having AliyunRAMReadOnlyAccess.

Custom policies

Custom policies are managed by you. You can create, update, delete, and version them. See Create a custom policy for general instructions. To write policies directly in JSON, see the script mode guide.

Important

Remove all comments from the policy JSON before saving. The policy will fail if comments are present.

The following custom actions are supported for Hologres:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "hologram:*",
            "Resource": "acs:hologram:*:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:*",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:DeleteInstance",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "bss:PayOrder",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:GetInstance",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:ListInstances",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:StopInstance",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:ResumeInstance",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:UpdateInstanceNetworkType",
            "Resource": "acs:hologram:cn-<region>:<AccountID>:instance/*"
        },
        {
            "Effect": "Allow",
            "Action": "hologram:HoloWebAccess",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Replace the placeholders with your actual values:

Placeholder

Description

Example

<region>

Region name

beijing

<AccountID>

Alibaba Cloud account ID

4322xxxxx

* in instance/*

All instances in the account. Can be replaced with a specific instance ID for most actions (see note below).

hhhgggxxxx

Example resource string:

acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx
Important

For the following actions, the * in instance/* cannot be replaced with a specific instance ID — it must remain *:

  • hologram:* (all operations)

  • hologram:ListInstances

  • hologram:DeleteInstance — Note: if this permission is not configured, delete operations will fail even though a success message is displayed.

  • hologram:StopInstance

  • hologram:ResumeInstance

  • cms:DescribeMetricList and cms:QueryMetricList (for monitoring alerts)

FAQ: Console permissions {#faq-console}

RAM user cannot view the instance list

Error: You are not authorized to view the purchased instances. Contact the relevant Alibaba Cloud account to grant the hologram:ListInstances permission to you in the RAM console.

The RAM user is missing the hologram:ListInstances permission.

Performed by the Alibaba Cloud account owner: Log on to the RAM console and grant the RAM user the AliyunHologresReadOnlyAccess policy.

RAM user with superuser priviledge cannot list or add users in HoloWeb

Error

You are unauthorized to view all the RAM users. Contact the relevant Alibaba Cloud account to grant the ram:ListUsers permission to you through a permission policy, such as AliyunRAMReadOnlyAccess, in the RAM console.

Cause

The RAM user doesn't have the permission to list users in HoloWeb.

Solution

Performed by the Alibaba Cloud account owner: Log on to the RAM console and grant the RAM user the ram:ListUsers permission (or AliyunRAMReadOnlyAccess policy).

RAM user have no access to Account Management and Database Management

Error

You are not authorized to perform this operation. Contact the superuser to add your account to the current instance.

Cause

The RAM user doesn't have development permissions on the instance.

Solution

Performed by the Alibaba Cloud account owner: Grant the user the development permissions. See Grant development permissions.

RAM user cannot manage instances

Error

An error occurred while performing RAM authorization.

This error appears when a RAM user tries to purchase, upgrade, downgrade, or change the billing method of an instance from Pay-as-you-go to subscription. These operations involve billing and require permissions at the Alibaba Cloud account level.

Performed by the Alibaba Cloud account owner: Log on to the RAM console and grant the RAM user both AliyunHologresFullAccess and AliyunBSSOrderAccess.

FAQ: Instance usage permissions {#faq-instance-usage}

RAM user cannot log on to a Hologres instance

Error: role "<role_name>" does not exist

When a Hologres instance is created, only the Alibaba Cloud account and the RAM user who purchased the instance are added as superusers. Other RAM users must be explicitly created as instance users by a superuser before they can connect.

To check who the current superusers are, run: select * from pg_user;

Performed by a superuser: Ask a superuser to do one of the following:

All superusers were accidentally removed

If all superusers of an instance are changed to regular users, most operations — including user management and instance configuration — become unavailable.

Contact Hologres technical support through the official Q&A DingTalk group. See Online support.

What's next