This topic describes the concept of Alibaba Cloud Resource Access Management (RAM) and provides an example of using RAM in PolarDB-X 1.0.


RAM is an Alibaba Cloud service that helps you manage user identities and access to your cloud resources. You can use RAM to create and manage different accounts, such as employee accounts, system accounts, and application accounts. You can also manage the operation permissions that these user accounts have on resources of your Alibaba Cloud account. If multiple users in an enterprise or organization need to use resources in a collaborative manner, RAM can prevent the wide spread of the AccessKey pair of the Alibaba Cloud account and grant users the minimum required permissions. In this way, RAM reduces information security risks. For more information, see What is RAM?.

Before you use RAM, you must understand basic concepts, such as the Alibaba Cloud account, RAM user, credential, and RAM role. Understanding these concepts can help you get started with RAM. For more information about RAM, see Terms.

Examples of using RAM in PolarDB-X 1.0

Assume that an Alibaba Cloud user named Alice has two PolarDB-X 1.0 instances: PolarDB-X_a and PolarDB-X_b. Alice has full permissions on both instances.

  • To keep the security of the AccessKey pair of the Alibaba Cloud account, Alice uses RAM to create two RAM users: Bob and Carol.
  • Alice creates the access_drds_a and access_drds_b permission policies, which represent the read and write permissions on PolarDB-X_a and PolarDB-X_b, respectively.
  • Alice separately authorizes Bob and Carol in the console, so that Bob has read and write permissions on PolarDB-X_a and Carol has read and write permissions on PolarDB-X_b.

Bob and Carol have their own AccessKey pairs. If a RAM user's AccessKey pair is leaked, only one of the PolarDB-X 1.0 instances is affected. In the console, Alice can also timely revoke the permission of the RAM user whose AccessKey pair has been leaked.

Access control