PolarDB:Enterprise-grade SaaS service

Last Updated:Jun 08, 2026

The PolarDB Agent Express SaaS management application is a web service deployed within your VPC to centrally create and manage PolarDB Agent Express applications. This service allows you to use templates for PolarDB Agent Express application configurations and integrate with enterprise applications, such as Feishu, DingTalk, or WeCom, to achieve unified authentication and authorization for your team members. This topic walks you through preparing credentials, creating the application, configuring network access, and using the application.

Overview

The PolarDB Agent Express SaaS management application is a private management platform deployed in your Alibaba Cloud account. It encapsulates the complex configuration process of PolarDB Agent Express applications into a graphical interface that solves the following problems:

  • Simplified deployment: Provides predefined templates that let team members create PolarDB Agent Express applications with a single click, eliminating the need to understand underlying details.

  • Unified authentication: Integrates with your organization's directory from enterprise applications like Feishu, DingTalk, or WeCom to enable secure, identity-based login.

  • Permission control: Lets SaaS administrators centrally manage and maintain configuration templates for PolarDB Agent Express applications.

Before you begin

Before creating the application, prepare the following credentials:

  • An AccessKey from a RAM user with specific permissions.

  • Credentials from a custom enterprise application that you have created and published in Feishu, DingTalk, or WeCom.

Preparation 1: Obtain a RAM user AccessKey

The PolarDB Agent Express SaaS management application uses an AccessKey to call Alibaba Cloud APIs for creating and managing resources. To follow the principle of least privilege, use a dedicated RAM user and AccessKey for this task.

  1. Create a permission policy

    1. Log on to the RAM console. In the left-side navigation pane, choose Permissions > Policies.

    2. Click Create Policy and go to the Script tab.

    3. Paste the following JSON policy into the policy editor, and then click OK.

      JSON policy

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "polardb:DescribeDBClusters",
              "polardb:DescribeAIDBClusters",
              "polardb:DescribeDBClusterAttribute",
              "polardb:DescribeDBClusterEndpoints",
              "polardb:DescribeRegions",
              "polardb:DescribeHistoryEvents",
              "polardb:DescribePolarAgents",
              "polardb:DescribeApplications",
              "polardb:CreateApplication",
              "polardb:DeleteApplication",
              "polardb:DescribeApplicationAttribute",
              "polardb:OperateApplication",
              "polardb:UpgradeApplicationVersion",
              "polardb:DescribeApplicationParameters",
              "polardb:ModifyApplicationParameter",
              "polardb:ModifyApplicationDescription",
              "polardb:ModifyApplicationWhitelist",
              "polardb:CreateApplicationEndpointAddress",
              "polardb:DeleteApplicationEndpointAddress",
              "polardb:DescribePolarClawSkills",
              "polardb:ModifyPolarClawSkill",
              "polardb:DescribeApplicationPerformance",
              "polardb:DescribeApplicationBackupPolicy",
              "polardb:ModifyApplicationBackupPolicy",
              "polardb:DescribeApplicationBackups",
              "polardb:CreateApplicationBackup",
              "polardb:DeleteApplicationBackup",
              "polardb:RestoreApplicationByBackupSet",
              "polardb:DescribeApplicationPrompts",
              "polardb:CreateApplicationPrompt",
              "polardb:ModifyApplicationPrompt",
              "polardb:DeleteApplicationPrompt",
              "polardb:ApplyApplicationPrompts",
              "polardb:ModifyApplicationPromptStatus",
              "polardb:DescribeApplicationLogs",
              "polardb:DescribeApplicationSessionIds",
              "polardb:DescribeApplicationSessionLogs",
              "polardb:DescribePolarClawSkillsMarket",
              "polardb:DescribePolarClawSkillTemplates",
              "polardb:DescribePolarClawSkillTemplate",
              "polardb:DescribePolarClawSkillAssessment",
              "polardb:CreatePolarClawSkillTemplate",
              "polardb:DeletePolarClawSkillTemplate",
              "polardb:CreatePolarClawSkill",
              "polardb:GetPolarClawSkillRegion",
              "polardb:CheckPolarClawSkill",
              "polardb:DeletePolarClawSkill",
              "polardb:CreateBatchTask",
              "polardb:DescribeBatchTasks",
              "polardb:DescribeBatchTask",
              "polardb:DescribeGatewayList",
              "polardb:DescribeAIGatewayInstances",
              "polardb:DescribeAIGatewayAttribute",
              "polardb:ListAIGatewayModelApis",
              "polardb:GetAIGatewayModelApiCreationOptions",
              "polardb:CreateAIGatewayModelApi",
              "polardb:ModifyAIGatewayModelApi",
              "polardb:DeleteAIGatewayModelApi",
              "polardb:ListAIGatewayModelServices",
              "polardb:CreateAIGatewayModelService",
              "polardb:ListAIGatewayConsumerGroups",
              "polardb:CreateAIGatewayConsumerGroup",
              "polardb:DeleteAIGatewayConsumerGroup",
              "polardb:ModifyAIGatewayConsumerGroup",
              "polardb:ListAIGatewayConsumers",
              "polardb:DescribeAIGatewayConsumer",
              "polardb:CreateAIGatewayConsumer",
              "polardb:ResetAIGatewayConsumerApiKey",
              "polardb:DeleteAIGatewayConsumer",
              "polardb:ListAIGatewayRateLimitPolicies",
              "polardb:CreateAIGatewayRateLimitPolicy",
              "polardb:DeleteAIGatewayRateLimitPolicy",
              "polardb:ModifyAIGatewayRateLimitPolicy",
              "polardb:ListAIGatewayBudgetPolicies",
              "polardb:CreateAIGatewayBudgetPolicy",
              "polardb:DeleteAIGatewayBudgetPolicy",
              "polardb:ModifyAIGatewayBudgetPolicy",
              "polardb:DescribeGatewayAttribute",
              "polardb:DescribeBudgetStats",
              "polardb:DescribeCostRules",
              "polardb:CreateCostRule",
              "polardb:ModifyCostRule",
              "polardb:DeleteCostRule",
              "polardb:StartAIGateway",
              "polardb:StopAIGateway",
              "polardb:RestartAIGateway",
              "polardb:ReleaseAIGateway",
              "polardb:CreateAIGatewayPublicEndpoint",
              "polardb:DescribeAIGatewaySecurityGroups",
              "polardb:DescribeAIGatewayIPArrayList",
              "polardb:ModifyAIGatewaySecurityIPs",
              "polardb:DescribeAIGatewayPerformance",
              "polardb:ListAIGatewayEvents",
              "polardb:ListTagResourcesForRegion",
              "polardb:TagResources",
              "polardb:UntagResources",
              "polardb:DescribeModelServices",
              "polardb:DescribeModelApis",
              "polardb:DescribeConsumerGroups",
              "polardb:DescribeRateLimitPolicy"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "tag:ListTagKeys",
              "tag:ListTagValues"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "oss:PutBucketPolicy",
              "oss:GetBucketPolicy",
              "oss:PutObject"
            ],
            "Resource": "*"
          },  
          {
            "Effect": "Allow",
            "Action": [
              "bss:Refund*"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "bss:Renew*"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "bss:ModifyInstance"
            ],
            "Resource": "*"
          }
        ]
      }
    4. Name the policy (for example, PolarDB Agent ExpressSaaSMinimalAccess) and complete the creation.

  2. Create a RAM user and grant permissions

    1. In the left-side navigation pane, choose Identities > Users, and then select or create a RAM user.

      1. To use an existing user: Go to the user details page. On the AccessKey tab, you can use an existing AccessKey or create a new one. To create a new AccessKey, select Used in local development environment and securely save the generated AccessKey ID and AccessKey Secret.

      2. To create a new user: On the Create User page, fill in the Basic Information and select Use permanent AccessKey for access. After the user is created, save the AccessKey ID and AccessKey Secret.

    2. On the user details page, switch to the Permission Management tab, click Add Authorization, and grant the PolarDB Agent ExpressSaaSMinimalAccess policy that you created in the previous step to the user.
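An added example (not part of the original documentation): a short review script that lists which Allow grants in a policy like the one above use a wildcard action or grant a non-read action on Resource "*", so you can decide whether to scope them before attaching the policy. The sample policy is a constructed excerpt, and the list of read-only verb prefixes is an assumption of this example.

```python
import json

# Constructed excerpt: three statements shaped like those in the policy above.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["polardb:DescribeDBClusters", "polardb:CreateApplication"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["oss:PutBucketPolicy", "oss:GetBucketPolicy", "oss:PutObject"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["bss:Refund*"], "Resource": "*"}
  ]
}
"""

# Assumption of this example (not an Alibaba Cloud list): verbs starting with
# these prefixes only read state and are not reported.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Check")


def _as_list(value):
    """Treat a single string the same as a one-element list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_text):
    """Return (statement_index, action, reason) for each Allow grant worth reviewing."""
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action:
                findings.append((idx, action, "wildcard action"))
            elif unscoped and not verb.startswith(READ_ONLY_PREFIXES):
                findings.append((idx, action, 'write action on Resource "*"'))
    return findings


def count_by_service(findings):
    """Group findings by service prefix (the part before the colon)."""
    counts = {}
    for _, action, _ in findings:
        service = action.split(":")[0]
        counts[service] = counts.get(service, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {action}: {reason}")
```

To review the full policy, save the JSON from the policy editor to a file and pass its contents to audit_policy.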

Preparation 2: Obtain enterprise app credentials

The PolarDB Agent Express SaaS management application uses a custom application from Feishu, DingTalk, or WeCom for user authentication.

DingTalk

  1. Create a DingTalk application:

    1. Go to the DingTalk Open Platform and click Application Development in the top navigation bar. In the left-side navigation pane of the Application Development page, click Internal Apps > DingTalk Apps, and then click Create App in the upper-right corner.

    2. In the Create App panel, enter the app name, description, and optionally an icon. Click Save to finish.

  2. Add required permissions: In the left-side navigation pane, click Development Configuration > Permissions, and add the permission Contact.User.Read.

  3. Publish the DingTalk application: You must publish a version to make the application available to other users in your organization.

    1. In the left-side navigation pane, click App Release > Version Management and Release, and then click Create New Version.

    2. On the version details page, enter a version number and description, select the appropriate availability scope, and then click Save. In the pop-up window, click Confirm Release.

  4. After the application is published, go to the Credentials and Basic Information page and record the Client ID and Client Secret. You will need these values to configure the PolarDB Agent Express SaaS management application.

Feishu

  1. Log on to the Feishu Open Platform and click Developer Console in the upper-right corner. In the console, click Create Custom App, enter the App Name, App Description, and App Icon, and then click Create.

  2. In the left-side navigation pane, click Permissions, and then click Enable Permissions.

  3. Search for and select the following permissions. Click Confirm to Enable Permissions, and then click Confirm.

    Important

    After adding permissions, you must click Confirm to save the changes. Otherwise, the permissions will not take effect.

    Permission ID                     Description
    contact:user.employee:readonly    Get user employee information
    contact:user.phone:readonly       Get user phone number
    contact:user.base:readonly        Get user basic information
    contact:user.email:readonly       Get user email address

  4. After configuring the permissions, you must publish the application. In the left-side navigation pane, click Version Management and Release, and then click Create New Version in the upper-right corner.

  5. Change the Availability to All members, fill in the version number and update description, and then click Save and Confirm Release at the bottom of the page.

  6. After the application is published, go to the Credentials and Basic Information page and record the App ID and App Secret. You will need this information to configure the PolarDB Agent Express SaaS management application.

WeCom

  1. Create a WeCom application:

    1. Log on to the WeCom Admin Console. In the left-side navigation pane, choose App Management > Custom, and then click Create App.

    2. Enter the application name, logo, and availability scope, and then click Create App.

  2. Obtain application credentials:

    • Get Agent ID and Secret: Click the application you just created. On the application details page, find and record the AgentId and Secret.

    • Get Corp ID: In the left-side navigation pane, choose My Company. On the company information page, find and record the enterprise ID (Corp ID).

  3. Record the Corp ID, Agent ID, and Secret. You will need this information to configure the PolarDB Agent Express SaaS management application later.

Procedure

Follow these steps to create and configure the application.

Step 1: Create a PolarDB Agent Express SaaS management application

  1. Log on to the PolarDB console. In the left-side navigation pane, click PolarDB AI > PolarDB Agent Express. In the top navigation bar, select your target region.

  2. On the PolarDB Agent Express page, switch to the SaaS Configuration tab, and click Create Now.

  3. On the creation page, configure the following parameters:

    • Alibaba Cloud Account AccessKey: Enter the AccessKey ID and AccessKey Secret that you obtained in Preparation 1.

    • VPC Network and Zone and vSwitch: Select the VPC and vSwitch where the PolarDB Agent Express SaaS management application will be deployed.

    • Security Group: Select a security group and ensure that its inbound rules allow traffic on port 8080.

    • SaaS Login Method: For Application Type, select Lark, DingTalk, or WeCom, and enter the corresponding enterprise application credentials that you obtained in Preparation 2.

  4. Click OK to start the creation process.

Step 2: Configure networking and access

After a PolarDB Agent Express SaaS management application is created, it is accessible only from within a VPC by default. To allow the PolarDB Agent Express SaaS management application to communicate with Feishu, DingTalk, or WeCom authentication services on the public internet and be publicly accessible, you need to configure the network.

[Diagram: Step 1: Create SaaS management app -> Step 2: Configure network & access -> Step 3: Configure callback address -> Step 4: Access & use SaaS app]

  1. Create a public NAT gateway: Go to the NAT Gateway - Public NAT Gateway Purchase Page to create one. During the creation process, ensure that you select the same VPC and vSwitch as the PolarDB Agent Express SaaS management application.

  2. Configure an SNAT entry: Go to the NAT Gateway page. In the Actions column of the target gateway, click Configure SNAT, and then click Create SNAT Entry. Configure the parameters as follows:

    • SNAT Entry: VPC-level.

    • Select EIP: From the drop-down list, select an EIP to provide public access.

    Note

    Enabling public access will incur charges for the NAT gateway and public network traffic. For more information, see NAT Gateway Billing.

  3. (Optional) Request a public address
    If you want to access the management application from the internet, return to the PolarDB Agent Express SaaS management application details page in the PolarDB console and click Enable Public Endpoint to request a public address for it.

Step 3: Configure the enterprise app callback address

DingTalk

  1. Get the callback address
    On the details page of the PolarDB Agent Express SaaS management application, in the PolarDB Agent SaaS Workflow > Application Security Settings section, copy the system-generated DingTalk redirect URL.

  2. Configure DingTalk security settings
    Return to the DingTalk Open Platform, go to your custom application, and on the Security Settings page, add the copied callback address to Redirect URL (Callback Domain).

[Diagram: SaaS workflow -> Application Security Settings -(copy Redirect URL)-> DingTalk Open Platform -(paste Redirect URL)-> Security Settings]

Feishu

  1. Get the callback address
    On the details page of the PolarDB Agent Express SaaS management application, in the PolarDB Agent SaaS Workflow > Application Security Settings section, copy the system-generated Feishu redirect URL.

  2. Configure Feishu security settings
    Return to the Feishu Open Platform and go to your custom application. On the Security Settings page, add the copied callback address to the redirect URL and enter the IP address from the callback address in the IP whitelist.

WeCom

  1. Set a trusted domain
    Log on to the WeCom admin console, go to your custom application, and in the Developer Interface > Web Authorization and JS-SDK section, set the trusted domain. This domain must be bound to the public IP address of the SaaS management service.

    Note

    When you set a trusted domain, download the verification file and deploy it to the root directory of the domain's server. Ensure the verification file is publicly accessible before you submit it for verification. To obtain the public IP address of the SaaS management service, submit a ticket to contact us.

  2. Configure a trusted corporate IP address
    On the application details page, in the Developer Interface > Trusted Corporate IP section, add the public egress IP address of the SaaS management service. To obtain this IP address, submit a ticket to contact us.

Step 4: Access and use the SaaS management application

  1. Configure the access allowlist
    In the allowlist settings for the PolarDB Agent Express SaaS management application, add the IP addresses of clients that are allowed to access the application.

    • If accessing over the internet, add the public egress IP address of your local network.

    • If accessing over an internal network, add the client IP address within your VPC.

  2. Access the application
    On the details page for the PolarDB Agent Express SaaS management application, find the private address or the public address that you have requested, and access it in a browser.

  3. Log in and create a PolarDB Agent Express template
    First-time users are automatically granted administrator permissions. On the Account Management page, create a configuration template for the PolarDB Agent Express application (Lobster module). For example, specify the model source as Model Studio, and enter the corresponding ModelFrom and ModelApiKey.

  4. How team members create applications
    After the template is configured, other team members can log in to the SaaS management application. On the PolarDB Agent Express Management page, they can then select a template to create their own PolarDB Agent Express application with a single click.
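The allowlist rules from step 1 of Step 4, as an added example that is not part of the original documentation: a check that classifies each entry as an internal VPC client or a public egress address and flags entries that admit more clients than intended. It assumes the allowlist takes IPv4 addresses or CIDR blocks; the VPC CIDR, the /24 threshold, and the sample entries are constructed for illustration.

```python
import ipaddress

# Private IPv4 ranges (RFC 1918); anything else is treated as public here.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample entries; the public ones use documentation ranges.
SAMPLE_ENTRIES = ["203.0.113.7", "192.168.10.25", "0.0.0.0/0",
                  "198.51.100.0/20", "10.1.2.3", "office-gw"]


def classify(entry, vpc, min_public_prefix=24):
    """Return a verdict for one allowlist entry.

    vpc is the VPC CIDR of the management application (assumed input);
    min_public_prefix is this example's threshold for "too broad".
    """
    try:
        net = ipaddress.IPv4Network(entry.strip(), strict=False)
    except ValueError:
        return "invalid"              # not an IPv4 address or CIDR block
    if net.prefixlen == 0:
        return "open"                 # matches every client
    if net.subnet_of(vpc):
        return "internal"             # client inside the VPC
    if any(net.subnet_of(p) for p in RFC1918):
        return "private-outside-vpc"  # private range, but not this VPC
    if net.prefixlen < min_public_prefix:
        return "broad"                # public range wider than the threshold
    return "public"                   # a public egress address or small range


def review_allowlist(entries, vpc_cidr):
    """Map each entry to its verdict, keeping the input order."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    return {entry: classify(entry, vpc) for entry in entries}


def needs_attention(verdicts):
    """Entries that are neither a VPC client nor a narrow public address."""
    return [e for e, v in verdicts.items() if v not in ("internal", "public")]


if __name__ == "__main__":
    verdicts = review_allowlist(SAMPLE_ENTRIES, "192.168.0.0/16")
    for entry, verdict in verdicts.items():
        print(f"{entry:20} {verdict}")
    print("review:", needs_attention(verdicts))
```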