
PolarDB:Authorize RAM users to manage PolarDB by using custom policies

Last Updated:May 12, 2025

This topic describes how to authorize Resource Access Management (RAM) users to manage PolarDB by using custom policies. If the system policies that are provided by RAM cannot meet your business requirements, you can create custom policies to manage PolarDB permissions. For example, you can create custom policies to grant permissions on specific resources and operations.

Prerequisites

Make sure that an Alibaba Cloud account is created before you use RAM to manage permissions. If not, go to the Sign up to Alibaba Cloud page.

Background information

  • A policy defines a set of permissions that are described based on the policy structure and syntax. A policy describes the authorized resource sets, authorized operation sets, and the authorization conditions. For more information, see Policy structure and syntax.

  • Before you use custom policies for fine-grained PolarDB permission management, familiarize yourself with how to specify PolarDB resources for RAM users in policies. For more information, see Use RAM for resource authorization.

Note

To customize permissions or grant the specific permissions on tables, you can use the permission management feature of Database Management Service (DMS). For more information, see Manage user permissions on MySQL databases.

Procedure

  1. Create a custom policy. For more information, see Create custom policies.

    Sample custom policies:

    Restrict access to specific clusters

    Assume that you have multiple PolarDB clusters within your Alibaba Cloud account. You want to authorize a RAM user to use only two clusters whose IDs are i-001 and i-002. In this case, you can create the following policy:

    {
      "Statement": [
        {
          "Action": "polardb:*",
          "Effect": "Allow",
          "Resource": [
                      "acs:polardb:*:*:*/i-001",
                      "acs:polardb:*:*:*/i-002"
                      ]
        },
        {
          "Action": "polardb:Describe*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
    Note
    • The RAM user to which the policy is attached can view all clusters and their resources, but can manage only the two clusters i-001 and i-002. The same restriction applies whether the user works in the console or calls API operations, command-line interfaces (CLIs), or software development kits (SDKs); the two clusters can be managed through any of them.

    • The policy must keep the polardb:Describe* statement on all resources ("Resource": "*"). Otherwise, the RAM user cannot see the cluster list in the PolarDB console.

    Restrict access to specific features

    If you want to authorize a RAM user to use only some features of PolarDB, you can create the following policy:

    {
        "Statement": [
            {
                "Action": [
                  "polardb:Describe*",
                  "polardb:CreateBackup",
                  "polardb:DeleteBackup",
                  "polardb:ModifyDBClusterAccessWhitelist"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }
    Note
    • The RAM user to which the policy is attached can only query cluster information and backups, create and delete backups, and modify IP whitelists. Because Resource is "*", these operations are allowed on all PolarDB clusters within your account.

    • PolarDB allows you to specify whether RAM users can perform specific operations on PolarDB resources. You can list individual API operations in the Action element for fine-grained PolarDB permission management. For more information, see Services that work with RAM.

    Restrict IP access

    If you want to allow a RAM user to access PolarDB only from specific IP addresses, create the following policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "polardb:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "IpAddress": {
                        "acs:SourceIp": [
                            "xxx.xxx.x.x"
                        ]
                    }
                }
            }
        ]
    }
    Note
    • The RAM user to which the policy is attached can manage all PolarDB clusters within the account, but only from the specified IP addresses. If you write "Action": "*" instead of "polardb:*", the grant extends to every Alibaba Cloud service, not only PolarDB.

    • Replace the value of acs:SourceIp with the public IP addresses or CIDR blocks of your environment, for example 192.0.2.10 or 192.0.2.0/24.

    • An Allow statement with a condition grants nothing outside that condition, but it does not block access that other policies attached to the same user grant. To enforce the IP restriction regardless of other policies, add a Deny statement with a NotIpAddress condition on acs:SourceIp; an explicit Deny always overrides an Allow.

    Restrict TDE status

    If you want to prevent a RAM user from creating clusters without Transparent Data Encryption (TDE) enabled, create the following policy. The Deny statement rejects any PolarDB request whose polardb:EncryptionRequired condition key is false. Because an explicit Deny overrides any Allow, attach this policy together with the policy that grants the user's actual permissions; on its own it grants nothing.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "polardb:*",
          "Resource": "*",
          "Condition": {
            "Bool": {
              "polardb:EncryptionRequired": [
                "false"
              ]
            }
          }
        }
      ]
    }
  2. Attach the custom policy to a RAM user. For more information, see Grant permissions to a RAM user.
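    Before you attach a policy, it helps to check what it actually decides for concrete requests. The following script is an added example and is not Alibaba Cloud code: it is a deliberately small model of the RAM evaluation rules the sample policies above rely on (Allow and Deny statements, wildcard matching on Action and Resource, the IpAddress, NotIpAddress and Bool condition operators, explicit Deny overriding Allow, and implicit deny when nothing matches). It is a reasoning aid, not the real authorizer. The cluster IDs, account ID, IP addresses, the "dbcluster" type segment in the resource strings and the requests are all constructed for the example; the IP policy uses polardb:* as its Action and is paired with a constructed NotIpAddress Deny to show why that companion statement is needed.

```python
# Added example, not Alibaba Cloud code: a minimal model of how RAM evaluates
# the policies on this page (Allow/Deny, wildcard Action/Resource matching,
# IpAddress/NotIpAddress and Bool conditions, explicit Deny overrides Allow,
# no match means implicit deny). All IDs, IPs and requests are constructed.
import fnmatch
import ipaddress
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    # Glob match for Action/Resource strings; RAM compares them case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(condition, request):
    """Every operator/key pair must hold; a key missing from the request fails it."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = request.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in [w.lower() for w in wanted]:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def evaluate(policies, request):
    """Decide 'Allow'/'Deny' for a request dict holding Action, Resource and condition keys."""
    allowed = False
    for policy in policies:
        for stmt in json.loads(policy)["Statement"]:
            if (_match(stmt["Action"], request["Action"])
                    and _match(stmt["Resource"], request["Resource"])
                    and _condition_ok(stmt.get("Condition", {}), request)):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny beats every Allow
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# "Restrict access to specific clusters" policy from this page.
CLUSTER_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": "polardb:*", "Effect": "Allow",
     "Resource": ["acs:polardb:*:*:*/i-001", "acs:polardb:*:*:*/i-002"]},
    {"Action": "polardb:Describe*", "Effect": "Allow", "Resource": "*"}]})

# "Restrict IP access" policy, with the Action scoped to polardb:*.
IP_ALLOW_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": "polardb:*", "Effect": "Allow", "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}}]})

# Constructed companion Deny: makes the IP fence hold even when other Allow
# policies are attached to the same user.
IP_DENY_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": "polardb:*", "Effect": "Deny", "Resource": "*",
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}}]})

# "Restrict TDE status" policy from this page.
TDE_DENY_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": "polardb:*", "Effect": "Deny", "Resource": "*",
     "Condition": {"Bool": {"polardb:EncryptionRequired": ["false"]}}}]})

# Constructed resource strings; the "dbcluster" type segment is an assumption
# (the page's patterns wildcard it).
CLUSTER_001 = "acs:polardb:cn-hangzhou:1234567890123456:dbcluster/i-001"
CLUSTER_003 = "acs:polardb:cn-hangzhou:1234567890123456:dbcluster/i-003"


def scenarios():
    """Run the page's policies against constructed requests; returns name -> decision."""
    off_site = {"Action": "polardb:DeleteDBCluster", "Resource": CLUSTER_001,
                "acs:SourceIp": "203.0.113.9"}
    create = {"Action": "polardb:CreateDBCluster", "Resource": "*",
              "acs:SourceIp": "192.0.2.10"}
    return {
        "manage i-001": evaluate([CLUSTER_POLICY],
                                 {"Action": "polardb:DeleteDBCluster", "Resource": CLUSTER_001}),
        "manage i-003": evaluate([CLUSTER_POLICY],
                                 {"Action": "polardb:DeleteDBCluster", "Resource": CLUSTER_003}),
        "describe i-003": evaluate([CLUSTER_POLICY],
                                   {"Action": "polardb:DescribeDBClusters", "Resource": CLUSTER_003}),
        # An Allow with a condition does not block the off-site request that
        # another Allow policy permits; the companion Deny does.
        "off-site, allow only": evaluate([IP_ALLOW_POLICY, CLUSTER_POLICY], off_site),
        "off-site, with deny": evaluate([IP_ALLOW_POLICY, IP_DENY_POLICY, CLUSTER_POLICY], off_site),
        # The TDE Deny fires only when the request carries EncryptionRequired=false.
        "create without TDE": evaluate([IP_ALLOW_POLICY, TDE_DENY_POLICY],
                                       {**create, "polardb:EncryptionRequired": "false"}),
        "create with TDE": evaluate([IP_ALLOW_POLICY, TDE_DENY_POLICY],
                                    {**create, "polardb:EncryptionRequired": "true"}),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:24} {decision}")
```

    Run it with `python3 policy_check.py` (any file name works) and compare the decisions with what the notes above claim: the cluster-scoped user can describe i-003 but not delete it, the off-site request is allowed until the NotIpAddress Deny is attached, and the TDE Deny rejects only the request that carries EncryptionRequired set to false. Extend the request dictionaries with your own cluster IDs and condition keys before attaching a policy to a real RAM user.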