Resource Access Management (RAM) lets you grant sub-accounts fine-grained access to PolarDB-X 1.0 resources. This page lists the RAM authorization rules supported by PolarDB-X 1.0 and the regions where RAM is available.
How authorization rules work
Each RAM policy statement requires an Action and a Resource. For PolarDB-X 1.0, resources follow this pattern:
acs:drds:<regionId>:<accountId>:<resourcePath>
Replace the placeholders with actual values:
| Placeholder | Description | Example |
|---|---|---|
| <regionId> | Region ID where the instance resides. See Regions that support RAM. | cn-hangzhou |
| <accountId> | Your Alibaba Cloud account ID | 123456789012 |
| <resourcePath> | The resource path. See the authorization rules tables below. | instance/drds-abc123 |
Example: To grant access to a specific instance in China (Hangzhou):
acs:drds:cn-hangzhou:123456789012:instance/drds-abc123
Resource types
PolarDB-X 1.0 supports five resource patterns:
| Resource pattern | Scope |
|---|---|
| instance/* | All instances (wildcard) |
| instance/$instanceid | A specific instance |
| instance/$instanceid/db/* | All databases in a specific instance (wildcard) |
| instance/$instanceid/db/$dbname | A specific database in a specific instance |
| contacts/* | All alert contacts (wildcard) |
Authorization rules
The following tables list all supported actions, grouped by access level. Use these tables to build RAM policies with the minimum required permissions.
Replace all $-prefixed parameters in the Authorization rule column with actual values. For $regionId, use the region ID from Regions that support RAM.
Instance management
These actions operate at the instance level (instance/* or instance/$instanceid).
| Action | Authorization rule | Description |
|---|---|---|
| CreateDrdsInstance | acs:drds:$regionid:$accountid:instance/* | Create an instance |
| DescribeDrdsInstanceList | acs:drds:$regionid:$accountid:instance/* | List instances |
| UpgradeDrdsInstance | acs:drds:$regionid:$accountid:instance/$instanceid | Change instance configurations |
| RemoveDRDSInstance | acs:drds:$regionid:$accountid:instance/$instanceid | Release an instance |
| DescribeDrdsInstance | acs:drds:$regionid:$accountid:instance/$instanceid | Get instance details |
| VersionChanage | acs:drds:$regionid:$accountid:instance/$instanceid | Upgrade or roll back the instance version |
| CreateInternetAddress | acs:drds:$regionid:$accountid:instance/$instanceid | Create a public IP address for the instance |
| ReleaseInternetAddress | acs:drds:$regionid:$accountid:instance/$instanceid | Release the public IP address of the instance |
| DescribeInstanceMonitor | acs:drds:$regionid:$accountid:instance/$instanceid | Get instance monitoring information |
| DescribeSlowSql | acs:drds:$regionid:$accountid:instance/$instanceid | Query slow SQL statements |
Database management
These actions operate at the database level (instance/$instanceid/db/* or instance/$instanceid/db/$dbname).
| Action | Authorization rule | Description |
|---|---|---|
| CreateDrdsDB | acs:drds:$regionid:$accountid:instance/$instanceid/db/* | Create a database |
| DescribeDrdsDbList | acs:drds:$regionid:$accountid:instance/$instanceid/db/* | List databases in the instance |
| DescribeDrdsDb | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Get database details |
| DeleteDrdsDb | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Delete a database |
| ModifyReadWriteWeight | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Modify the read policy |
| DescribeLogicTableList | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | List tables in the database |
| ExecuteDDL | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Execute a data definition language (DDL) statement in the PolarDB-X 1.0 console |
| ModifyDrdsIpWhiteList | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Modify the IP address whitelist of the database |
| DrdsDataImport | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Import data |
| DrdsSmoothExpand | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Perform smooth scale-out |
| CreateReadOnlyAccount | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Create a read-only account |
| ModifyReadOnlyAccountPassword | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Change the password of a read-only account |
| RemoveReadOnlyAccount | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Delete a read-only account |
| DrdsShardTool | acs:drds:$regionid:$accountid:instance/$instanceid/db/$dbname | Use the shard change tool |
Alert management
Alert contact and group actions use the contacts/* wildcard and cannot be scoped to individual contacts. Alert rule actions operate at the instance level.
CreateAlarmRule and ModifyAlarmRule require the DescribeAlarmGroup permission to query alert contact groups.
| Action | Authorization rule | Description |
|---|---|---|
| DescribeAlarmContacts | acs:drds:$regionid:$accountid:contacts/* | List alert contacts |
| AddAlarmContacts | acs:drds:$regionid:$accountid:contacts/* | Add an alert contact |
| ModifyAlarmContacts | acs:drds:$regionid:$accountid:contacts/* | Modify an alert contact |
| RemoveAlarmContacts | acs:drds:$regionid:$accountid:contacts/* | Delete an alert contact |
| DescribeAlarmGroup | acs:drds:$regionid:$accountid:contacts/* | List alert contact groups |
| AddAlarmGroup | acs:drds:$regionid:$accountid:contacts/* | Add an alert contact group |
| ModifyAlarmGroup | acs:drds:$regionid:$accountid:contacts/* | Modify an alert contact group |
| RemoveAlarmGroup | acs:drds:$regionid:$accountid:contacts/* | Delete an alert contact group |
| DescribeAlarmRule | acs:drds:$regionid:$accountid:instance/$instanceid | List alert rules |
| CreateAlarmRule | acs:drds:$regionid:$accountid:instance/$instanceid | Create an alert rule |
| ModifyAlarmRule | acs:drds:$regionid:$accountid:instance/$instanceid | Modify an alert rule |
| RemoveAlarmRule | acs:drds:$regionid:$accountid:instance/$instanceid | Delete an alert rule |
| DescribeAlarmHistory | acs:drds:$regionid:$accountid:instance/$instanceid | Query alert history |
Regions that support RAM
RAM authorization is supported in the following regions. Use the Region ID value as $regionId in your authorization rules.
| Region ID | Region name |
|---|---|
| cn-hangzhou | China (Hangzhou) |
| cn-shenzhen | China (Shenzhen) |
| cn-shanghai | China (Shanghai) |
| cn-qingdao | China (Qingdao) |
| cn-beijing | China (Beijing) |
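
A policy lint built from the authorization rules tables and the alert rule note above, as an added example (not Alibaba Cloud code): it flags resources broader than the narrowest scope listed for an action, regions outside the supported list, and alert rule actions granted without DescribeAlarmGroup. The `drds:` action prefix and the `Version`/`Statement`/`Effect` policy layout are assumptions taken from the general RAM policy format; the action subset, `lint_policy`, and the sample policy are constructed for illustration.

```python
import re

# Narrowest scope per action, from this page's tables (subset of actions).
INSTANCE = re.compile(r"^instance/[^/*]+$")
DB = re.compile(r"^instance/[^/*]+/db/[^/*]+$")
CONTACTS = re.compile(r"^contacts/\*$")
SCOPE = {
    "DescribeDrdsInstance": INSTANCE, "RemoveDRDSInstance": INSTANCE,
    "CreateAlarmRule": INSTANCE, "ModifyAlarmRule": INSTANCE,
    "DescribeDrdsDb": DB, "DeleteDrdsDb": DB, "ExecuteDDL": DB, "DescribeAlarmGroup": CONTACTS,
}
REGIONS = {"cn-hangzhou", "cn-shenzhen", "cn-shanghai", "cn-qingdao", "cn-beijing"}
ARN = re.compile(r"^acs:drds:([^:]+):([^:]+):(.+)$")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy):
    """Check every (action, resource) pair of each Allow statement; return findings."""
    findings, allowed = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: actions are written "drds:<Action>"; strip the prefix.
        actions = [a.split(":", 1)[-1] for a in as_list(stmt.get("Action", []))]
        allowed.update(actions)
        findings += [f"wildcard action: {a}" for a in actions if "*" in a]
        for res in as_list(stmt.get("Resource", [])):
            m = ARN.match(res)
            if not m:
                findings.append(f"malformed resource: {res}")
                continue
            if m.group(1) not in REGIONS:
                findings.append(f"region not in supported list: {m.group(1)}")
            for act in actions:
                want = SCOPE.get(act)
                if want and not want.match(m.group(3)):
                    findings.append(f"{act}: {m.group(3)} is not the narrowest listed scope")
    # Dependency stated on this page for alert rules.
    if allowed & {"CreateAlarmRule", "ModifyAlarmRule"} and "DescribeAlarmGroup" not in allowed:
        findings.append("alert rule action granted without DescribeAlarmGroup")
    return findings

# Constructed sample policy: database wildcard plus a missing alert dependency.
BASE = "acs:drds:cn-hangzhou:123456789012:instance/drds-abc123"
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["drds:DescribeDrdsDb", "drds:ExecuteDDL"], "Resource": BASE + "/db/*"},
    {"Effect": "Allow", "Action": "drds:CreateAlarmRule", "Resource": BASE},
]}
```

`lint_policy(SAMPLE)` returns three findings: one each for DescribeDrdsDb and ExecuteDDL on the `db/*` wildcard, and one for the missing DescribeAlarmGroup grant.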