Use RAM to manage ApsaraDB RDS permissions - Resource Access Management

This topic describes how to manage ApsaraDB RDS permissions of Resource Access Management (RAM) users. In the RAM console, you can create custom policies and attach them to the RAM users.

Background information

Before you manage the ApsaraDB RDS permissions of RAM users, take note of the following system policies:
- AliyunRDSFullAccess: grants a RAM user the permissions to manage ApsaraDB RDS instances.
- AliyunRDSReadOnlyAccess: grants read-only permissions on ApsaraDB RDS instances.
If the system policies cannot meet your business requirements, you can create custom policies.
Before you manage the ApsaraDB RDS permissions of RAM users, take note of the ApsaraDB RDS permissions. For more information, see Use RAM for resource authorization.

Procedure

Create a RAM user.
For more information, see Create a RAM user.
Create a custom policy.
For more information, see Create a custom policy and Policy examples.
Attach the policy to the RAM user.
For more information, see Grant permissions to a RAM user.

Policy examples

Example 1: Authorize a RAM user to manage two specified ApsaraDB RDS instances.
To authorize a RAM user to manage the ApsaraDB RDS instances i-001 and i-002 in your Alibaba Cloud account, use the following sample script:
```
{
  "Statement": [
    {
      "Action": "rds:*",
      "Effect": "Allow",
      "Resource": [
                  "acs:rds:*:*:dbinstance/i-001",
                  "acs:rds:*:*:dbinstance/i-002"
                  ]
    },
    {
      "Action": "rds:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
Note
- The authorized RAM user can view all ApsaraDB RDS instances but can manage only the specified two ApsaraDB RDS instances.
- The Describe* element is required in the policy. Otherwise, the authorized RAM user cannot view instances in the ApsaraDB RDS console. However, the RAM user can manage the two specified ApsaraDB RDS instances by calling API operations or using the CLI or SDK.
Example 2: Authorize a RAM user to access Data Management (DMS).
- To authorize a RAM user to log on to a specific ApsaraDB RDS instance, use the following sample script:
```
{
  "Statement": [
    {
      "Action": "dms:LoginDatabase",
      "Effect": "Allow",
      "Resource": "acs:rds:*:*:dbinstance/rds783a0639ks5k7****"
    }
  ],
  "Version": "1"
}
```
  Note You must replace rds783a0639ks5k7**** with the ID of the ApsaraDB RDS instance.
- To authorize a RAM user to log on to all ApsaraDB RDS instances, use the following sample script:
```
{
  "Statement": [
    {
      "Action": "dms:LoginDatabase",
      "Effect": "Allow",
      "Resource": "acs:rds:*:*:*"
    }
  ],
  "Version": "1"
}
```