All Products
Search

This Product

    Resource Access Management:Use RAM to manage ApsaraDB RDS permissions

    Document Center

    Resource Access Management:Use RAM to manage ApsaraDB RDS permissions

    Last Updated:Feb 07, 2024

    This topic describes how to manage ApsaraDB RDS permissions of Resource Access Management (RAM) users. In the RAM console, you can create custom policies and attach them to the RAM users.

    Background information

    • Before you manage the ApsaraDB RDS permissions of RAM users, take note of the following system policies:

      • AliyunRDSFullAccess: grants a RAM user the permissions to manage ApsaraDB RDS instances.

      • AliyunRDSReadOnlyAccess: grants read-only permissions on ApsaraDB RDS instances.

      If the system policies cannot meet your business requirements, you can create custom policies.

    • Before you manage the ApsaraDB RDS permissions of RAM users, take note of the ApsaraDB RDS permissions. For more information, see Use RAM for resource authorization.

    Procedure

    1. Create a RAM user.

      For more information, see Create a RAM user.

    2. Create a custom policy.

      For more information, see Create custom policies and Policy examples.

    3. Attach the policy to the RAM user.

      For more information, see Grant permissions to RAM users.

    Policy examples

    • Example 1: Authorize a RAM user to manage two specified ApsaraDB RDS instances.

      To authorize a RAM user to manage the ApsaraDB RDS instances rm-abcdxxxx001 and rm-abcdxxxx002 in your Alibaba Cloud account, use the following sample script: 

      {
  "Statement": [
    {
      "Action": "rds:*",
      "Effect": "Allow",
      "Resource": [
                  "acs:rds:*:*:dbinstance/rm-abcdxxxx001",
                  "acs:rds:*:*:dbinstance/rm-abcdxxxx002"
                  ]
    },
    {
      "Action": "rds:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
      Note

      • The authorized RAM user can view all ApsaraDB RDS instances but can manage only the specified two ApsaraDB RDS instances.

      • The Describe* element is required in the policy. Otherwise, the authorized RAM user cannot view instances in the ApsaraDB RDS console. However, the RAM user can call API operations or use a CLI or SDK to manage the two specified ApsaraDB RDS instances.

    • Example 2: Authorize a RAM user to access Data Management (DMS).

      • To authorize a RAM user to log on to a specific ApsaraDB RDS instance, use the following sample script: 

        {
  "Statement": [
    {
      "Action": "dms:LoginDatabase",
      "Effect": "Allow",
      "Resource": "acs:rds:*:*:dbinstance/rds783a0639ks5k7****"
    }
  ],
  "Version": "1"
}
        Note

        You must replace rds783a0639ks5k7**** with the ID of the ApsaraDB RDS instance.

      • To authorize a RAM user to log on to all ApsaraDB RDS instances, use the following sample script: 

        {
  "Statement": [
    {
      "Action": "dms:LoginDatabase",
      "Effect": "Allow",
      "Resource": "acs:rds:*:*:*"
    }
  ],
  "Version": "1"
}