RAM authorization supports multiple methods, such as Alibaba Cloud Resource Name (ARN)-based authorization, resource group-based authorization, and tag-based authorization, to implement fine-grained management. This topic describes how to grant a RAM user the read-only permissions on a specified RDS instance.
Prerequisites
A RAM user is created. For information about how to create a RAM user, see Create a RAM user.
Authorization methods
ARN-based authorization
Description: ARN-based authorization allows you to precisely assign read-only permissions to specific RDS instances.
Scenarios: suitable for fine-grained permission control for a single RDS instance or a small number of RDS instances.
Examples: a specific database instance in the development environment.
Resource group-based authorization
Description: Resource group-based authorization allows you to grant the same permissions on multiple RDS instances that are added to a resource group at a time.
Scenarios: suitable for granting permissions on RDS instances that have the same characteristics at a time.
Examples: If multiple RDS instances reside in different regions or projects but require the same security policy, you can add the RDS instances to a resource group and specify read-only permissions for all RDS instances in the resource group.
Tag-based authorization
Description: Tag-based authorization allows you to dynamically grant permissions based on the key and value of the tag that is added to your RDS instance.
Scenario: suitable for flexible permission management based on business attributes and metadata.
Examples: You create multiple RDS instances with different tags, such as env=prod, env=test, and project=finance. You can use tag-based authorization to allow specific users to access only the RDS instances with specific tags. You do not need to configure permissions for the RDS instances one by one.
Procedure
You must perform the following operations by using your Alibaba Cloud account.
Method 1: ARN-based authorization
ARN-based authorization indicates that a resource ARN is used to specify one or more objects to be authorized when you create a policy. This helps implement precise access control on specific resources. For more information about resource ARNs, see Policy elements.
Create a policy.
Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the page that appears, click Create Policy.
On the page that appears, click the Visual editor or JSON tab.
Visual editor
Set the Effect parameter to Allow and the Service parameter to ApsaraDB RDS.
Set the Action parameter to Select action(s). Then, add the Describe-related read actions. You can search for Describe and then select related actions.
Set the Resource parameter to Specified resource(s). The ARN is in the format of acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}. You must set the Resource parameter in the Add resource dialog box to the RDS instance to which you want to apply the policy. Leave the Condition parameter empty.
Click Add Statement. Set the Effect parameter to Allow and the Service parameter to ApsaraDB RDS.
Set the Action parameter to rds:DescribeDBInstances. Set the Resource parameter to All resource(s) and leave the Condition parameter empty.
JSON
Enter the following code snippet in the code editor:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds:Describe*",
            "Resource": "acs:rds:*:*:dbinstance/ID of the RDS instance"
        },
        {
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
Click OK. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the settings and click OK.
Attach the custom policy to a RAM user.
In the left-side navigation pane, choose Identities > Users.
Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
Set the Resource Scope parameter to the resource group that you created. In the Policy section, select Custom Policy from the drop-down list, search for the policy that you created, and select the policy.
Click Grant permissions.
Log on to the ApsaraDB RDS console as a RAM user and view the RDS instance.
Go to the Instances page. In the top navigation bar, select the region and view the RDS instances in the region.
Click the ID of the authorized RDS instance to view the information about the instance.
Note: When you use this authorization method, the RAM user can view all RDS instances on the Instances page, but can only view the information about the authorized instance. This is because rds:DescribeDBInstances is granted on all resources, whereas the other Describe actions are limited to the ARN of the authorized instance. If the RAM user tries to view an unauthorized instance, a message appears, indicating that the RAM user has insufficient permissions.
The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.
Method 2: Resource group-based authorization
Resource group-based authorization indicates that the resources to be authorized are added to a resource group. When you grant permissions to a RAM user, you can specify the resource group to which the authorized resources belong to implement precise access control for all resources in the specified resource group.
Create a resource group.
Log on to the Resource Management console. In the left-side navigation pane, choose Resource Group > Resource Group.
Click Create Resource Group. In the dialog box that appears, configure the Resource Group Identifier and Resource Group Name parameters and click OK.
Add the required RDS instance to the new resource group.
Find the resource group to which the required RDS instance is added. Then, click Manage Resource in the Actions column of the resource group. In this example, the required RDS instance is added to Default Resource Group.
Find the required RDS instance by instance ID, select the instance, and then click Transfer resource group.
In the Transfer Out panel, select the resource group that you created in Step 1 and click OK.
In the panel that appears, click OK.
If you find the required RDS instance in the created resource group, the resource group of the instance is transferred.
Create a policy.
Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the page that appears, click Create Policy.
On the page that appears, click the Visual editor or JSON tab.
Visual editor
Set the Effect parameter to Allow and the Service parameter to ApsaraDB RDS.
Set the Action parameter to Select action(s). Then, add the Describe-related read actions. You can search for Describe and then select related actions.
Set the Resource parameter to All resource(s) and leave the Condition parameter empty.
JSON
Enter the following code snippet in the code editor:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
Click OK. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the settings and click OK.
Attach the custom policy to a RAM user.
In the left-side navigation pane, choose Identities > Users.
Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
Set the Resource Scope parameter to the resource group that you created. In the Policy section, select Custom Policy from the drop-down list, search for the policy that you created, and select the policy.
Click Done.
Log on to the ApsaraDB RDS console as a RAM user and view the RDS instance.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides.
Select the resource group created in Step 1 to view the required RDS instance, as shown in the following figure.
The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.
Method 3: Tag-based authorization
Tag-based authorization indicates that a tag is added to the resources that need to be authorized. When you create a policy, the policy is applied only to the resources to which the tag is added. This way, you can implement precise access control on the resources.
Add custom tags to an RDS instance.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance.
In the Tags column, click the icon. Then, click Edit.
Configure the Tag Key and Tag Value parameters. Then, click OK.
In this example, the Tag Key parameter is set to test-ram and the Tag Value parameter is set to rds-mysql. We recommend that you set these parameters to meaningful values. If the tag is displayed in the Tags column, the custom tag is added to the RDS instance.
Create a policy.
Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the page that appears, click Create Policy.
On the page that appears, click the Visual editor or JSON tab.
Visual editor
Set the Effect parameter to Allow and the Service parameter to ApsaraDB RDS.
Set the Action parameter to Select action(s). Then, add the Describe-related read actions. You can search for Describe and then select related actions.
Set the Resource parameter to All resource(s). Click Add condition. In the dialog box that appears, configure the Key, Operator, and Value parameters.
Note: The value of the Key parameter is fixed as rds:ResourceTag. The value of the Operator parameter is fixed as StringEquals. The values of the Key and Value parameters must be the same as the values of the Tag Key and Tag Value parameters of the tag that is added to the RDS instance in Step 1.
JSON
Enter the following code snippet in the code editor:
Note: In the code snippet, test-ram and rds-mysql are used only for reference. You must replace these values with the values of the Tag Key and Tag Value parameters of the tag that is added to the RDS instance in Step 1.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:ResourceTag/test-ram": [
                        "rds-mysql"
                    ]
                }
            }
        }
    ]
}
Click OK. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the settings and click OK.
Attach the custom policy to a RAM user.
In the left-side navigation pane, choose Identities > Users.
Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
Set the Resource Scope parameter to the resource group that you created. In the Policy section, select Custom Policy from the drop-down list, search for the policy that you created, and select the policy.
Click Done.
Log on to the ApsaraDB RDS console as a RAM user and view the RDS instance.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides.
Use the Filter by Tag feature to search for the tag that is added to the RDS instance in Step 1 and view the RDS instance.
The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.
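The following script is an added example, not code from Alibaba Cloud or from this topic. It is a deliberately simplified model of how RAM evaluates the three policy styles above (ARN-based, resource group-based, and tag-based) so that you can check, before attaching a policy, which instances and actions a RAM user would be able to read. Assumptions: only Allow statements and the StringEquals operator on rds:ResourceTag/<key> are modelled (no Deny precedence); the Resource Scope chosen when attaching a policy is modelled as a resource-group filter; the instance IDs rm-example001 and rm-example002, the account ID 123456789012, the resource group names, and the actions rds:DescribeDBInstanceAttribute and rds:ModifyDBInstanceSpec used as probes are constructed for illustration.

```python
"""Simplified evaluator for the three RAM policy styles described in this topic.

Added example; assumptions: Allow-only statements, StringEquals on
rds:ResourceTag/<key> only, and the attach-time Resource Scope modelled as
a resource-group filter. Real RAM evaluation has more rules (e.g. explicit
Deny wins), so treat this as a pre-attachment sanity check, not an oracle.
"""
import fnmatch
import json
from dataclasses import dataclass, field


@dataclass
class RdsInstance:
    arn: str
    resource_group: str
    tags: dict = field(default_factory=dict)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # RAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, instance):
    # Only StringEquals on rds:ResourceTag/<key> is modelled here.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("rds:ResourceTag/"):
            return False
        tag_key = key.split("/", 1)[1]
        if instance.tags.get(tag_key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, instance, resource_scope=None):
    """Return True if `policy` grants `action` on `instance`.

    `resource_scope` models the Resource Scope chosen when the policy is
    attached: when set, the policy only applies to instances in that group.
    """
    if resource_scope is not None and instance.resource_group != resource_scope:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, instance.arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), instance):
            continue
        return True
    return False


# The three policies from this topic, with the placeholder instance ID
# replaced by the constructed ID rm-example001.
ARN_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "rds:Describe*",
   "Resource": "acs:rds:*:*:dbinstance/rm-example001"},
  {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"}]}""")
GROUP_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": "*"}]}""")
TAG_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"],
   "Condition": {"StringEquals": {"rds:ResourceTag/test-ram": ["rds-mysql"]}}}]}""")

# Constructed instances: one authorized (tagged, in the new resource group),
# one that the RAM user should not be able to read.
AUTHORIZED = RdsInstance("acs:rds:cn-hangzhou:123456789012:dbinstance/rm-example001",
                         "rg-readonly", {"test-ram": "rds-mysql"})
OTHER = RdsInstance("acs:rds:cn-hangzhou:123456789012:dbinstance/rm-example002",
                    "rg-default")

PROBE_ACTIONS = ("rds:DescribeDBInstances",        # list instances
                 "rds:DescribeDBInstanceAttribute",  # read one instance's details
                 "rds:ModifyDBInstanceSpec")         # a write action; must stay denied


def evaluate_all():
    """Evaluate each policy style against both instances and all probe actions."""
    cases = {"arn": (ARN_POLICY, None),
             "group": (GROUP_POLICY, "rg-readonly"),
             "tag": (TAG_POLICY, None)}
    results = {}
    for name, (policy, scope) in cases.items():
        for inst in (AUTHORIZED, OTHER):
            inst_id = inst.arn.rsplit("/", 1)[1]
            for action in PROBE_ACTIONS:
                results[(name, inst_id, action)] = is_allowed(policy, action, inst, scope)
    return results


if __name__ == "__main__":
    for (name, inst_id, action), ok in sorted(evaluate_all().items()):
        print(f"{name:5} {inst_id} {action:32} {'allow' if ok else 'deny'}")
```

Running the script reproduces the behaviour described in the note under Method 1: with the ARN-based policy, rds:DescribeDBInstances is allowed on rm-example002 as well (the instance shows up in the list), but rds:DescribeDBInstanceAttribute on it is denied, while the resource group-based and tag-based policies deny both actions on the instance outside the group or without the tag. The write action is denied in every case, which is the property a read-only grant must preserve.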