All Products
Search
Document Center

ApsaraDB RDS:Authorize a RAM user to manage ApsaraDB RDS instances

Last Updated:Jul 01, 2024

This topic describes how to authorize a RAM user to manage ApsaraDB RDS instances by using Resource Access Management (RAM).

Prerequisites

A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

Background information

You can grant the permissions to call API operations to RAM users. For example, if you grant a RAM user the permission to call the CreateDBInstance operation, the RAM user can create an RDS instance in the ApsaraDB RDS console.

The following procedure shows how to grant a RAM user the permission to check the information about RDS instances. The procedures to grant other permissions to a RAM user are similar.

Procedure

  1. Create a policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Select an edit mode.

      • Visual editor

        Parameter

        Description

        Effect

        Specify whether to grant the RAM user the permissions on an Alibaba Cloud service. Example: Allow.

        Service

        Select the Alibaba Cloud service on which you want to grant permissions to the RAM user. Example: rds/RDS.

        Action

        Select the actions on which you want to grant permissions to the RAM user. Valid values: All action(s) and Select action(s). If you select Select action(s), you need to select the actions in the All action(s) section and add them to the Selected action(s) section.

        Example: Read actions.

        选择操作

        Note

        We recommend that you add the DescribDBInstances read action. Otherwise, you cannot view the instance list.

        Resource

        Select the resources on which you want to grant permissions to the RAM user. Valid values: All resource(s) and Specified resource(s).

        If you select Specified resource(s), you need to add a resource based on the Alibaba Cloud Resource Name (ARN) format of the resource. To add a resource, click Add source on the right of the ARN format.

        Important

        The resource ARNs that are required for an action are tagged with Required. To ensure that the policy takes effect as expected, we recommend that you configure the resource ARNs that are tagged with Required.

        For example, acs:rds:*:{#accountId}:dbinstance/* is tagged with Required. If you do not configure this resource ARN, the RAM user cannot view instances in the instance list.

        • acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} is required and matches resources by region, account, and instance ID.

        • acs:rds:{#regionId}:{#accountId}:dbinstance/* matches resources by region and account.

        • acs:rds:*:{#accountId}:dbinstance/* is required and matches resources by account.

        • acs:rds:*:{#accountId}:dbinstance/{#dbinstanceId} is required and matches resources by account and instance ID.

        Note

        RAM authorization supports multiple methods, such as ARN, resource group-based authorization, and tag-based authorization, to implement fine-grained management. For example, you can grant a RAM user the read-only permissions on a specified RDS instance. For more information, see Grant a RAM user the read-only permissions on an ApsaraDB RDS instance.

        Condition

        Specify the limits on the permissions that you want to grant to the RAM user. For example, you can limit the source IP addresses from which the RAM user can log on. For more information, see Policy elements.

      • JSON

        Enter the following code snippet in the code editor:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "rds:Describe*",
                    "Resource": "*"
                }
            ]
        }
        Note

        The JSON mode is more efficient than the Visual editor mode. For example, in JSON mode, you can enter Describe* in the code editor to specify all API operations whose names start with Describe.

    5. Click Next to edit policy information.

    6. Configure the Name and Description parameters. Then, click OK.

  2. Attach the custom policy to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user. Then, click Add Permissions in the Actions column.

    3. In the Policy section, select Custom Policy from the drop-down list. Find and select the policy that you created, and then click OK.

    4. Click Grant permissions.

After the preceding steps are complete, you can log on to the ApsaraDB RDS console and check the information about RDS instances by using the credentials of the RAM user. You can also grant other permissions to a RAM user within your Alibaba Cloud account based on your business requirements.