
ApsaraDB RDS:Grant a RAM user the read-only permissions on a specific ApsaraDB RDS instance

Last Updated:Mar 28, 2026

Resource Access Management (RAM) supports three methods for granting a RAM user read-only permissions on a specific ApsaraDB RDS instance: ARN-based authorization, resource group-based authorization, and tag-based authorization. Each method targets a different permission management scenario.

Perform all operations using your Alibaba Cloud account.

Prerequisites

Before you begin, ensure that you have:

Choose an authorization method

| Method | How it works | Best for |
| --- | --- | --- |
| ARN-based | Specifies individual instances by ARN in the policy | Single or a small number of specific instances |
| Resource group-based | Groups instances and grants permissions at the resource group scope | Multiple instances that share the same permission requirements |
| Tag-based | Applies permissions to all instances that carry a specific tag | Dynamic, business-property-driven permission management |

Method 1: ARN-based authorization

ARN-based authorization uses an Alibaba Cloud Resource Name (ARN) in the policy to target a specific instance. This gives you precise access control at the individual instance level. For details about policy elements, see Basic elements of an access policy.

Step 1: Create an access policy

  1. Log on to the RAM console.

  2. In the navigation pane, choose Permissions > Policies.

  3. Click Create Policy.

  4. Click the Visual editor tab or the JSON tab and configure the policy.

    Visual Editor

    1. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

    2. For Action, select the Describe-related permissions under Read action. You can search for Describe and select all related permissions.

      Important

      If you select too many permissions and the policy document exceeds the length limit, you can submit a ticket to increase the limit.

    3. For Resource, select Specified resource(s) and enter the ARN of the instance to which you want to grant permissions. Leave the Condition field empty. The ARN format for an RDS instance is:

      acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}

      For example, to target instance rm-bp1xxxxxxxxx in region cn-hangzhou under account 123456789012:

      acs:rds:cn-hangzhou:123456789012:dbinstance/rm-bp1xxxxxxxxx

    4. Click Add Statement. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

    5. Set Action to rds:DescribeDBInstances and Resource to All resource(s)(*). Leave Condition blank.

    This second statement lets the RAM user see the instance list. Without it, the user cannot navigate to the authorized instance in the console. It only exposes the list entries; details of an instance remain governed by the first statement, which names the single authorized ARN.

    JSON

    In the script editor, enter:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "rds:Describe*",
          "Resource": "acs:rds:*:*:dbinstance/Instance ID"
        },
        {
          "Effect": "Allow",
          "Action": "rds:DescribeDBInstances",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

    Replace Instance ID with the actual instance ID. The * wildcards in the region and account segments match any region and account; you can replace them with the instance's region ID and your account ID to state the scope explicitly, as in the ARN example above.

  5. Click OK. In the Create Policy dialog box, enter a Policy Name and Description, then click OK.

Step 2: Attach the policy to the RAM user

  1. In the navigation pane, choose Identities > Users.

  2. Find the target user and click Add Permissions in the Actions column.

  3. For Resource Scope, select the Account scope (the entire Alibaba Cloud account). The policy already limits instance access by ARN, so no resource group restriction is needed. In the Policy section, click Custom Policy, then search for and select the policy you created.

  4. Click Grant permissions.

Step 3: Verify as the RAM user

  1. Log on to the ApsaraDB RDS console as the RAM user. Select a region in the top navigation bar.

  2. Click the authorized instance to view its details.

With this method, the RAM user can see all instances in the list but can view details only for the authorized instance. Attempting to access an unauthorized instance shows an "insufficient permissions" message.

Method 2: Resource group-based authorization

Resource group-based authorization places the target instance in a dedicated resource group, then scopes the policy to that group when you attach it. All instances in the group inherit the same permissions in a single grant operation, and moving an instance into or out of the group changes its access accordingly.

Step 1: Create a resource group

  1. Log on to the Resource Management console. In the navigation pane, click Resource Group.

  2. Click Create Resource Group. Set the Resource Group Identifier and Resource Group Name, then click OK.

Step 2: Transfer the instance to the resource group

  1. Find the target instance in its current resource group. For example, if it is in the Default Resource Group, click Manage Resource in the Actions column for that group.

  2. Search for the instance by ID, select it, and click Transfer.

  3. In the Transfer Resource Group window, select the resource group you created, then click Confirm.

  4. In the success window, click Confirm.

The transfer is complete when the instance appears in the new resource group.

Step 3: Create an access policy

  1. Log on to the RAM console.

  2. In the navigation pane, choose Permissions > Policies.

  3. Click Create Policy.

  4. Click the Visual editor tab or the JSON tab and configure the policy.

    Visual Editor

    1. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

    2. For Action, select the Describe-related permissions under Read action. You can search for Describe and select all related permissions.

      Important

      If you select too many permissions and the policy document exceeds the length limit, you can submit a ticket to increase the limit.

    3. Set Resource to All resource(s)(*). Leave Condition blank. The policy document itself does not name the instance; the resource group you select under Resource Scope when attaching the policy provides the restriction.

    JSON

    In the script editor, enter:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "rds:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }

  5. Click OK. In the Create Policy dialog box, enter a Policy Name and Description, then click OK.

Step 4: Attach the policy to the RAM user

  1. In the navigation pane, choose Identities > Users.

  2. Find the target user and click Add Permissions in the Actions column.

  3. For Resource Scope, select the resource group you created. This step does the actual narrowing: the policy document allows rds:Describe* on every resource, so attaching it at the Account scope instead would give the user read access to all RDS instances in the account. In the Policy section, click Custom Policy, then search for and select the policy you created.

  4. Click Grant permissions.

Step 5: Verify as the RAM user

  1. Log on to the ApsaraDB RDS console as the RAM user. Select a region in the top navigation bar.

  2. Select the resource group you created (① in the figure) to see the target instance.

Method 3: Tag-based authorization

Tag-based authorization attaches a tag to the target instance and adds a tag condition to the policy. The policy applies only to instances that carry the specified tag, giving you flexible, metadata-driven permission management. Because access follows the tag, treat the ability to add or change tags on RDS instances as a privileged operation: any identity that can tag an instance with the key and value named in the condition extends this policy's read access to that instance.

Step 1: Attach a tag to the instance

  1. Go to the ApsaraDB RDS instance list. Select a region and find the target instance.

  2. In the Tags column, click the tag icon, then click Edit.

  3. Enter a tag key and tag value, then click OK. In this example, the tag key is test-ram and the tag value is rds-mysql. Use values that reflect your access control requirements.

The tag is attached when it appears in the Tags column.

Step 2: Create an access policy

  1. Log on to the RAM console.

  2. In the navigation pane, choose Permissions > Policies.

  3. Click Create Policy.

  4. Click the Visual editor tab or the JSON tab and configure the policy.

    Visual Editor

    1. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

    2. For Action, select the Describe-related permissions under Read action. You can search for Describe and select all related permissions.

      Important

      If you select too many permissions and the policy document exceeds the length limit, you can submit a ticket to increase the limit.

    3. Set Resource to All resource(s)(*). Click Add condition and set the condition parameters. Replace test-ram and rds-mysql with the tag key and tag value you attached to the instance in Step 1.

      | Parameter | Value |
      | --- | --- |
      | Key | rds:ResourceTag |
      | Operator | StringEquals |
      | Value | The tag key and tag value you attached in Step 1 |

    JSON

    In the script editor, enter:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "rds:Describe*"
          ],
          "Resource": [
            "*"
          ],
          "Condition": {
            "StringEquals": {
              "rds:ResourceTag/test-ram": [
                "rds-mysql"
              ]
            }
          }
        }
      ]
    }

  5. Click OK. In the Create Policy dialog box, enter a Policy Name and Description, then click OK.

Step 3: Attach the policy to the RAM user

  1. In the navigation pane, choose Identities > Users.

  2. Find the target user and click Add Permissions in the Actions column.

  3. For Resource Scope, select the Account scope (the entire Alibaba Cloud account). This method does not use a resource group; the tag condition in the policy restricts which instances it matches. In the Policy section, click Custom Policy, then search for and select the policy you created.

  4. Click Grant permissions.

Step 4: Verify as the RAM user

  1. Log on to the ApsaraDB RDS console as the RAM user. Select a region in the top navigation bar.

  2. Use Filter By Tag to filter by the tag attached in Step 1. The target instance appears in the list.
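To see how the three policies above differ in what they expose, the following Python script simulates the access decision for each of them against a small inventory. It is an added example, not Alibaba Cloud's own code or its policy evaluator: it models only the subset of RAM semantics used on this page (Effect=Allow statements, Action and Resource globs, a StringEquals condition on rds:ResourceTag/<key>, and the Resource Scope selected when the policy is attached). Explicit Deny, system policies and other condition keys are not modelled. The account ID, region, instance IDs, resource group IDs and tags are constructed sample data. The script covers Method 1 (ARN), Method 2 (resource group scope) and Method 3 (tag condition), including the two caveats mentioned above: attaching the resource group policy at the account level, and tagging another instance with the matching key and value.

```python
"""Simulate the access decisions of the three RAM policy styles on this page.

Added example, not Alibaba Cloud's own code. Only the subset of RAM policy
semantics used on this page is modelled; see the lead-in for what is omitted.
All identifiers below are constructed sample data.
"""
import copy
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"   # constructed
REGION_ID = "cn-hangzhou"

# Constructed inventory: resource group membership and tags per instance.
INSTANCES = {
    "rm-bp1aaaaaaaaa": {"resource_group": "rg-rds-readonly", "tags": {"test-ram": "rds-mysql"}},
    "rm-bp1bbbbbbbbb": {"resource_group": "rg-default", "tags": {}},
    "rm-bp1ccccccccc": {"resource_group": "rg-default", "tags": {"test-ram": "staging"}},
}
TARGET = "rm-bp1aaaaaaaaa"

# Method 1: ARN-based. The second statement only lets the user list instances.
POLICY_ARN = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:Describe*",
         "Resource": f"acs:rds:*:*:dbinstance/{TARGET}"},
        {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
    ],
}

# Method 2: resource group-based. The document is wide open; the resource group
# chosen under Resource Scope at attach time does the narrowing.
POLICY_RG = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": "*"}],
}

# Method 3: tag-based. The condition narrows "*" to instances carrying the tag.
POLICY_TAG = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"],
        "Condition": {"StringEquals": {"rds:ResourceTag/test-ram": ["rds-mysql"]}},
    }],
}


def instance_arn(instance_id):
    return f"acs:rds:{REGION_ID}:{ACCOUNT_ID}:dbinstance/{instance_id}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, tags):
    """Evaluate a Condition block; only StringEquals on rds:ResourceTag/<key> is modelled."""
    prefix = "rds:ResourceTag/"
    for key, wanted in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False  # unknown condition key: fail closed rather than guess
        if tags.get(key[len(prefix):]) not in _as_list(wanted):
            return False
    return True


def is_allowed(policy, action, instance_id, instances=INSTANCES, scope=None):
    """Return True if `action` on `instance_id` is allowed by `policy`.

    `scope` is the resource group ID selected under Resource Scope when the
    policy was attached; None means the Account scope.
    """
    inst = instances[instance_id]
    if scope is not None and inst["resource_group"] != scope:
        return False  # outside the attach scope the policy never applies
    arn = instance_arn(instance_id)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), inst["tags"]):
            continue
        return True
    return False


def readable_instances(policy, instances=INSTANCES, scope=None):
    """Instances whose details (rds:DescribeDBInstanceAttribute) the policy exposes."""
    return sorted(i for i in instances
                  if is_allowed(policy, "rds:DescribeDBInstanceAttribute", i, instances, scope))


def with_tag(instances, instance_id, key, value):
    """Copy of the inventory with one extra tag, to show how tagging changes access."""
    updated = copy.deepcopy(instances)
    updated[instance_id]["tags"][key] = value
    return updated


if __name__ == "__main__":
    print("ARN-based:", readable_instances(POLICY_ARN))
    print("Resource group-based, scoped to rg-rds-readonly:",
          readable_instances(POLICY_RG, scope="rg-rds-readonly"))
    print("Resource group-based, attached at Account scope:", readable_instances(POLICY_RG))
    print("Tag-based:", readable_instances(POLICY_TAG))
    print("Tag-based after tagging a second instance:",
          readable_instances(POLICY_TAG, with_tag(INSTANCES, "rm-bp1bbbbbbbbb", "test-ram", "rds-mysql")))
    print("Write action on the target under any of these policies:",
          is_allowed(POLICY_ARN, "rds:ModifyDBInstanceSpec", TARGET))
```

Running the script shows that each method exposes only rm-bp1aaaaaaaaa when used as described, that the resource group policy exposes every instance if attached at the Account scope, that adding the tag to rm-bp1bbbbbbbbb silently brings it into the tag policy, and that rds:Describe* never matches a write action such as rds:ModifyDBInstanceSpec.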

What's next

The RAM user now has read-only permissions on the specified ApsaraDB RDS instance. To grant additional permissions, repeat the steps above and add only the specific actions the user needs to the policy; keep the Resource, resource group scope or tag condition that limits the grant to the intended instance.