Read-only RAM policies cover only Describe* query operations. Because downloading backup files requires CreateDownload — a write operation — read-only users cannot download backups by default. To grant download access without giving full database permissions, create a custom policy with the two required actions and attach it to the RAM user.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with administrative access to Resource Access Management (RAM)
An existing RAM user with read-only permissions
How it works
The Advanced Download feature uses RAM policy management for authentication. To let a RAM user download backup files, create a custom policy that grants dbs:CreateDownload and dbs:DescribeDBInstanceDownloadSize, then attach it to the RAM user.
If the RAM user cannot create or query Advanced Download tasks, verify that the AliyunDBSFullAccess policy is attached. For more information, see Grant permissions to a RAM user.
Grant download permissions to a RAM user
Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
Click Create Policy. On the page that appears, click the JSON tab and enter the following policy content, then click OK. The policy contains two statements: the first grants read access to RDS backup configurations; the second grants the two actions required to create download tasks and check download sizes.
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:Describe*",
"rds:ModifyBackupPolicy",
"rds:CheckRegionSupportBackupEncryption"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"dbs:CreateDownload",
"dbs:DescribeDBInstanceDownloadSize"
],
"Resource": "*"
}
],
"Version": "1"
}
In the Create Policy dialog box, configure Name and Description for the policy, then click OK.
In the left-side navigation pane, choose Permissions > Grants.
Click Grant Permission to attach the new policy to the RAM user. For more information, see Grant permissions to a RAM user.
Click Grant permissions.
Block access to advanced download URLs
If you want a RAM user to use Data Disaster Recovery but prevent them from retrieving download URLs for advanced downloads, create a custom policy with a Deny statement and attach it to the RAM user.
The following policy denies the action that returns download URLs, while leaving all other Data Disaster Recovery operations unaffected.
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": "dbs:DescribeDownloadBackupsetStorageInfo",
"Resource": "*"
}
]
}
After creating the custom policy, attach it to the RAM user. For more information, see Create custom policies and Grant permissions to a RAM user.
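To check how the download Allow policy and the download-URL Deny policy on this page combine before attaching them, here is an added Python example (not Alibaba Cloud code) that evaluates one API action against a set of RAM policy documents using the explicit-deny-overrides-allow rule. The Allow and Deny documents are copied from this page; FULL_ACCESS_STANDIN is a constructed stand-in for a broad dbs:* grant, not the real AliyunDBSFullAccess document, and Condition elements are ignored.

```python
import fnmatch

# Policy documents from this page, embedded here as sample input.
READ_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}

DOWNLOAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "rds:Describe*", "rds:ModifyBackupPolicy",
        "rds:CheckRegionSupportBackupEncryption"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "dbs:CreateDownload", "dbs:DescribeDBInstanceDownloadSize"]}]}

DENY_URL = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": "dbs:DescribeDownloadBackupsetStorageInfo"}]}

# Constructed stand-in for a broad DBS grant; NOT the real
# AliyunDBSFullAccess document, which this example does not reproduce.
FULL_ACCESS_STANDIN = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "dbs:*", "Resource": "*"}]}


def _as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match, e.g. 'rds:Describe*' matches 'rds:DescribeBackups'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Decide one API call against every attached policy document.

    Modelled order: an explicit Deny wins over any Allow, an Allow wins
    over silence, and an action no statement mentions is implicitly
    denied. Condition elements are ignored in this simplified model.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop immediately
            decision = "Allow"
    return decision
```

Evaluating the read-only policy alone against dbs:CreateDownload returns ImplicitDeny, which is exactly why a read-only RAM user cannot download backups until the second policy is attached.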