All Products
Search

This Product

    ApsaraDB RDS:Grant a RAM user the read-only permissions on a specific ApsaraDB RDS instance

    Document Center

    ApsaraDB RDS:Grant a RAM user the read-only permissions on a specific ApsaraDB RDS instance

    Last Updated:Dec 02, 2025

    Resource Access Management (RAM) provides multiple methods for fine-grained authorization, such as ARN-based authorization, resource group-based authorization, and tag-based authorization. This topic provides examples of how to use these methods to grant a RAM user read-only permissions on a specific ApsaraDB RDS instance.

    Prerequisites

    A RAM user is created. For more information, see Create a RAM user.

    How to choose an authorization method

    • ARN-based authorization

      • Features: Allows you to grant read-only permissions to specific ApsaraDB RDS instances with high precision.

      • Scenarios: Suitable for fine-grained permission control over a single or a small number of specific ApsaraDB RDS instances.

      • Example: A specific database instance in a development environment.

    • Resource group-based authorization

      • Features: Allows you to group multiple ApsaraDB RDS instances. You can grant the same permissions to multiple ApsaraDB RDS instances in a resource group in a single operation.

      • Scenarios: Suitable for granting permissions in batches to a group of ApsaraDB RDS instances that have similar features.

      • Example: If multiple ApsaraDB RDS instances are in different regions or projects but require the same security policy, you can add these instances to a resource group. Then, you can grant read-only permissions to all instances in that group.

    • Tag-based authorization

      • Features: Allows you to dynamically grant permissions based on tag key-value pairs.

      • Scenarios: Suitable for flexible permission management of ApsaraDB RDS instances based on tags. This method is ideal for controlling permissions based on business properties or other metadata.

      • Example: Suppose you have multiple ApsaraDB RDS instances with different tags, such as env=prod, env=test, and project=finance. You can use tag-based authorization rules to allow certain users to access only the ApsaraDB RDS instances with specific tags. You do not need to configure permissions for each instance one by one.

    Procedure

    Note

    Perform the following operations using your Alibaba Cloud account.

    Method 1: ARN-based authorization

    With ARN-based authorization, you use an Alibaba Cloud Resource Name (ARN) in an access policy to specify the resources that you want to authorize. This provides precise access control over specific resources. For more information about the basic elements of an access policy, see Basic elements of an access policy.

    1. Create an access policy.

      1. Log on to the RAM console.

      2. In the navigation pane on the left, choose Permissions > Policies.

      3. Click Create Policy.

      4. Click the Visual editor tab or the JSON tab.

        Visual Editor

        1. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

        2. For Action, select the Describe-related permissions under Read action. You can search for Describe and select all related permissions.

          Important

          If you select too many permissions and the policy document exceeds the length limit, you can submit a ticket to increase the limit.

        3. For Resource, select Specified resource(s). The ARN is in the format acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}. This ARN defines the Resource as the instance to which you want to grant permissions. Leave the Condition field empty.

        4. Click Add Statement. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

        5. Set Action to rds:DescribeDBInstances. Set Resource to All resource(s)(*). Leave the Condition field empty.

        JSON

        In the script editor, enter the following content:

        {
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:Describe*",
      "Resource": "acs:rds:*:*:dbinstance/Instance ID"
    },
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

      5. Click OK. In the Create Policy dialog box, enter a Policy Name and Description. Confirm the policy content and click OK again.

    2. Attach the custom policy to the RAM user.

      1. In the navigation pane on the left, choose Identities > Users.

      2. Find the target user and click Add Permissions in the Actions column.

      3. For Resource Scope, select the resource group for this example. In the Policy section, click Custom Policy. Then, search for and select the policy that you created.

      4. Click Grant permissions.

    3. Log on to the ApsaraDB RDS console as the RAM user and view the instance.

      1. Go to the ApsaraDB RDS instance list. Select a region in the top navigation bar to view the instance list.

      2. Click the authorized instance to view its details.

        Note

        With this authorization method, the RAM user can see all instances in the instance list but can view the details of only the authorized instance. If the user tries to view other unauthorized instances, an "insufficient permissions" message is displayed.

    The configuration is complete. You have granted the RAM user read-only permissions on the specified ApsaraDB RDS instance. You can also grant other permissions to the RAM user as needed.

    Method 2: Resource group-based authorization

    With resource group-based authorization, you place the resources to be authorized into the same resource group. Then, when you grant permissions to a RAM user, you specify that resource group. This provides precise authorization for all resources within the group.

    1. Create a resource group.

      1. Log on to the Resource Management console. In the navigation pane on the left, click Resource Group.

      2. Click Create Resource Group. Set the Resource Group Identifier and Resource Group Name, and then click OK.

    2. Transfer the instance to the new resource group.

      1. Find the target instance in its current resource group. For example, if the target instance is in the Default Resource Group, click Manage Resource in the Actions column for that group.

      2. Search for the target instance by its instance ID. Select the instance and click Transfer.image

      3. In the Transfer Resource Group window, select the resource group that you created in Step 1, and then click Confirm.

      4. In the success window, click Confirm.

        The transfer is successful if you can see the target instance in the new resource group.

    3. Create an access policy.

      1. Log on to the RAM console.

      2. In the navigation pane on the left, choose Permissions > Policies.

      3. Click Create Policy.

      4. Click the Visual editor tab or the JSON tab.

        Visual Editor

        1. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

        2. For Action, select the Describe-related permissions under Read action. You can search for Describe and select all related permissions.

          Important

          If you select too many permissions and the policy document exceeds the length limit, you can submit a ticket to increase the limit.

        3. Set Resource to All resource(s)(*). Leave the Condition field empty.

        JSON

        In the script editor, enter the following content:

        {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

      5. Click OK. In the Create Policy dialog box, enter a Policy Name and Description. Confirm the policy content and click OK again.

    4. Attach the custom policy to the RAM user.

      1. In the navigation pane on the left, choose Identities > Users.

      2. Find the target user and click Add Permissions in the Actions column.

      3. For Resource Scope, select the resource group that you created. In the Policy section, click Custom Policy. Search for and select the policy that you created.

      4. Click Grant permissions.

    5. Log on to the ApsaraDB RDS console as the RAM user and view the instance.

      1. Go to the ApsaraDB RDS instance list and select a region in the top navigation bar.

      2. Select the resource group that you created in Step 1, as shown by ① in the following figure, to see the target instance.image

    The configuration is complete. You have granted the RAM user read-only permissions on the specified ApsaraDB RDS instance. You can also grant other permissions to the RAM user as needed.

    Method 3: Tag-based authorization

    With tag-based authorization, you attach the same tag to the resources that you want to authorize. When you create an access policy, the policy applies only to resources with that specific tag. This provides precise authorization for all resources that share the tag.

    1. Attach a custom tag to the ApsaraDB RDS instance.

      1. Go to the ApsaraDB RDS instance list. Select a region and find the target instance.

      2. In the Tags column, click the image icon, and then click Edit.image

      3. Set the tag key and tag value, and then click OK.

        In this example, the tag key is set to test-ram and the tag value is set to rds-mysql. When you configure the tag, use a meaningful key and value.

        The custom tag is attached successfully if you can see the tag in the Tags column, as shown in the following figure.image

    2. Create an access policy.

      1. Log on to the RAM console.

      2. In the navigation pane on the left, choose Permissions > Policies.

      3. Click Create Policy.

      4. Click the Visual editor tab or the JSON tab.

        Visual Editor

        1. Set Effect to Allow and Service to ApsaraDB RDS / RDS.

        2. For Action, select the Describe-related permissions under Read action. You can search for Describe and select all related permissions.

          Important

          If you select too many permissions and the policy document exceeds the length limit, you can submit a ticket to increase the limit.

        3. Set Resource to All resource(s)(*). Click Add condition. Set the Key, Operator, and Value.

          Note

          For the Condition parameters, the Key must be rds:ResourceTag, and the Operator must be StringEquals. For Value, enter the Tag Key and Tag Value that you attached to the ApsaraDB RDS instance in Step 1.

        JSON

        In the script editor, enter the following content:

        Note

        In the following script, test-ram and rds-mysql are examples. Replace them with the tag key and tag value that you attached to the ApsaraDB RDS instance in Step 1.

        {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "rds:ResourceTag/test-ram": [
            "rds-mysql"
          ]
        }
      }
    }
  ]
}

      5. Click OK. In the Create Policy dialog box, enter a Policy Name and Description. Confirm the policy content and click OK again.

    3. Attach the custom policy to the RAM user.

      1. In the navigation pane on the left, choose Identities > Users.

      2. Find the target user and click Add Permissions in the Actions column.

      3. For Resource Scope, select the resource group that you created for this example. In the Policy section, select Custom Policy. Search for and select the policy that you created.

      4. Click Grant permissions.

    4. Log on to the ApsaraDB RDS console as the RAM user and view the instance.

      1. Go to the ApsaraDB RDS instance list and select a region in the top navigation bar.

      2. Use the Filter By Tag feature to filter by the tag that you attached in Step 1. The target instance is displayed.image

    The configuration is complete. You have granted the RAM user read-only permissions on the specified ApsaraDB RDS instance. You can also grant other permissions to the RAM user as needed.