Realtime Compute for Apache Flink:Grant permissions to a RAM user

Last Updated: Dec 21, 2023

When you use a RAM user or a RAM role to access the Realtime Compute for Apache Flink console and perform operations such as purchasing, viewing, or deleting a workspace, the RAM user or RAM role must have the required permissions. This topic describes the RAM policy types that are supported by Realtime Compute for Apache Flink and how to grant permissions to a RAM user.

Policy types

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.

RAM supports the following two types of policy:

  • System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify the policies. For more information about the system policies that are supported by Realtime Compute for Apache Flink, see System policies.

  • Custom policy: You can create, update, and delete custom policies to meet your business requirements. For more information about the custom policies that are supported by Realtime Compute for Apache Flink, see Custom policies.

Procedure

You can attach a policy to a RAM user or RAM role to grant the RAM user or RAM role the access permissions in the policy. This topic describes how to grant permissions to a RAM user. The operations for granting permissions to a RAM role are similar to the operations for granting permissions to a RAM user. For more information, see Grant permissions to a RAM role.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, configure the parameters. The following list describes the parameters.

    • Authorized Scope. Valid values:

      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect for a specific resource group.

    • Principal: The RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify another RAM user.

    • Select Policy. Valid values:

      • System Policy: For more information about the system policies that are supported by fully managed Flink, see System policies.

      • Custom Policy: For more information about how to create a custom policy, see Create a custom policy. For more information about the custom policies that are supported by fully managed Flink, see Custom policies. The following sample policy document allows a RAM user to view the information about all workspaces.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "stream:DescribeVvpInstances",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
  5. Click OK.

  6. Click Complete.

System policies

  • AliyunStreamFullAccess: All permissions on Realtime Compute for Apache Flink. Includes all permissions in Custom policies.

  • AliyunStreamReadOnlyAccess: Permissions to access Realtime Compute for Apache Flink in read-only mode. Includes all permissions that start with Describe and Query in Custom policies.

  • AliyunBSSOrderAccess: Permissions on Billing Management. Allows you to view and pay for orders in the Billing Management console.

Custom policies

Policies related to fully managed Flink

Note

In a policy, Action indicates the operation that needs to be performed, Resource indicates the object on which the operation is performed, and Effect specifies whether to allow or deny the operation on the object. For more information about the syntax and structure of RAM policies, see Policy structure and syntax. You must replace the following parameters in a policy with the actual values:

  • {#regionId}: the ID of the region in which the desired fully managed Flink workspace resides.

  • {#accountId}: the ID of the Alibaba Cloud account.

  • {#instanceId}: the ID of the destination fully managed Flink workspace.

  • {#namespace}: the name of the desired namespace.

  • Policies related to fully managed Flink workspaces

    Permission

    Policy document

    Purchase a fully managed Flink workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:CreateVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
                "Effect": "Allow"
            }
        ]
    }

    View information about a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DescribeVvpInstances",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
                "Effect": "Allow"
            }
        ]
    }

    Release a pay-as-you-go workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DeleteVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Renew a subscription workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:RenewVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Scale a subscription workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpPrepayInstanceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Change the maximum quota of a pay-as-you-go workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpInstanceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Change the billing method of a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ConvertVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for creating a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryCreateVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for renewing a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryRenewVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for scaling a workspace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryModifyVvpPrepayInstanceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }

    Query the price for switching from the pay-as-you-go billing method to the subscription billing method

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:QueryConvertVvpInstance",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
                "Effect": "Allow"
            }
        ]
    }
  • Policies related to fully managed Flink namespaces

    Important

    Before you configure namespace permissions, you must configure the DescribeVvpInstances permission to view existing workspaces. Otherwise, an error is returned.

    Permission

    Policy document

    Create a namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:CreateVvpNamespace",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*",
                "Effect": "Allow"
            }
        ]
    }

    Delete a namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DeleteVvpNamespace",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
                "Effect": "Allow"
            }
        ]
    }

    Reconfigure resources for a subscription namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpPrepayNamespaceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
                "Effect": "Allow"
            }
        ]
    }

    Reconfigure resources for a pay-as-you-go namespace

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:ModifyVvpNamespaceSpec",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
                "Effect": "Allow"
            }
        ]
    }

    View the namespace list

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "stream:DescribeVvpNamespaces",
                "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*",
                "Effect": "Allow"
            }
        ]
    }
    Note

    After you configure the policy, you can click the icon to the left of the ID of the desired workspace to view the list of namespaces that are created in the workspace. If you want to log on to the console of fully managed Flink for a namespace, you must have the permissions to develop drafts in the namespace. For more information, see Authorize an account to perform operations in a namespace.
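The placeholder substitution and the two checks this section relies on (the DescribeVvpInstances prerequisite for namespace permissions, and the page's convention that Describe/Query actions are read-only while Delete/Modify/Renew/Convert are scoped to one {#instanceId}) as an added Python example; this is not the page's or the product's code, and the region, account, workspace and namespace values used in the test are constructed.

```python
import re

# Placeholders exactly as the page's policy templates write them: {#regionId}, {#accountId}, ...
PLACEHOLDER = re.compile(r"\{#(\w+)\}")

# Resource templates copied from the page's custom-policy tables (a representative subset).
TEMPLATES = {
    "stream:DescribeVvpInstances": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
    "stream:DeleteVvpInstance": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}",
    "stream:DescribeVvpNamespaces":
        "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*",
    "stream:DeleteVvpNamespace":
        "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}",
}

def render(resource, values):
    """Fill every {#name} placeholder; a placeholder left in an ARN matches no real resource."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value supplied for placeholder {#%s}" % name)
        return values[name]
    return PLACEHOLDER.sub(sub, resource)

def build_policy(actions, values):
    """Build an Allow policy for the listed stream: actions from the page's templates."""
    return {"Version": "1", "Statement": [
        {"Action": a, "Resource": render(TEMPLATES[a], values), "Effect": "Allow"}
        for a in actions]}

def is_read_only(action):
    # The page's read-only system policy covers the actions that start with Describe or Query.
    return action.split(":", 1)[1].startswith(("Describe", "Query"))

def lint_policy(policy):
    """Heuristic pre-attachment review; returns a list of findings (empty means clean)."""
    findings = []
    stmts = policy["Statement"]
    actions = {s["Action"] for s in stmts}
    # The page's namespace note: DescribeVvpInstances must be granted before namespace permissions work.
    if any("vvpnamespace" in s["Resource"] for s in stmts) \
            and "stream:DescribeVvpInstances" not in actions:
        findings.append("namespace permissions granted without stream:DescribeVvpInstances")
    for s in stmts:
        if PLACEHOLDER.search(s["Resource"]):
            findings.append("unresolved placeholder in " + s["Resource"])
        verb = s["Action"].split(":", 1)[1]
        # The page scopes Delete/Modify/Renew/Convert to one {#instanceId}; only Create needs /*.
        if not is_read_only(s["Action"]) and not verb.startswith("Create") \
                and s["Resource"].endswith("*"):
            findings.append(s["Action"] + " is allowed on a wildcard resource")
    return findings
```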

Permission operations on related services

ECS-related operations

Before you can access the console of fully managed Flink over the Internet, you must activate Elastic IP Address (EIP) by using your Alibaba Cloud account. Before you can access resources in a VPC, you must create elastic network interfaces (ENIs) in the VPC. The ENIs are added to the dedicated security group of fully managed Flink. In this case, fully managed Flink must have the operation permissions on the EIP, security group, and ENIs.

  • ecs:AssociateEipAddress: Applies for an EIP so that fully managed Flink can be accessed over the Internet.

  • ecs:AttachNetworkInterface: Allows fully managed Flink to bind your ENI to the resource pool of fully managed Flink.

  • ecs:AuthorizeSecurityGroup: Allows fully managed Flink to add an inbound rule to the security group that it creates.

  • ecs:AuthorizeSecurityGroupEgress: Allows fully managed Flink to add an outbound rule to the security group that it creates.

  • ecs:CreateNetworkInterface: Allows fully managed Flink to create an ENI in your VPC and connect to your VPC.

  • ecs:CreateNetworkInterfacePermission: Allows fully managed Flink to bind your ENI.

  • ecs:CreateSecurityGroup: Allows fully managed Flink to create its dedicated security group.

  • ecs:DeleteNetworkInterface: Deletes the ENIs of the resources that are used in a task of fully managed Flink after the task is complete.

  • ecs:DeleteNetworkInterfacePermission: Allows fully managed Flink to unbind your ENI.

  • ecs:DeleteSecurityGroup: Allows fully managed Flink to delete the security group that it creates.

  • ecs:DescribeNetworkInterfacePermissions: Allows you to unbind your ENI from the resource pool of fully managed Flink.

  • ecs:DescribeNetworkInterfaces: Allows fully managed Flink to query ENIs.

  • ecs:DescribeSecurityGroupAttribute: Allows fully managed Flink to query the rules of a security group.

  • ecs:DescribeSecurityGroupReferences: Allows fully managed Flink to query security groups and security group-level authorization.

  • ecs:DescribeSecurityGroups: Allows fully managed Flink to query basic information about the created security groups.

  • ecs:DetachNetworkInterface: Allows fully managed Flink to unbind your ENI from the resource pool of fully managed Flink.

  • ecs:JoinSecurityGroup: Allows fully managed Flink to add ENIs to the specified security group.

  • ecs:LeaveSecurityGroup: Allows fully managed Flink to remove ENIs from the specified security group.

  • ecs:ModifyNetworkInterfaceAttribute: Allows fully managed Flink to modify information about an ENI, such as its name, description, and the security group to which it belongs.

  • ecs:ModifySecurityGroupAttribute: Allows fully managed Flink to change the name or description of a security group.

  • ecs:ModifySecurityGroupPolicy: Allows fully managed Flink to modify the access control policy within the security group.

  • ecs:ModifySecurityGroupRule: Allows fully managed Flink to modify the descriptions of security group inbound rules.

  • ecs:RevokeSecurityGroup: Allows fully managed Flink to delete a security group inbound rule.

  • ecs:RevokeSecurityGroupEgress: Allows fully managed Flink to delete a security group outbound rule.

  • ecs:UnassociateEipAddress: Allows fully managed Flink to release EIPs.

OSS-related operations

Before you can query OSS buckets, you must obtain the permissions on Object Storage Service (OSS) resources.

  • oss:ListBuckets: Allows fully managed Flink to query OSS buckets.

  • oss:GetBucketInfo: Queries the statistics about a bucket.

  • oss:GetObjectMetadata: Obtains the metadata of an object.

  • oss:GetObject: Obtains an object.

  • oss:ListObjects: Lists the information about all objects in a bucket.

  • oss:PutObject: Uploads an object.

  • oss:CopyObject: Copies objects that are stored in the same bucket or in different buckets in the same region.

  • oss:CompleteMultipartUpload: Completes the multipart upload of an object after all parts of the object are uploaded.

  • oss:AbortMultipartUpload: Cancels a multipart upload task and deletes the uploaded parts.

  • oss:InitiateMultipartUpload: Initiates a multipart upload task. This is required before data is transmitted in multipart upload mode.

  • oss:UploadPartCopy: Copies data from an existing object and uploads it as a part of the object.

  • oss:UploadPart: Uploads a part of an object based on the specified object name and upload ID.

  • oss:DeleteObject: Deletes an object.

  • oss:PutBucketCors: Configures CORS rules for a bucket.

  • oss:GetBucketCors: Queries the CORS rules configured for a bucket.

  • oss:PutBucket: Creates a bucket.

Note

If you use the Key Management Service (KMS) encryption capability of OSS, you must attach KMS-related policies to the AliyunStreamAsiDefaultRole role. For more information, see Upload an object to a bucket for which the default encryption method is configured.

ARMS-related operations

Application Real-Time Monitoring Service (ARMS) is activated for you. The metrics of deployments in fully managed Flink are stored in ARMS.

  • arms:ListDashboards: Queries ARMS dashboards.

  • arms:CreateContact: Creates a contact.

  • arms:DeleteContact: Deletes a contact.

  • arms:SearchContact: Queries a contact.

  • arms:UpdateContact: Updates a contact.

  • arms:CreateContactGroup: Creates a contact group.

  • arms:DeleteContactGroup: Deletes a contact group.

  • arms:SearchContactGroup: Queries a contact group.

  • arms:UpdateContactGroup: Updates a contact group.

  • arms:SearchAlertRules: Queries one or more alert rules.

  • arms:CreateAlertRules: Creates one or more alert rules.

  • arms:UpdateAlertRules: Updates one or more alert rules.

  • arms:DeleteAlertRules: Deletes one or more alert rules.

  • arms:StartAlertRule: Enables an alert rule.

  • arms:StopAlertRule: Disables an alert rule.

  • arms:SearchAlarmHistories: Views historical alert information.

  • arms:OpenArmsService: Activates the ARMS service.

  • arms:CreateWebhook: Creates a webhook.

  • arms:UpdateWebhook: Updates a webhook.

  • arms:CreateDispatchRule: Creates a dispatch rule.

  • arms:ListDispatchRule: Queries dispatch rules.

  • arms:DeleteDispatchRule: Deletes a dispatch rule.

  • arms:UpdateDispatchRule: Updates a dispatch rule.

  • arms:DescribeDispatchRule: Queries details about a dispatch rule.

VPC-related operations

When you activate fully managed Flink, the Describe permission on resources in the virtual private cloud (VPC) in which fully managed Flink resides is required.

  • vpc:DescribeVpcAttribute: Allows fully managed Flink to query the configurations of the specified VPC.

  • vpc:DescribeVpcs: Allows fully managed Flink to query the created VPCs.

  • vpc:DescribeVSwitchAttributes: Allows fully managed Flink to query information about the specified vSwitch.

  • vpc:DescribeVSwitches: Allows fully managed Flink to query the created vSwitches.

  • vpc:DescribeRouteTableList: Allows fully managed Flink to query route tables.

  • vpc:DescribeRouteTables: Allows fully managed Flink to query the specified route table.

  • vpc:DescribeRouteEntryList: Allows fully managed Flink to query route entries in a route table.

  • vpc:DescribeRouterInterfaceAttribute: Allows fully managed Flink to query the configurations of the router interface.

  • vpc:DescribeRouterInterfaces: Allows fully managed Flink to query router interfaces.

  • vpc:DescribeVRouters: Allows fully managed Flink to query vRouters in the specified region.

  • vpc:CreateVpc: Creates a VPC.

  • vpc:CreateVSwitch: Creates a vSwitch.

RAM-related operations

When you activate fully managed Flink, you must have permissions on Resource Access Management (RAM) resources to configure the RAM resources.

  • ram:*: Allows you to add, remove, modify, and query RAM resources, such as domains and applications. This wildcard covers every RAM action, so grant it only to the principal that activates fully managed Flink.
