If you want to use a RAM user to perform operations, such as purchasing resources or modifying resource configurations of fully managed Flink, you must grant the required permissions to the RAM user by using an Alibaba Cloud account. The RAM user can be used to access the Realtime Compute for Apache Flink console and perform operations in the console only after the RAM user is granted the required permissions by the Alibaba Cloud account. This topic describes how to authorize a RAM user to access the Realtime Compute for Apache Flink console and perform operations in the console.

Background information

Fully managed Flink provides the following policies for RAM users. You can select a policy for a RAM user based on your business requirements.
  • AliyunStreamFullAccess (system policy): This policy includes all permissions that are described in Permissions.
  • AliyunStreamReadOnlyAccess (system policy): This policy allows you to access the Realtime Compute for Apache Flink service in read-only mode. This policy includes only the following permissions that are described in Permissions: DescribeInstances, QueryCreateInstancePrice, QueryRenewInstancePrice, QueryModifyInstancePrice, QueryConvertPostpayInstancePrice, and DescribeNamespaces.
  • Custom policies: You can use a custom policy to grant one or more permissions to a RAM user. Custom policies implement flexible and fine-grained permission management.
Note
  • System policy: System policies are created by Alibaba Cloud. You can use these policies but cannot modify these policies. The updates of the policies are maintained by Alibaba Cloud.
  • Custom policy: You can create, update, and delete custom policies and maintain the updates of these policies.

Prerequisites

A RAM user is created. If you have not created a RAM user, follow the instructions provided in Create a RAM user to create a RAM user.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Specify Authorized Scope. Select Alibaba Cloud Account.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on a specific resource group.
    2. Specify Principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      • System policy
        On the System Policy tab, enter stream in the text box and click the name of the policy that you want to use.
      • Custom policy
        For more information about how to create a custom policy, see Create a custom policy. When you use a custom policy, you must replace the information in the table in Permissions with your own permission information. The following sample code provides the policy document that authorizes the RAM user to query the information about all clusters:
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "stream:DescribeVvpInstances",
                    "Resource": "acs:stream:cn-beijing:1838996687368452:vvpinstance/*",
                    "Effect": "Allow"
                }
            ]
        }
        Note: In the preceding policy, Action indicates the operation that needs to be performed and Resource indicates the object on which the operation is performed. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
  5. Click OK.
  6. Click Complete.

Permissions

Note: You must replace the following parameters in the policy with the actual values:
  • {#regionId}: the ID of the region in which the desired fully managed Flink instance resides.
  • {#accountId}: the ID of the Alibaba Cloud account.
  • {#instanceId}: the ID of the desired fully managed Flink instance.
  • {#namespace}: the name of the desired workspace.
The following list shows, for each item, the permissions and the configuration of Action and Resource for each permission.

Item: Fully managed Flink instance
  • Purchase a fully managed Flink instance
    Action: "stream:CreateVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/*"
  • Release a pay-as-you-go fully managed Flink instance
    Action: "stream:DeleteVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}"
  • Renew a fully managed Flink instance
    Action: "stream:RenewVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}"
  • Scale a fully managed Flink instance
    Action: "stream:ModifyVvpPrepayInstanceSpec"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}"
  • Change the billing method of a fully managed Flink instance
    Action: "stream:ConvertVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}"
  • View information of a fully managed Flink instance
    Action: "stream:DescribeVvpInstances"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/*"
  • Query the price for creating a fully managed Flink instance
    Action: "stream:QueryCreateVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/*"
  • Query the price for renewing a fully managed Flink instance
    Action: "stream:QueryRenewVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}"
  • Query the price for scaling a fully managed Flink instance
    Action: "stream:QueryModifyVvpPrepayInstanceSpec"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}"
  • Query the price for changing the billing method of a fully managed Flink instance from pay-as-you-go to subscription
    Action: "stream:QueryConvertVvpInstance"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}"

Item: Workspace
  • Create a workspace
    Action: "stream:CreateVvpNamespace"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*"
  • Delete a workspace
    Action: "stream:DeleteVvpNamespace"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}"
  • Modify workspace resources
    Action: "stream:ModifyVvpPrepayNamespaceSpec"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}"
  • View information of a workspace
    Action: "stream:DescribeVvpNamespaces"
    Resource: "acs:stream:*:{#accountId}:vvpnamespace/{#InstanceId}"
    Resource: "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*"
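
The placeholder replacement described in the note above can be scripted so that a custom policy never ships with an unfilled or widened Resource. The following Python sketch is an added example, not part of the original page or of Alibaba Cloud's tooling; the helper names, the rule that a placeholder value must be a single literal ID, and the sample instance and workspace names are assumptions.

```python
import json
import re

# Action -> Resource templates copied from the Permissions section of this page
# (a subset; the page spells the placeholder both {#instanceId} and {#InstanceId}).
TEMPLATES = {
    "stream:DescribeVvpInstances":
        "acs:stream:{#regionId}:{#accountId}:vvpinstance/*",
    "stream:RenewVvpInstance":
        "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}",
    "stream:ModifyVvpPrepayNamespaceSpec":
        "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}"
        "/vvpnamespace/{#namespace}",
}
PLACEHOLDER = re.compile(r"\{#(\w+)\}")


def render_resource(action, values):
    """Fill one Resource template; placeholder names match case-insensitively."""
    lookup = {k.lower(): v for k, v in values.items()}

    def fill(match):
        name = match.group(1)
        value = lookup.get(name.lower())
        if not value:
            raise ValueError(f"{action}: no value for {{#{name}}}")
        # Assumption: a value is one literal ID, so it cannot widen the scope.
        if "*" in value or "/" in value or ":" in value:
            raise ValueError(f"{action}: {{#{name}}} must be one literal ID")
        return value

    return PLACEHOLDER.sub(fill, TEMPLATES[action])


def build_policy(actions, values):
    """Return a policy document with one Allow statement per requested action."""
    statements = [
        {"Action": a, "Resource": render_resource(a, values), "Effect": "Allow"}
        for a in actions
    ]
    return {"Version": "1", "Statement": statements}


# Constructed sample values; the account ID is the one in the page's sample policy.
SAMPLE = {"regionId": "cn-beijing", "accountId": "1838996687368452",
          "instanceId": "example-instance-id", "namespace": "example-ns"}

if __name__ == "__main__":
    print(json.dumps(build_policy(list(TEMPLATES), SAMPLE), indent=4))
```

Requesting only `stream:DescribeVvpInstances` with the sample values reproduces the sample policy shown in the Procedure section.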