When you use a RAM user or a RAM role to access the Realtime Compute for Apache Flink console and perform operations such as purchasing, viewing, or deleting a workspace, the RAM user or RAM role must have the required permissions. This topic describes the RAM policy types that are supported by Realtime Compute for Apache Flink and how to grant permissions to a RAM user.
Policy types
A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.
RAM supports the following two types of policies:
System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify the policies. For more information about the system policies that are supported by Realtime Compute for Apache Flink, see System policies.
Custom policy: You can create, update, and delete custom policies to meet your business requirements. For more information about the custom policies that are supported by Realtime Compute for Apache Flink, see Custom policies.
Procedure
You can attach a policy to a RAM user or RAM role to grant the RAM user or RAM role the access permissions in the policy. This topic describes how to grant permissions to a RAM user. The operations for granting permissions to a RAM role are similar to the operations for granting permissions to a RAM user. For more information, see Grant permissions to a RAM role.
Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the parameters. The following table describes the parameters.
Parameter | Description |
Authorized Scope | Valid values: Alibaba Cloud Account: the authorization takes effect on all resources in the current Alibaba Cloud account. Specific Resource Group: the authorization takes effect only for the specified resource group. |
Principal | The RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify another RAM user. |
Select Policy | System Policy: for the system policies that are supported by fully managed Flink, see System policies. Custom Policy: for how to create a custom policy, see Create a custom policy; for the custom policies that are supported by fully managed Flink, see Custom policies. The following policy document allows a RAM user to view the information about all workspaces: |
{
  "Version": "1",
  "Statement": [
    {
      "Action": "stream:DescribeVvpInstances",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Click OK.
Click Complete.
System policies
Permission set | Policy | Description |
All permissions on Realtime Compute for Apache Flink | AliyunStreamFullAccess | Includes all permissions in Custom policies. |
Permissions to access Realtime Compute for Apache Flink in read-only mode | AliyunStreamReadOnlyAccess | Includes all permissions that start with Describe and Query in Custom policies. |
Permissions on Billing Management | AliyunBSSOrderAccess | Allows you to view and pay for orders in the Billing Management console. |
Custom policies
Policies related to fully managed Flink
In a policy, Action indicates the operation that needs to be performed, Resource indicates the object on which the operation is performed, and Effect specifies whether to allow or deny the operation on the object. For more information about the syntax and structure of RAM policies, see Policy structure and syntax. You must replace the following parameters in a policy with the actual values:
{#regionId}: the ID of the region in which the desired fully managed Flink workspace resides.
{#accountId}: the ID of the Alibaba Cloud account.
{#instanceId}: the ID of the destination fully managed Flink workspace.
{#namespace}: the name of the desired namespace.
Policies related to fully managed Flink workspaces
Permission | Policy document |
Purchase a fully managed Flink workspace | { "Version": "1", "Statement": [ { "Action": "stream:CreateVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*", "Effect": "Allow" } ] } |
View information about a workspace | { "Version": "1", "Statement": [ { "Action": "stream:DescribeVvpInstances", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*", "Effect": "Allow" } ] } |
Release a pay-as-you-go workspace | { "Version": "1", "Statement": [ { "Action": "stream:DeleteVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Renew a subscription workspace | { "Version": "1", "Statement": [ { "Action": "stream:RenewVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Scale a subscription workspace | { "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpPrepayInstanceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Change the maximum quota of a pay-as-you-go workspace | { "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpInstanceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Change the billing method of a workspace | { "Version": "1", "Statement": [ { "Action": "stream:ConvertVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Query the price for creating a workspace | { "Version": "1", "Statement": [ { "Action": "stream:QueryCreateVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*", "Effect": "Allow" } ] } |
Query the price for renewing a workspace | { "Version": "1", "Statement": [ { "Action": "stream:QueryRenewVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Query the price for scaling a workspace | { "Version": "1", "Statement": [ { "Action": "stream:QueryModifyVvpPrepayInstanceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Query the price for switching from the pay-as-you-go billing method to the subscription billing method | { "Version": "1", "Statement": [ { "Action": "stream:QueryConvertVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] } |
Policies related to fully managed Flink namespaces
Important: Before you configure namespace permissions, you must configure the DescribeVvpInstances permission so that the existing workspaces can be viewed. Otherwise, an error is returned.
Permission | Policy document |
Create a namespace | { "Version": "1", "Statement": [ { "Action": "stream:CreateVvpNamespace", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*", "Effect": "Allow" } ] } |
Delete a namespace | { "Version": "1", "Statement": [ { "Action": "stream:DeleteVvpNamespace", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}", "Effect": "Allow" } ] } |
Reconfigure resources for a subscription namespace | { "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpPrepayNamespaceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}", "Effect": "Allow" } ] } |
Reconfigure resources for a pay-as-you-go namespace | { "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpNamespaceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}", "Effect": "Allow" } ] } |
View the namespace list | { "Version": "1", "Statement": [ { "Action": "stream:DescribeVvpNamespaces", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*", "Effect": "Allow" } ] } |
Note: After you configure the policy, you can click the icon to the left of the ID of the desired workspace to view the list of namespaces that are created in the workspace. If you want to log on to the console of fully managed Flink for a namespace, you must have the permissions to develop drafts in the namespace. For more information, see Authorize an account to perform operations in a namespace.
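As an added example that is not part of this page or of Alibaba Cloud's own tooling, the following Python script fills the {#regionId}, {#accountId} and {#instanceId} placeholders from the tables above into a least-privilege namespace-operator policy (including the DescribeVvpInstances statement the Important note requires), refuses to emit a resource with an unfilled placeholder, and checks which action/resource pairs the resulting document allows. The sample IDs are constructed, and treating RAM's "*" wildcard as a glob "*" is an assumption.

```python
import json
import re
from fnmatch import fnmatchcase

# Matches the {#regionId}-style placeholders used in this page's policy documents.
PLACEHOLDER_RE = re.compile(r"\{#(\w+)\}")

def render_resource(pattern, **values):
    """Substitute placeholders; refuse to emit a resource with any left unfilled."""
    def sub(m):
        if m.group(1) not in values:
            raise KeyError(f"no value for placeholder {{#{m.group(1)}}}")
        return values[m.group(1)]
    return PLACEHOLDER_RE.sub(sub, pattern)

def build_policy(statements, **values):
    """Build a RAM policy document from (action, resource pattern) pairs."""
    return {"Version": "1", "Statement": [
        {"Action": a, "Resource": render_resource(r, **values), "Effect": "Allow"}
        for a, r in statements]}

def is_allowed(policy, action, resource):
    """True if an Allow statement matches and no Deny statement does.
    Assumption: RAM's '*' wildcard behaves like a glob '*' for these ARNs."""
    allowed = denied = False
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in ress):
            if st["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied

def namespace_operator_policy(**values):
    """Least-privilege policy to list and create namespaces in one workspace.
    DescribeVvpInstances on vvpinstance/* is needed first (see the Important note)."""
    return build_policy([
        ("stream:DescribeVvpInstances", "acs:stream:{#regionId}:{#accountId}:vvpinstance/*"),
        ("stream:DescribeVvpNamespaces", "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*"),
        ("stream:CreateVvpNamespace", "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*"),
    ], **values)

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    pol = namespace_operator_policy(regionId="cn-hangzhou", accountId="123456789012", instanceId="f-example")
    print(json.dumps(pol, indent=2))
```

Scoping the namespace statements to one {#instanceId} while leaving DescribeVvpInstances on vvpinstance/* is what keeps the grant narrow: the user can list workspaces but only operate inside the one you named.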
Permission operations on related services
ECS-related operations
OSS-related operations
ARMS-related operations
VPC-related operations
RAM-related operations
References
FAQ
If you want multiple users to use a fully managed Flink namespace to perform operations such as draft development and deployment O&M in the fully managed Flink console, you must grant permissions on the namespace to the users. For more information, see Authorize an account to perform operations in a namespace.
For more information about the differences between the permissions granted to a RAM user and the permissions on namespaces, see Permission management.
For more information about how to use different identities such as Alibaba Cloud accounts, RAM roles, and RAM users to access the Realtime Compute for Apache Flink console, see Supported logon methods.
For more information about the API operations related to RAM permission management, see Permission management.