
ApsaraDB for SelectDB: Use resource groups to authorize users to access ApsaraDB for SelectDB instances

Last Updated: Jan 07, 2025

You can use resource groups to manage resources that belong to your Alibaba Cloud account. This helps simplify the resource and permission management of your Alibaba Cloud account. This topic describes the policies that are required for RAM users to use resource groups to access ApsaraDB for SelectDB instances.

If a RAM user wants to use resource groups to access ApsaraDB for SelectDB instances, the following policies must be attached to the RAM user:

  • System policies of ApsaraDB for SelectDB: Attach the AliyunSelectDBFullAccess or AliyunSelectDBReadOnlyAccess policy to the RAM user based on your business requirements. The AliyunSelectDBFullAccess policy grants management permissions, and the AliyunSelectDBReadOnlyAccess policy grants read-only permissions. For more information, see System policies for SelectDB.

  • Custom policies to query instances and regions and check service-linked roles. The custom policies support resource group-based authentication. For information about how to create a custom policy, see Create custom policies.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "selectdb:DescribeDBInstances",
                    "selectdb:DescribeRegions",
                    "selectdb:CheckServiceLinkedRole"
                ],
                "Resource": "*"
            }
        ]
    }
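
Before attaching a custom policy, a reviewer can check that it grants the three actions above on `"Resource": "*"` and nothing broader. The following Python check is an added example, not part of the Alibaba Cloud documentation; `audit_policy`, `REQUIRED` and the draft policy are hypothetical names and constructed data, and the evaluation is simplified as noted in the docstring.

```python
import json
from fnmatch import fnmatchcase

# The three actions granted by the custom policy on this page.
REQUIRED = (
    "selectdb:DescribeDBInstances",
    "selectdb:DescribeRegions",
    "selectdb:CheckServiceLinkedRole",
)

# Constructed sample: a broader draft a reviewer might be handed.
DRAFT_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "selectdb:Describe*", "Resource": "*"}
  ]
}"""

def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(document, required=REQUIRED):
    """Return (missing, extra) for one policy document (JSON text or dict).

    missing: required actions not allowed on Resource "*", or hit by a Deny
    extra:   Allow action patterns other than the required actions themselves
    Simplifications (assumptions): Condition and NotAction are not evaluated,
    and any matching Deny is treated as blocking regardless of its Resource.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    allowed, denied, extra = set(), set(), []
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        hit = {a for a in required if any(fnmatchcase(a, p) for p in patterns)}
        if stmt.get("Effect") == "Deny":
            denied |= hit
        elif stmt.get("Effect") == "Allow":
            if "*" in _as_list(stmt.get("Resource")):
                allowed |= hit
            extra += [p for p in patterns if p not in required]
    missing = [a for a in required if a not in allowed or a in denied]
    return missing, extra

if __name__ == "__main__":
    print(audit_policy(DRAFT_POLICY))
    # (['selectdb:CheckServiceLinkedRole'], ['selectdb:Describe*'])
```

An empty `missing` list with an empty `extra` list means the document matches the policy shown on this page.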