Resource groups let you organize and manage Alibaba Cloud resources under a single account, and scope permissions to specific groups instead of granting access across the entire account. To allow a Resource Access Management (RAM) user to access ApsaraDB for SelectDB instances through resource groups, attach two types of policies to the RAM user.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account with RAM management permissions
A RAM user to grant access to
Required policies
System policy
Attach one of the following system policies based on the access level needed:
| Policy | Access level |
|---|---|
| AliyunSelectDBFullAccess | Full management permissions |
| AliyunSelectDBReadOnlyAccess | Read-only permissions |
For details on what each policy covers, see System policies for SelectDB.
Custom policy
Attach a custom policy that grants the RAM user permission to list instances, query available regions, and verify service-linked roles. These three actions support resource group-based authorization and are required for the RAM user to view and access SelectDB instances scoped to a resource group.
Create a custom policy with the following JSON. For steps to create a custom policy, see Create custom policies.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "selectdb:DescribeDBInstances",
        "selectdb:DescribeRegions",
        "selectdb:CheckServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}
```
The policy grants the following permissions:
| Action | Description |
|---|---|
| selectdb:DescribeDBInstances | Lists SelectDB instances visible to the RAM user |
| selectdb:DescribeRegions | Queries the regions where SelectDB is available |
| selectdb:CheckServiceLinkedRole | Verifies that the required service-linked role exists |
This custom policy enables resource group-based authorization for SelectDB. It does not grant permissions for instance operations such as creating, modifying, or deleting instances; those permissions are controlled by the system policy you attach. Keep the custom policy limited to these three discovery actions: because its Resource is "*", any instance-level action you add to it would apply to every SelectDB instance the policy can reach, not only to instances in the intended resource group.
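To make the split between the two policies concrete, the following added example (not Alibaba Cloud's code, and not part of this page) implements a simplified RAM policy evaluator and runs the custom policy above through it. It models only Effect, Action and Resource with "*" wildcards, the explicit-Deny-over-Allow rule and implicit deny; Condition elements and the authorization scope (account or resource group) you choose when attaching a policy are not modelled. The resource identifiers and every action name other than the three on this page are constructed placeholders for illustration.

```python
"""Simplified RAM policy evaluator (added example, not Alibaba Cloud's own logic)."""
import json
import re

# The custom policy from this page, verbatim.
CUSTOM_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "selectdb:DescribeDBInstances",
        "selectdb:DescribeRegions",
        "selectdb:CheckServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed resource identifiers; the exact ARN layout is assumed, not taken from the page.
INSTANCE_A = "acs:selectdb:cn-hangzhou:1234567890123456:dbinstance/selectdb-example-a"
INSTANCE_B = "acs:selectdb:cn-hangzhou:1234567890123456:dbinstance/selectdb-example-b"

# Hypothetical "extended" custom policy: adds an instance-level action with Resource "*".
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "selectdb:DeleteDBInstance", "Resource": "*"},
    ],
}

# Hypothetical guard policy: explicit Deny always wins over any Allow.
DENY_DELETE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": "selectdb:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    """RAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is matched literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action on one resource.

    Simplified model: explicit Deny overrides Allow; no matching Allow means implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            if stmt["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit-deny"


def audit_custom_policy():
    """What the page's custom policy does and does not grant, as an action -> result map."""
    checks = {
        "selectdb:DescribeDBInstances": INSTANCE_A,
        "selectdb:DescribeRegions": "*",
        "selectdb:CheckServiceLinkedRole": "*",
        "selectdb:CreateDBInstance": INSTANCE_A,   # placeholder action name
        "selectdb:DeleteDBInstance": INSTANCE_A,   # placeholder action name
    }
    return {action: evaluate([CUSTOM_POLICY], action, res) for action, res in checks.items()}


def overbroad_blast_radius():
    """Resource '*' on a write action reaches every instance, not one resource group."""
    policies = [CUSTOM_POLICY, OVERBROAD_POLICY]
    return {res: evaluate(policies, "selectdb:DeleteDBInstance", res)
            for res in (INSTANCE_A, INSTANCE_B)}


def guarded_result():
    """An explicit Deny on Delete* overrides the over-broad Allow."""
    policies = [CUSTOM_POLICY, OVERBROAD_POLICY, DENY_DELETE_POLICY]
    return evaluate(policies, "selectdb:DeleteDBInstance", INSTANCE_B)


if __name__ == "__main__":
    print(json.dumps(audit_custom_policy(), indent=2))
    print(json.dumps(overbroad_blast_radius(), indent=2))
    print(guarded_result())
```

Running the block shows the three Describe/Check actions allowed and the instance-level placeholders implicitly denied by the custom policy alone; adding a write action with Resource "*" allows it on both constructed instances, which is why such actions belong in the system policy attached with the resource group as its authorization scope rather than in this account-wide custom policy.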