
Authorization for RDS instances

Last Updated: Apr 20, 2018

Questions

View RDS permission definitions

See RDS resource authorization

Assign the RDS read-only permission to a RAM user

Create a RAM user in the RAM console and add the system authorization policy AliyunRDSReadOnlyAccess to the user. For more information about how to add an authorization policy, see Authorization.

Assign full RDS service management permissions to a RAM user

Add the system authorization policy AliyunRDSFullAccess to the RAM user in the RAM console.

Authorize a RAM user to manage two specified RDS instances

This requires a custom authorization policy.

For example, suppose you have two instances with the IDs i-001 and i-002.

First, you must create a custom authorization policy that includes permissions for managing i-001 and i-002 and viewing all RDS resources:

  {
    "Statement": [
      {
        "Action": "rds:*",
        "Effect": "Allow",
        "Resource": [
          "acs:rds:*:*:dbinstance/i-001",
          "acs:rds:*:*:dbinstance/i-002"
        ]
      },
      {
        "Action": "rds:Describe*",
        "Effect": "Allow",
        "Resource": "*"
      }
    ],
    "Version": "1"
  }

Then, attach the custom authorization policy to the RAM user.
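To check what the two-instance policy above actually grants before attaching it, the following added example (not part of the original documentation and not Alibaba Cloud code) evaluates sample requests against it and lists the grants that are not pinned to an instance ID. It assumes a simplified model (only `*` wildcards, default deny, explicit Deny wins, no conditions); the region, account ID, and requested action names are constructed sample inputs.

```python
import json
import re

# The two-instance policy from this page (i-001 / i-002 are the page's example IDs).
POLICY = json.loads("""{"Statement": [
  {"Action": "rds:*", "Effect": "Allow",
   "Resource": ["acs:rds:*:*:dbinstance/i-001", "acs:rds:*:*:dbinstance/i-002"]},
  {"Action": "rds:Describe*", "Effect": "Allow", "Resource": "*"}],
  "Version": "1"}""")

def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Only "*" is treated as a wildcard; everything else is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation (an assumption): default deny, explicit Deny beats Allow.
    Conditions and other policy elements are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"])) and
               any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def wildcard_grants(policy):
    """Return (action, resource) pairs from Allow statements whose resource ends in '*'."""
    return [(a, r) for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in _as_list(s["Action"]) for r in _as_list(s["Resource"])
            if r.endswith("*")]

# Constructed region and account ID, used only to form concrete resource names.
ARN = "acs:rds:cn-hangzhou:1234567890123456:dbinstance/{}"

if __name__ == "__main__":
    for action, inst in [("rds:RestartDBInstance", "i-001"),
                         ("rds:RestartDBInstance", "i-003"),
                         ("rds:DescribeDBInstances", "i-003")]:
        print(action, inst, is_allowed(POLICY, action, ARN.format(inst)))
    print("unscoped grants:", wildcard_grants(POLICY))
```

The same `wildcard_grants` check also flags the `acs:rds:*:*:*` resource used in the all-instances DMS login policy on this page.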

Access the content of the DMS management database as a RAM user

RAM users access ApsaraDB for RDS through DMS. The corresponding authorization action is dms:LoginDatabase.

Authorize the RAM user to log on to the specified RDS instance

Authorization policy example:

  {
    "Statement": [
      {
        "Action": "dms:LoginDatabase",
        "Effect": "Allow",
        "Resource": "acs:rds:*:*:dbinstance/rds783a0639ks5k7328y"
      }
    ],
    "Version": "1"
  }

Replace rds783a0639ks5k7328y with the ID of the RDS instance to be accessed.

Authorize the RAM user to log on to all RDS instances

Authorization policy example:

  {
    "Statement": [
      {
        "Action": "dms:LoginDatabase",
        "Effect": "Allow",
        "Resource": "acs:rds:*:*:*"
      }
    ],
    "Version": "1"
  }