Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users within the permissions of an Alibaba Cloud account. Different RAM users can be granted different permissions to allow or deny access to specific cloud resources.
Background information
Alibaba Cloud accounts can create RAM users to perform specific tasks. RAM users cannot own or retain resources. All resources belong only to Alibaba Cloud accounts.
If you use a RAM user to create an AnalyticDB for MySQL cluster, only the RAM user and the corresponding Alibaba Cloud account can be used to access the cluster. If you want other RAM users to access this cluster, you must grant them the required permissions.
Scenarios
Assume that you use an Alibaba Cloud account to create an AnalyticDB for MySQL cluster and share your AccessKey pair with members of your organization who want to use the AnalyticDB for MySQL cluster.
If the AccessKey pair of your Alibaba Cloud account is shared by multiple users, the following risks exist:
Your AccessKey pair is highly prone to leaks.
You cannot control the operations that specific users can perform on the cluster. For example, a user may scale up or restart the cluster.
To prevent the preceding issues, you can create RAM users and grant only required permissions to each RAM user. These RAM users, instead of your Alibaba Cloud account, can be used to access or manage your AnalyticDB for MySQL cluster.
Implementation
To allow RAM users to access or manage your AnalyticDB for MySQL cluster, you must perform the following operations:
Create a RAM user
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, click Create User. On the Create User page, configure the Logon Name and Display Name parameters.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select Console Access or Using permanent AccessKey to access.
Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).
Using permanent AccessKey to access: If you select this access mode, an AccessKey pair is generated for the RAM user. Then, the RAM user can use other development tools to access your AnalyticDB for MySQL cluster.
To ensure account security, we recommend that you select only a single access mode for RAM users. This prevents RAM users from using their AccessKey pairs to access your AnalyticDB for MySQL cluster after the users leave your organization.
Click OK.
Grant permissions to a RAM user
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to grant permissions. Then, click Add Permissions in the Actions column.
In the Add Permissions panel, select System Policy and enter a policy name to search for the policy. Click the policy to add it to the right-side Selected Policy section.
Warning: Do not grant excessive permissions to users to prevent security risks or business loss.
You can attach the following policies to the RAM user:
For Data Warehouse Edition clusters:
AliyunADBReadOnlyAccess: allows the RAM user to access your Data Warehouse Edition cluster in read-only mode.
AliyunADBFullAccess: allows the RAM user to manage your Data Warehouse Edition cluster.
For Data Lakehouse Edition clusters:
AliyunADBReadOnlyAccess: allows the RAM user to access your Data Lakehouse Edition cluster in read-only mode.
AliyunADBFullAccess: allows the RAM user to manage your Data Lakehouse Edition cluster.
AliyunADBDeveloperAccess: allows the RAM user to perform development on your Data Lakehouse Edition cluster. Compared with the AliyunADBFullAccess policy, AliyunADBDeveloperAccess does not contain the permissions to create and delete clusters, change cluster configurations, or associate database accounts with RAM users.
Click OK.
After you grant permissions to the RAM user, you can use the RAM user to access or manage your AnalyticDB for MySQL cluster.
Create a policy
If you need to authorize RAM users to perform operations on a specific AnalyticDB for MySQL cluster, you must create a custom policy in the RAM console.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy. In this example, a policy that is used to manage AnalyticDB for MySQL clusters is created.
On the Create Policy page, click the JSON tab.
In the code editor, enter one of the following policy documents.
In the following example, a policy is created to allow RAM users to manage the am-xxx cluster:
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
            "Resource": "acs:adb:*:*:dbcluster/*",
            "Effect": "Allow"
        },
        {
            "Action": "adb:*",
            "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
            "Effect": "Allow"
        }
    ]
}
In the following example, a policy is created to allow RAM users to access the am-xxx cluster in read-only mode:
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
            "Resource": "acs:adb:*:*:dbcluster/*",
            "Effect": "Allow"
        },
        {
            "Action": "adb:Describe*",
            "Resource": ["acs:adb:*:*:dbcluster/am-xxx"],
            "Effect": "Allow"
        }
    ]
}
If the RAM user needs to manage multiple clusters or access multiple clusters in read-only mode, add the corresponding cluster IDs to the "Resource": ["acs:adb:*:*:dbcluster/am-xxx"] section of the policy. Example: "Resource": ["acs:adb:*:*:dbcluster/am-xxx", "acs:adb:*:*:dbcluster/am-yyy"]
After the policy is created, you must attach the policy to the specific RAM user.
Click OK.
Enter a policy name and a description and then click OK.
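The following added example (not code from the Alibaba Cloud documentation) builds the custom policy described above for any list of cluster IDs and checks, with a simplified evaluator, that a read-only policy permits Describe* calls on the named clusters but nothing on other clusters and no management actions. The evaluator is an assumed teaching model of RAM's Allow/Deny wildcard matching, not RAM's real policy engine, and the region and account ID in the usage are constructed placeholders.

```python
import fnmatch
import json

# Added example (not from the Alibaba Cloud docs): build the custom policy from
# the page for a list of AnalyticDB for MySQL cluster IDs and check, with a
# simplified evaluator, which actions it allows on which clusters. The
# evaluator is a teaching model of RAM policy matching, not RAM's real engine.

def build_policy(cluster_ids, read_only):
    """Return the page's custom policy, scoped to the given cluster IDs."""
    cluster_action = "adb:Describe*" if read_only else "adb:*"
    return {
        "Version": "1",
        "Statement": [
            {   # listing clusters needs permission on all dbcluster resources
                "Action": ["adb:DescribeDBClusters", "adb:ListTagResources"],
                "Resource": "acs:adb:*:*:dbcluster/*",
                "Effect": "Allow",
            },
            {   # every other action is limited to the named clusters
                "Action": cluster_action,
                "Resource": [f"acs:adb:*:*:dbcluster/{cid}" for cid in cluster_ids],
                "Effect": "Allow",
            },
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified evaluation: a request is allowed if some Allow statement
    matches both the action (case-insensitive wildcard) and the resource,
    and no Deny statement matches it."""
    allowed = False
    for st in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    print(json.dumps(build_policy(["am-xxx", "am-yyy"], read_only=True), indent=2))
```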
References
For an AnalyticDB for MySQL Enterprise Edition, Basic Edition, and Data Lakehouse Edition cluster, you can associate a standard database account with a RAM user and perform database development in the SQL or Spark editor of the AnalyticDB for MySQL console. For more information, see Associate or disassociate a database account with or from a RAM user.
If a RAM user no longer requires specific permissions or if the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user and Delete a RAM user.