A Resource Access Management (RAM) user must be granted the AliyunClickHouseFullAccess permission before the RAM user follows instructions in the Quick Start tutorial to perform operations in the ApsaraDB for ClickHouse console, such as creating a cluster and creating an account. This topic describes how to use an Alibaba Cloud account to grant permissions to a RAM user. If you use an Alibaba Cloud account to log on to ApsaraDB for ClickHouse, skip this topic.
Prerequisites
An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, visit the Alibaba Cloud official website to create an account.
A RAM user is created. For more information, see Create a RAM user.
Procedure
Log on to the RAM console as a RAM administrator.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them in a single operation.
In the Grant Permission panel, grant the required permissions to the RAM user. The following table describes the parameters.
Parameter: Resource Scope
Description: Alibaba Cloud Account: The permissions take effect on all resources of the current Alibaba Cloud account.
Note: ApsaraDB for ClickHouse does not support Specific Resource Group.
Example: Alibaba Cloud Account
Parameter: Principal
Description: The RAM user to which you want to grant permissions. The system automatically sets this parameter to the current RAM user. You can also specify a different RAM user.
Example: ClickHouse***@1648821913965368.onaliyun.com
Parameter: Policy
Description: Policies are categorized into system policies and custom policies.
System Policy: Alibaba Cloud provides various default policies for different management purposes. ApsaraDB for ClickHouse uses the following system policies:
  AliyunClickHouseFullAccess: The user that is granted this permission can perform all operations on all resources in ApsaraDB for ClickHouse.
  AliyunClickHouseReadOnlyAccess: The user that is granted this permission can view a list of ApsaraDB for ClickHouse clusters and view database accounts.
ApsaraDB for ClickHouse depends on the following system policies of other services:
  AliyunVPCFullAccess: The user that is granted this permission can manage Virtual Private Cloud (VPC).
  You must select a VPC and a vSwitch when you create an ApsaraDB for ClickHouse cluster. If you do not have a VPC or vSwitch under your account, you must create one. We recommend that you grant this permission to your RAM user.
  AliyunARMSFullAccess: The user that is granted this permission can manage Application Real-time Monitoring Service (ARMS).
  The alerting feature of ApsaraDB for ClickHouse depends on the alerting service provided by ARMS. We recommend that you grant this permission to your RAM user.
Custom Policy: You can customize policies based on your business requirements. Custom policies are suitable for users who are familiar with the APIs of Alibaba Cloud services and require fine-grained control.
Note: You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
Example: AliyunClickHouseFullAccess, AliyunVPCFullAccess, AliyunARMSFullAccess
Click Grant Permissions.
Click Close.
In the left-side navigation pane, choose .
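To confirm the result of the procedure above, the following added example (not part of the original topic or of Alibaba Cloud's own tooling) audits the output of the RAM ListPoliciesForUser operation against the policies named in the table and builds the aliyun CLI calls for any that are missing. The sample response, the RAM user name clickhouse-ops and the report field names are constructed for illustration, and the "other broad grants" check is a name-based heuristic.

```python
import json
import shlex

# Policy names taken from the table on this page.
REQUIRED = {"AliyunClickHouseFullAccess"}
RECOMMENDED = {"AliyunVPCFullAccess", "AliyunARMSFullAccess"}

# Constructed sample of a RAM ListPoliciesForUser response (not real account data).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "CONSTRUCTED-REQUEST-ID",
    "Policies": {"Policy": [
        {"PolicyName": "AliyunClickHouseFullAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunVPCFullAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System"},
        {"PolicyName": "team-custom-policy", "PolicyType": "Custom"},
    ]},
})


def audit_user_policies(response_json):
    """Compare the system policies attached to a RAM user with this page's list."""
    policies = json.loads(response_json).get("Policies", {}).get("Policy", [])
    system = {p["PolicyName"] for p in policies if p.get("PolicyType") == "System"}
    extra = system - REQUIRED - RECOMMENDED
    return {
        "missing_required": sorted(REQUIRED - system),
        "missing_recommended": sorted(RECOMMENDED - system),
        # Heuristic by name only: broad grants this page does not ask for.
        "other_broad_grants": sorted(
            n for n in extra if n.endswith("FullAccess") or n == "AdministratorAccess"
        ),
    }


def attach_commands(user_name, policy_names):
    """Build aliyun CLI calls that attach the given system policies to the user."""
    return [
        "aliyun ram AttachPolicyToUser --PolicyType System "
        f"--PolicyName {shlex.quote(name)} --UserName {shlex.quote(user_name)}"
        for name in policy_names
    ]


if __name__ == "__main__":
    report = audit_user_policies(SAMPLE_RESPONSE)
    print(json.dumps(report, indent=2))
    # "clickhouse-ops" is a constructed RAM user name.
    missing = report["missing_required"] + report["missing_recommended"]
    for cmd in attach_commands("clickhouse-ops", missing):
        print(cmd)
```

In practice the input would be the JSON printed by aliyun ram ListPoliciesForUser --UserName followed by the RAM user name; anything listed under other_broad_grants was attached outside this procedure and is worth reviewing.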