
Database Autonomy Service:How do I use DAS as a RAM user?

Last Updated:Sep 14, 2023

You can use the Resource Access Management (RAM) console to grant a RAM user different permissions on Database Autonomy Service (DAS). This helps you grant fine-grained permissions and improve account security.

Use system policies to grant permissions to a RAM user

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Grant the RAM user permissions on DAS. For more information, see Grant permissions to RAM users.

Use custom policies to grant permissions to a RAM user

If the preceding method cannot meet your requirements, you can create custom policies to implement more fine-grained access control.

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy. For more information, see the Create a custom policy on the JSON tab section of the "Create a custom policy" topic.

  3. Attach the created custom policy to the RAM user. For more information, see Grant permissions to RAM users.

Use custom policies to grant a RAM user the permissions to use the search and export features in the SQL Explorer and Audit module

  1. Create a custom policy that grants the permissions to use the export feature. For more information, see the Create a custom policy on the JSON tab section of the "Create a custom policy" topic.

    • ApsaraDB RDS instances

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "rds:DescribeSQLLogRecordsList",
              "rds:DescribeSqlLogDetailArchiveStatus",
              "rds:StartSqlLogDetailArchive"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
      Note

      The preceding custom policy grants the RAM user the permissions to export the information about all ApsaraDB RDS instances. If you want to grant the RAM user the permissions to export the information about a specific ApsaraDB RDS instance, replace "Resource": "*" with "Resource": "acs:rds:*:*:dbinstance/<ApsaraDB RDS instance ID>".

    • PolarDB for MySQL clusters

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "polardb:DescribeSQLLogRecords",
              "polardb:DescribeSqlLogDetailArchiveStatus",
              "polardb:StartSqlLogDetailArchive"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
      Note

      The preceding custom policy grants the RAM user the permissions to export the information about all PolarDB for MySQL clusters. If you want to grant the RAM user the permissions to export the information about a specific PolarDB for MySQL cluster, replace "Resource": "*" with "Resource": "acs:polardb:*:*:dbcluster/<PolarDB for MySQL cluster ID>".

    • PolarDB-X 2.0 instances

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "hdm:DescribeDasSQLLogRecordsList",
              "hdm:DescribeDasSqlLogDetailArchiveStatus",
              "hdm:StartDasSqlLogDetailArchive"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
      Note

      The preceding custom policy grants the RAM user the permissions to export the information about all PolarDB-X 2.0 instances. If you want to grant the RAM user the permissions to export the information about a specific PolarDB-X 2.0 instance, replace "Resource": "*" with "Resource": "acs:polardbx:*:*:instance/<PolarDB-X 2.0 instance ID>".

  2. Attach the created custom policy to the RAM user. For more information, see Grant permissions to RAM users.

    Note

    If you want to export data in the console of a database service, make sure that the RAM user has the read-only permissions on the database service.

Sample custom policy

The following code provides an example on how to use a custom policy to grant a RAM user the read-only permissions on an ApsaraDB RDS instance:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "hdm:Get*",
                "hdm:Describe*",
                "hdm:Query*"
            ],
            "Resource": "acs:rds:*:*:dbinstance/<ApsaraDB RDS instance ID>",
            "Effect": "Allow"
        }
    ]
}
Note
  • Replace the instance ID with your actual one.

  • After the permissions are granted to the RAM user, the following message is displayed when you log on to the DAS console as the RAM user: You do not have permissions. Contact the Alibaba Cloud account administrator for authorization. In this case, click the Close icon to close the message. Append performance/instance/<Instance ID>/detail to the URL of the console and refresh the page. Then, the details page of the instance is displayed.

  • You can add related permissions on DAS to a custom policy of a database service. This way, you can use related DAS features in the console of the database service.

For different database instances, you must replace the Resource part in the sample custom policy based on your business requirements. Examples:

  • ApsaraDB RDS instances

    "Resource": "acs:rds:*:*:dbinstance/<ApsaraDB RDS instance ID>"
  • ApsaraDB for Redis instances

    "Resource": "acs:kvstore:*:*:*/<ApsaraDB for Redis instance ID>"
  • ApsaraDB for MongoDB instances

    "Resource": "acs:dds:*:*:dbinstance/<ApsaraDB for MongoDB instance ID>"
  • PolarDB for MySQL, PolarDB for PostgreSQL, and PolarDB for PostgreSQL (Compatible with Oracle) clusters

    "Resource": "acs:polardb:*:*:*/<PolarDB cluster ID>"
  • PolarDB-X 2.0 instances

    "Resource": "acs:polardbx:*:*:*/<PolarDB-X 2.0 instance ID>"
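The following Python script is an added example, not part of the DAS documentation or any Alibaba Cloud tool; it applies the guidance from the export-policy notes and the Resource list above by flagging Allow statements that grant the bare "*" Resource and rewriting them to the instance-specific form for a given service. The instance ID used is a constructed placeholder, and the patterns are the general forms from the list above.

```python
import copy

# Resource forms listed on this page, keyed by the ARN service prefix;
# {id} is replaced with the instance or cluster ID.
RESOURCE_PATTERNS = {
    "rds": "acs:rds:*:*:dbinstance/{id}",    # ApsaraDB RDS
    "kvstore": "acs:kvstore:*:*:*/{id}",     # ApsaraDB for Redis
    "dds": "acs:dds:*:*:dbinstance/{id}",    # ApsaraDB for MongoDB
    "polardb": "acs:polardb:*:*:*/{id}",     # PolarDB clusters
    "polardbx": "acs:polardbx:*:*:*/{id}",   # PolarDB-X 2.0
}

# Constructed sample: the page's ApsaraDB RDS export policy before scoping.
EXPORT_POLICY_RDS = {
    "Version": "1",
    "Statement": [{
        "Action": ["rds:DescribeSQLLogRecordsList",
                   "rds:DescribeSqlLogDetailArchiveStatus",
                   "rds:StartSqlLogDetailArchive"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

def _as_list(value):
    """RAM accepts Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy: dict) -> list:
    """One message per Allow statement whose Resource or Action is a bare '*'."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' covers every instance")
        if "*" in _as_list(st.get("Action", [])):
            findings.append(f"statement {i}: Action '*' covers every API operation")
    return findings

def scope_policy(policy: dict, service: str, instance_id: str) -> dict:
    """Copy the policy, replacing each bare Resource '*' with the instance ARN."""
    pattern = RESOURCE_PATTERNS[service]  # KeyError for an unknown service
    scoped = copy.deepcopy(policy)
    for st in scoped["Statement"]:
        res = [pattern.format(id=instance_id) if r == "*" else r
               for r in _as_list(st.get("Resource", []))]
        st["Resource"] = res[0] if len(res) == 1 else res
    return scoped
```

Run wildcard_findings on a policy before attaching it; an empty result means every Allow statement is bound to named resources and operations.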