Grant permissions to a RAM user - Realtime Compute for Apache Flink

When you access the Realtime Compute for Apache Flink console as a Resource Access Management (RAM) user or by using a RAM role and perform operations such as purchasing, viewing, or deleting a workspace, the RAM user or RAM role must have the required permissions. This topic describes the RAM policy types that are supported by Realtime Compute for Apache Flink and how to grant permissions to a RAM user.

Policy types

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information about the policy elements, structure, and syntax, see Policy elements and Policy structure and syntax.

RAM supports the following two types of policy:

System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify the policies. For more information about the system policies that are supported by Realtime Compute for Apache Flink, see the System policies section of this topic.
Custom policy: You can create, update, and delete custom policies to meet your business requirements. For more information about the custom policies that are supported by Realtime Compute for Apache Flink, see the Custom policies section of this topic.

Procedure

You can attach a policy to a RAM user or RAM role to grant the RAM user or RAM role the access permissions in the policy. This section describes how to grant permissions to a RAM user. The operations for granting permissions to a RAM role are similar to the operations for granting permissions to a RAM user. For more information, see Grant permissions to a RAM role.

Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

In the Grant Permission panel, grant permissions to the RAM user.

Parameter	Description
Resource Scope	The scope of resources that you can access with the granted permissions. Valid values: Account: The permissions are granted to the current Alibaba Cloud account. ResourceGroup: The permissions are valid for a specific resource group.
Principal	The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify another RAM user.
Policy	System policy: For more information about the system policies that are supported by Realtime Compute for Apache Flink, see the System policies section of this topic. Custom policy: For more information about how to create a custom policy, see Create custom policies. For more information about the custom policies that are supported by Realtime Compute for Apache Flink, see the Custom policies section of this topic. The following sample code provides the document of a policy that allows a RAM user to view the information about all workspaces. `{ "Version": "1", "Statement": [ { "Action": "stream:DescribeVvpInstances", "Resource": "*", "Effect": "Allow" } ] }`

Click Grant permissions.
Click Close.

System policies

Permission set	Policy	Description
All permissions on Realtime Compute for Apache Flink	AliyunStreamFullAccess	Includes all permissions in Custom policies.
Permissions to access Realtime Compute for Apache Flink in read-only mode	AliyunStreamReadOnlyAccess	Includes all permissions that start with Describe and Query in Custom policies.
Permissions on Expenses and Costs	AliyunBSSOrderAccess	Allows you to view and pay for orders in the Expenses and Costs console.

Custom policies

Policies related to Realtime Compute for Apache Flink

Note

In a policy, Action indicates the operation that needs to be performed, Resource indicates the object on which the operation is performed, and Effect specifies whether to allow or deny the operation on the object. For more information about the syntax and structure of RAM policies, see Policy structure and syntax. You must replace the following parameters in a policy with the actual values:

{#regionId}: the ID of the region in which the Realtime Compute for Apache Flink workspace that you want to manage resides.
{#accountId}: the ID of the Alibaba Cloud account.
{#instanceId}: the ID of the Realtime Compute for Apache Flink workspace that you want to manage.
{#namespace}: the name of the namespace.

Policies related to Realtime Compute for Apache Flink workspaces

Permission	Policy document
Purchase a Realtime Compute for Apache Flink workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:CreateVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*", "Effect": "Allow" } ] }`
View information about a workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:DescribeVvpInstances", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*", "Effect": "Allow" } ] }`
Release a pay-as-you-go workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:DeleteVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] }`
Renew a subscription workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:RenewVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}", "Effect": "Allow" } ] }`
Scale a subscription workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpPrepayInstanceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] }`
Change the maximum quota of a pay-as-you-go workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpInstanceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}", "Effect": "Allow" } ] }`
Change the billing method of a workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:ConvertVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}", "Effect": "Allow" } ] }`
Query the price for creating a workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:QueryCreateVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/*", "Effect": "Allow" } ] }`
Query the price for renewing a workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:QueryRenewVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}", "Effect": "Allow" } ] }`
Query the price for scaling a workspace	`{ "Version": "1", "Statement": [ { "Action": "stream:QueryModifyVvpPrepayInstanceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}", "Effect": "Allow" } ] }`
Query the price for switching from the pay-as-you-go billing method to the subscription billing method	`{ "Version": "1", "Statement": [ { "Action": "stream:QueryConvertVvpInstance", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#InstanceId}", "Effect": "Allow" } ] }`

Policies related to Realtime Compute for Apache Flink namespaces

Important

Before you configure namespace permissions, you must configure the DescribeVvpInstances permission to view existing workspaces. Otherwise, an error is returned.

Permission	Policy document
Create a namespace	`{ "Version": "1", "Statement": [ { "Action": "stream:CreateVvpNamespace", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/*", "Effect": "Allow" } ] }`
Delete a namespace	`{ "Version": "1", "Statement": [ { "Action": "stream:DeleteVvpNamespace", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}", "Effect": "Allow" } ] }`
Change resources for a subscription namespace	`{ "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpPrepayNamespaceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}", "Effect": "Allow" } ] }`
Change resources for a pay-as-you-go namespace	`{ "Version": "1", "Statement": [ { "Action": "stream:ModifyVvpNamespaceSpec", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/{#namespace}", "Effect": "Allow" } ] }`
View the namespace list	`{ "Version": "1", "Statement": [ { "Action": "stream:DescribeVvpNamespaces", "Resource": "acs:stream:{#regionId}:{#accountId}:vvpinstance/{#instanceId}/vvpnamespace/", "Effect": "Allow" } ] }` Note* After you configure the policy, you can click the icon to the left of the ID of a specific workspace to view the list of namespaces that are created in the workspace. If you want to log on to the development console of a specific Realtime Compute for Apache Flink namespace, you must have the permission to develop drafts in the namespace. For more information, see Grant namespace permissions.

Permission operations on related services

ECS-related operations

Before you can access the development console of Realtime Compute for Apache Flink over the Internet, you must activate Elastic IP Address (EIP) by using your Alibaba Cloud account. Before you can access resources in a virtual private cloud (VPC), you must create elastic network interfaces (ENIs) in the VPC. The ENIs are added to the dedicated security group of Realtime Compute for Apache Flink. In this case, Realtime Compute for Apache Flink must have the operation permissions on the EIP, security group, and ENIs.

Action	Description
ecs:AssociateEipAddress	Applies for an EIP to access Realtime Compute for Apache Flink over the Internet.
ecs:AttachNetworkInterface	Binds your ENI to a resource pool in Realtime Compute for Apache Flink.
ecs:AuthorizeSecurityGroup	Creates a security group in Realtime Compute for Apache Flink and adds an inbound rule to the security group.
ecs:AuthorizeSecurityGroupEgress	Creates a security group in Realtime Compute for Apache Flink and adds an outbound rule to the security group.
ecs:CreateNetworkInterface	Creates an ENI in your VPC and connects Realtime Compute for Apache Flink to your VPC.
ecs:CreateNetworkInterfacePermission	Binds your ENI to Realtime Compute for Apache Flink.
ecs:CreateSecurityGroup	Creates a security group in Realtime Compute for Apache Flink.
ecs:DeleteNetworkInterface	Deletes the ENIs of the resources that are used in a task of Realtime Compute for Apache Flink after the task is complete.
ecs:DeleteNetworkInterfacePermission	Unbinds your ENI from Realtime Compute for Apache Flink.
ecs:DeleteSecurityGroup	Deletes a security group in Realtime Compute for Apache Flink.
ecs:DescribeNetworkInterfacePermissions	Unbinds your ENI from a serverless resource pool in Realtime Compute for Apache Flink.
ecs:DescribeNetworkInterfaces	Queries ENIs bound to Realtime Compute for Apache Flink.
ecs:DescribeSecurityGroupAttribute	Queries the security group rules of a security group in Realtime Compute for Apache Flink.
ecs:DescribeSecurityGroupReferences	Queries security groups and security group-level authorization in Realtime Compute for Apache Flink.
ecs:DescribeSecurityGroups	Queries basic information about the created security groups in Realtime Compute for Apache Flink.
ecs:DetachNetworkInterface	Unbinds your ENI from a resource pool in Realtime Compute for Apache Flink.
ecs:JoinSecurityGroup	Adds ENIs to a security group in Realtime Compute for Apache Flink.
ecs:LeaveSecurityGroup	Removes ENIs from a security group in Realtime Compute for Apache Flink.
ecs:ModifyNetworkInterfaceAttribute	Modifies information about an ENI, such as the name, the description, and the security group to which the ENI belongs.
ecs:ModifySecurityGroupAttribute	Modifies the name or description of a security group in Realtime Compute for Apache Flink.
ecs:ModifySecurityGroupPolicy	Modifies the access control policy within a security group in Realtime Compute for Apache Flink.
ecs:ModifySecurityGroupRule	Modifies the description of security group inbound rules in Realtime Compute for Apache Flink.
ecs:RevokeSecurityGroup	Deletes a security group inbound rule in Realtime Compute for Apache Flink.
ecs:RevokeSecurityGroupEgress	Deletes a security group outbound rule in Realtime Compute for Apache Flink.
ecs:UnassociateEipAddress	Releases EIPs that are used by Realtime Compute for Apache Flink.

OSS-related operations

Before you can query Object Storage Service (OSS) buckets, you must obtain the permissions on OSS resources.

Action	Description
oss:ListBuckets	Queries OSS buckets that are used by Realtime Compute for Apache Flink.
oss:GetBucketInfo	Queries the statistics about a bucket.
oss:GetObjectMetadata	Obtains the metadata of an object.
oss:GetObject	Obtains an object.
oss:ListObjects	Lists the information about all objects in a bucket.
oss:PutObject	Uploads an object.
oss:CopyObject	Copies objects that are stored in the same bucket or different buckets in the same region.
oss:CompleteMultipartUpload	Completes multipart upload of an object after all parts of the object are uploaded.
oss:AbortMultipartUpload	Cancels a multipart upload task and deletes the uploaded parts.
oss:InitiateMultipartUpload	Instructs OSS to initiate a multipart upload task before data is transmitted in multipart upload mode.
oss:UploadPartCopy	Copies data from an existing object and uploads a part of the object.
oss:UploadPart	Uploads an object by part based on the specified object name and upload ID.
oss:DeleteObject	Deletes an object.
oss:PutBucketcors	Configures cross-origin resource sharing (CORS) rules for a bucket.
oss:GetBucketCors	Queries the CORS rules configured for a bucket.
oss:PutBucket	Creates a bucket.

Note

If you use the Key Management Service (KMS) encryption capability of OSS, you must attach KMS-related policies to the AliyunStreamAsiDefaultRole role. For more information, see the Upload an object to a bucket for which an encryption method is configured section of the "Server-side encryption" topic.

ARMS-related operations

After you activate the Application Real-Time Monitoring Service (ARMS) service, the metrics of deployments in Realtime Compute for Apache Flink are stored in ARMS.

Action	Description
arms:ListDashboards	Queries ARMS dashboards.
arms:CreateContact	Creates a contact.
arms:DeleteContact	Deletes a contact.
arms:SearchContact	Queries a contact.
arms:UpdateContact	Updates a contact.
arms:CreateContactGroup	Creates a contact group.
arms:DeleteContactGroup	Deletes a contact group.
arms:SearchContactGroup	Queries a contact group.
arms:UpdateContactGroup	Updates a contact group.
arms:SearchAlertRules	Queries one or more alert rules.
arms:CreateAlertRules	Creates one or more alert rules.
arms:UpdateAlertRules	Updates one or more alert rules.
arms:DeleteAlertRules	Deletes one or more alert rules.
arms:StartAlertRule	Enables an alert rule.
arms:StopAlertRule	Disables an alert rule.
arms:SearchAlarmHistories	Queries historical alert information.
arms:OpenArmsService	Activates the ARMS service.
arms:CreateWebhook	Creates a webhook.
arms:UpdateWebhook	Updates a webhook.
arms:CreateDispatchRule	Creates a dispatch rule.
arms:ListDispatchRule	Queries dispatch rules.
arms:DeleteDispatchRule	Deletes a dispatch rule.
arms:UpdateDispatchRule	Updates a dispatch rule.
arms:DescribeDispatchRule	Queries details about a dispatch rule.

VPC-related operations

The Describe permission on resources in a VPC is required when you create a Realtime Compute for Apache Flink workspace.

Action	Description
vpc:DescribeVpcAttribute	Queries the configurations of a VPC.
vpc:DescribeVpcs	Queries the created VPCs.
vpc:DescribeVSwitchAttributes	Queries information about a vSwitch.
vpc:DescribeVSwitches	Queries the created vSwitches.
vpc:DescribeRouteTableList	Queries route tables.
vpc:DescribeRouteTables	Queries a route table.
vpc:DescribeRouteEntryList	Queries route entries in a route table.
vpc:DescribeRouterInterfaceAttribute	Queries the configurations of the router interface.
vpc:DescribeRouterInterfaces	Queries router interfaces.
vpc:DescribeVRouters	Queries vRouters in a region.
vpc:CreateVpc	Creates a VPC.
vpc:CreateVSwitch	Creates a vSwitch.

RAM-related operations

When you create a Realtime Compute for Apache Flink workspace, you must have relevant RAM permissions to configure resources.

Action	Description
ram:*	Adds, removes, modifies, and queries the following RAM resources: domains and applications.

DLF-related operations

When you create a Realtime Compute for Apache Flink workspace, you must have Data Lake Formation (DLF) permissions to access related catalogs.

Action	Description
dlf:BatchCreatePartitions	Creates multiple partitions at a time.
dlf:BatchCreateTables	Creates multiple tables at a time.
dlf:BatchDeletePartitions	Deletes multiple partitions at a time.
dlf:BatchDeleteTables	Deletes multiple tables at a time.
dlf:BatchGetPartitions	Queries multiple partitions at a time.
dlf:BatchGetTables	Queries multiple tables at a time.
dlf:BatchUpdatePartitions	Updates multiple partitions at a time.
dlf:BatchUpdateTables	Updates multiple tables at a time.
dlf:CreateCatalog	Creates a data lake catalog.
dlf:CreateDatabase	Creates a database.
dlf:CreateFunction	Creates a function.
dlf:CreatePartition	Creates a partition.
dlf:CreateTable	Creates a table.
dlf:DeleteCatalog	Deletes a data lake catalog.
dlf:DeleteDatabase	Deletes a database.
dlf:DeleteFunction	Deletes a function.
dlf:DeletePartition	Deletes a partition.
dlf:DeleteTable	Deletes a table.
dlf:GetAsyncTaskStatus	Queries the status of an asynchronous task.
dlf:GetCatalog	Queries a data lake catalog.
dlf:GetCatalogByInstanceId	Queries catalogs by instance ID.
dlf:GetCatalogSettings	Queries the data lake configuration.
dlf:GetDatabase	Queries a database.
dlf:GetFunction	Queries a function.
dlf:GetPartition	Queries a partition.
dlf:GetTable	Queries a table.
dlf:ListCatalogs	Queries catalogs.
dlf:ListDatabases	Queries databases.
dlf:ListFunctionNames	Queries function names.
dlf:ListFunctions	Queries functions.
dlf:ListPartitionNames	Queries partition names.
dlf:ListPartitions	Queries partitions.
dlf:ListPartitionsByExpr	Queries partitions by using an expression.
dlf:ListPartitionsByFilter	Queries partitions by using a filter.
dlf:ListTableNames	Queries table names.
dlf:ListTables	Queries tables.
dlf:RenamePartition	Renames a partition.
dlf:RenameTable	Renames a table.
dlf:UpdateCatalog	Updates a data lake catalog.
dlf:UpdateDatabase	Updates a database.
dlf:UpdateFunction	Updates a function.
dlf:UpdateTable	Updates a table.
dlf:BatchGetPartitionColumnStatistics	Queries the statistics on multiple metadata table partitions at a time.
dlf:DeletePartitionColumnStatistics	Deletes the statistics on a metadata table partition.
dlf:DeleteTableColumnStatistics	Deletes the statistics on a metadata table.
dlf:GetPartitionColumnStatistics	Queries the statistics on the fields in a metadata table partition.
dlf:GetTableColumnStatistics	Queries the statistics on the fields in a metadata table.
dlf:UpdateTableColumnStatistics	Updates the statistics on a metadata table.
dlf:UpdatePartitionColumnStatistics	Updates the statistics on a metadata table partition.
dlf:CreateLock	Creates a metadata lock.
dlf:UnLock	Unlocks a metadata lock.
dlf:AbortLock	Aborts a metadata lock.
dlf:RefreshLock	Refreshes a metadata lock.
dlf:GetLock	Queries a metadata lock.
dlf:GetCatalogAccessInfo	Queries the information such as the storage name and storage endpoint about backend storage based on the catalog UUID.
dlf:GetDataToken	Queries catalog- or table-level keys based on the catalog UUID.
dlf:GetDataTokenByName	Queries catalog- or table-level keys based on the catalog UUID, database name, or table name.
dlf-auth:ActOnBehalfOfAnotherUser	Uses a service-linked role (SLR) or service role (SR) to access DLF.
dlf:GrantPermissions	Grants permissions on the principal resources.
dlf:RevokePermissions	Revokes permissions on the principal resources.
dlf:BatchGrantPermissions	Grants multiple permissions at a time.
dlf:BatchRevokePermissions	Revokes multiple permissions at a time.
dlf:UpdatePermissions	Updates permissions on the principal resources.
dlf:ListPermissions	Queries the permissions of a resource or principal.
dlf:CreateRole	Creates a role.
dlf:UpdateRole	Updates a role.
dlf:DeleteRole	Deletes a role.
dlf:GetRole	Queries a role.
dlf:ListRoles	Queries roles.
dlf:GrantRolesToUser	Grants multiple role permissions to a user at a time.
dlf:RevokeRolesFromUser	Revokes multiple role permissions of a user at a time.
dlf:GrantRoleToUsers	Grants a role permission to multiple users at a time.
dlf:RevokeRoleFromUsers	Revokes a role permission of multiple users at a time.
dlf:UpdateRoleUsers	Updates users of a role.
dlf:ListRoleUsers	Queries users of a role.
dlf:ListUserRoles	Queries user roles.
dlf:GrantRolesToPrincipal	Grants multiple role permissions to a principal at a time.
dlf:RevokeRolesFromPrincipal	Revokes multiple role permissions of a principal at a time.
dlf:GrantRoleToPrincipals	Grants a role permission to multiple principals at a time.
dlf:RevokeRoleFromPrincipals	Revokes a role permission of multiple principals at a time.
dlf:UpdateRolePrincipals	Updates the principals in a role.
dlf:BatchDeleteRoles	Deletes multiple roles at a time.
dlf:CheckPermissions	Checks permissions.
dlf:GetCatalogStorageStatistics	Queries the catalog statistics.
dlf:GetCatalogStorageIndicatorDetails	Queries the trend of a catalog metric.
dlf:GetCatalogStorageRank	Queries the ranking of catalog storage statistics.
dlf:GetCatalogStorageAnalysis	Queries the data distribution in a catalog.
dlf:GetDatabaseProfile	Queries the data profile of a database.
dlf:GetDatabaseStorageAnalysis	Queries the data distribution in a database.
dlf:GetTableProfile	Queries the data profile of a table.
dlf:GetTableStorageAnalysis	Queries the data distribution in a table.
dlf:ListPartitionProfiles	Queries partition data profiles.
dlf:getLatestStorageStatisticsDate	Queries the time when the storage overview data was last updated.
dlf:SubscribeOptimize	Submits optimization.
dlf:GetOptimizeRegionStatus	Queries the region and status of optimization.
dlf:GetOptimizeWorkspaceAuthorization	Queries authorization for the optimized workspace.
dlf:AddOptimizeWorkspace	Adds an optimized workspace.
dlf:ListOptimizeWorkspaces	Queries optimized workspaces.
dlf:PreCheckOptimizeWorkspaceConnection	Prechecks the connection to an optimized workspace.
dlf:CheckOptimizeWorkspaceConnection	Checks the connection to an optimized workspace.
dlf:DeleteOptimizeWorkspace	Deletes an optimized workspace.
dlf:SetOptimizeEnable	Enables storage optimization.
dlf:SetOptimizePolicy	Configures a storage optimization policy.
dlf:GetOptimizePolicy	Queries a storage optimization policy.
dlf:SetOptimizeScheduleRule	Adds a storage optimization scheduling rule.
dlf:ListOptimizeScheduleRules	Queries optimization scheduling rules.
dlf:DeleteOptimizeScheduleRule	Deletes a storage optimization scheduling rule.
dlf:RunOptimizeImmediately	Immediately runs storage optimization.
dlf:GetOptimizeInfo	Queries optimization information.
dlf:UpdateOptimizeTaskResult	Updates the result of a storage optimization task.

References

For more information about how to use different identities such as Alibaba Cloud accounts, RAM roles, and RAM users to access the Realtime Compute for Apache Flink console, see Supported logon methods.
If you want multiple users to use a Realtime Compute for Apache Flink namespace to perform operations such as draft development and deployment O&M in the development console of Realtime Compute for Apache Flink, you must grant permissions on the namespace to the users. For more information, see Grant namespace permissions.
For more information about the differences between the permissions granted to a RAM user and the permissions on namespaces, see Permission management.
For more information about the API operations related to RAM permission management, see Permission management.
Why am I unable to go to the RAM console after I click Authorize in RAM?
What do I do if my account does not have the required permissions when I log on to the Realtime Compute for Apache Flink console?