You can grant required permissions to RAM users to follow the principle of least privilege and prevent multiple users from sharing your Alibaba Cloud account or AccessKey pair. This helps reduce access security risks for enterprises. This topic describes how to grant permissions to RAM users by using your Alibaba Cloud account and describes each permission.
Background information
Resource Access Management (RAM) is a permission management system that is provided by Alibaba Cloud.
RAM is used to control the permissions of accounts.
You can create RAM users within your Alibaba Cloud account and grant them different permissions on Hologres. For example, you can grant RAM users the permissions to purchase or delete instances, upgrade or downgrade instance specifications, change the network types of instances, and view instance details.
When you develop data on a Hologres instance as a RAM user, take note of the following items:
If the Alibaba Cloud account has not granted the required permissions, the RAM user cannot view or manage instances in the Hologres console.
The Alibaba Cloud account can grant the RAM user development permissions on Hologres instances. A RAM user with development permissions can connect to development tools and develop data even if the RAM user cannot manage instances in the Hologres console. For more information, see Grant the development permissions on a Hologres instance to RAM users.
Grant permissions on Hologres to a RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
Grant permissions to the RAM user.
In the Add Permissions panel, configure the parameters that are described in the following table.
Note: You cannot log on to and use HoloWeb by using a specified resource group because HoloWeb does not belong to a resource group.
The permissions mentioned in the following section only indicate whether the RAM user has the permissions to log on to and use HoloWeb. If you want to use a RAM user to connect to and use a Hologres instance, you can go to the instance details page for authorization. For more information, see Grant the development permissions on a Hologres instance to RAM users.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect for a specific resource group.
Important: If you select ResourceGroup for the Resource Scope parameter, make sure that the required cloud service and resource type support resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
The following table describes the system policies that you can use to grant permissions on Hologres. If you attach a system policy to a RAM user, the RAM user is granted all the permissions defined in the system policy.
Policy: AliyunHologresFullAccess
Description: Grants full access permissions on Hologres.
Note: This policy does not include the permissions to use Hologres instances. If you want to use a Hologres instance, you must create a user in the Hologres instance as the superuser and log on to and use the Hologres instance as the created user. For more information, see FAQ about RAM user permissions on instances.
Take note of the following items about the permissions of a RAM user to which this policy is attached:
The RAM user is authorized to view information about all instances in the Hologres console. The information includes the instance list, instance details, and metrics.
The RAM user is authorized to perform operations that involve billing. For example, you can purchase instances, upgrade or downgrade instance specifications, renew instances, stop instances, or delete instances as the RAM user.
The RAM user is authorized to log on to and use the HoloWeb console.
The RAM user is authorized to perform all operations on instances after you purchase the instances as the RAM user. In this case, both the RAM user and the Alibaba Cloud account are superusers of the instances.
By default, the RAM user is not authorized to perform operations on the instances that are created by using the Alibaba Cloud account. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Grant the development permissions on a Hologres instance to RAM users.
The RAM user is not authorized to query all user permissions on the User Management page in the HoloWeb console. You can attach the AliyunRAMReadOnlyAccess policy to the RAM user. This way, the RAM user is granted the ListUser permission and can query all user permissions on the User Management page.
Policy: AliyunBSSOrderAccess
Description: Grants permissions to view, pay for, and cancel orders in the Billing Management console.
If you attach this policy to a RAM user, the RAM user can upgrade or downgrade instance specifications and renew instances in the Hologres console.
Policy: AliyunRAMReadOnlyAccess
Description: Grants read-only permissions on RAM.
If you attach this policy to a RAM user, the RAM user can view the information about all the RAM users and RAM roles of the Alibaba Cloud account to which the RAM user belongs on the User Management page in the HoloWeb console.
Policy: AliyunHologresReadOnlyAccess
Description: Grants read-only permissions on Hologres.
Take note of the following items about the permissions of a RAM user to which this policy is attached:
The RAM user is authorized to view information about all instances in the Hologres console. The information includes the instance list and details.
The RAM user is authorized to log on to and use the HoloWeb console.
The RAM user is not authorized to perform operations that involve billing. For example, you cannot purchase instances, or upgrade or downgrade instance specifications as the RAM user.
The RAM user is not authorized to perform operations on instances. To allow the RAM user to perform the operations, you can use the Alibaba Cloud account to grant the required permissions on the instances to the RAM user.
The list of all RAM users in the Alibaba Cloud account is not displayed in the Hologres console or HoloWeb console if you log on to the console as the RAM user. To view the list of all RAM users, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user.
Note: If you purchase an instance as a RAM user, both the RAM user and the Alibaba Cloud account are superusers by default.
If you use an Alibaba Cloud account to purchase an instance, you can use the instance as a RAM user only after you use the Alibaba Cloud account to grant related permissions to the RAM user.
Custom policies: policies that are managed and updated based on your business requirements. You can create, update, and delete custom policies. For more information, see Create custom policies.
Important: When you configure policies for a RAM user, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user to ensure that the RAM user can access the Hologres console.
On the Create Policy page, click the JSON tab. Then, configure the custom policy in the code editor.
For example, you can enter the following policy configurations:
Important: Delete the comments from the following sample code before you run the code. Otherwise, the code cannot be run.
{
  "Statement": [
    {
      // Grant a RAM user the permissions to perform all operations. If you enter this configuration, you do not need to enter the following configurations.
      "Effect": "Allow",
      "Action": "hologram:*", // The permissions to perform all operations.
      "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*" // The permissions apply to all instances in all regions. <The asterisk (*) cannot be replaced with an instance ID.>
    },
    {
      // Grant a RAM user the permissions to purchase or renew instances.
      "Effect": "Allow",
      "Action": "hologram:*",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to delete instances.
      "Effect": "Allow",
      "Action": "hologram:DeleteInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*" // <The RAM user must be granted this permission before it can be used to delete instances. Otherwise, when the RAM user deletes an instance, a success message is returned but the instance is not deleted.>
    },
    {
      // Grant a RAM user the permission to purchase instances. The RAM user must be granted this permission before it can be used to purchase instances.
      "Effect": "Allow",
      "Action": "bss:PayOrder",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*" // <Test failed.>
    },
    {
      // Grant a RAM user the permission to view instance details.
      "Effect": "Allow",
      "Action": "hologram:GetInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*" // <The asterisk (*) can be replaced with an instance ID.>
    },
    {
      // Grant a RAM user the permission to view the instance list.
      "Effect": "Allow",
      "Action": "hologram:ListInstances",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*" // <The asterisk (*) cannot be replaced with an instance ID.>
    },
    {
      // Grant a RAM user the permission to suspend instances.
      "Effect": "Allow",
      "Action": "hologram:StopInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to resume instances.
      "Effect": "Allow",
      "Action": "hologram:ResumeInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to change the network types of instances.
      "Effect": "Allow",
      "Action": "hologram:UpdateInstanceNetworkType",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to access HoloWeb.
      "Effect": "Allow",
      "Action": "hologram:HoloWebAccess",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
The following table describes the parameters in the syntax.
<region>: The region in which the Hologres instance resides. Example: beijing.
<Alibaba Cloud account ID>: The ID of your Alibaba Cloud account.
*: The IDs of all Hologres instances within your Alibaba Cloud account. You can also replace the asterisk (*) with the ID of a specific Hologres instance. Sample statement: acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx
Important: The asterisk (*) in instance/* in the following configurations cannot be replaced with a specific instance ID:
{
  "Statement": [
    {
      // Grant a RAM user the permissions to perform all operations. If you enter this configuration, you do not need to enter the following configurations.
      "Effect": "Allow",
      "Action": "hologram:*", // The permissions to perform all operations.
      "Resource": "acs:hologram:*:<Alibaba Cloud account ID>:instance/*" // The permissions apply to all instances in all regions.
    },
    {
      // Grant a RAM user the permissions to purchase or renew instances.
      "Effect": "Allow",
      "Action": "hologram:*",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to delete instances.
      "Effect": "Allow",
      "Action": "hologram:DeleteInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to purchase instances. This permission must be granted if you want to purchase instances by using the RAM user.
      "Effect": "Allow",
      "Action": "bss:PayOrder",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to view the instance list.
      "Effect": "Allow",
      "Action": "hologram:ListInstances",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to suspend instances.
      "Effect": "Allow",
      "Action": "hologram:StopInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to resume instances.
      "Effect": "Allow",
      "Action": "hologram:ResumeInstance",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to view the metrics of instances.
      "Effect": "Allow",
      "Action": ["cms:DescribeMetricList", "cms:QueryMetricList"],
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    },
    {
      // Grant a RAM user the permission to change the network types of instances.
      "Effect": "Allow",
      "Action": "hologram:UpdateInstanceNetworkType",
      "Resource": "acs:hologram:cn-<region>:<Alibaba Cloud account ID>:instance/*"
    }
  ],
  "Version": "1"
}
Click Next to edit policy information. In the dialog box that appears, configure the Name and Description parameters.
Click Grant permissions and click Close.
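The following script is an added example, not Alibaba Cloud's own tooling or API. It loads a constructed read-only custom policy (comments already removed, as the topic requires), evaluates whether an action on a resource is allowed under simplified Allow-only matching, and flags statements that scope hologram:* or hologram:ListInstances to a single instance ID, which the topic says does not work. The account ID and instance ID are the placeholder values shown in the sample statement above; the function names are assumptions.

```python
import fnmatch
import json

# Actions the topic says only work with instance/* (the asterisk cannot be replaced with an instance ID).
WILDCARD_ONLY_ACTIONS = {"hologram:*", "hologram:ListInstances"}

# Constructed sample policy: view one instance, list instances in the region, access HoloWeb.
# 4322xxxxx and hhhgggxxxx are the placeholder account ID and instance ID from the topic.
READ_ONLY_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "hologram:GetInstance",
     "Resource": "acs:hologram:cn-beijing:4322xxxxx:instance/hhhgggxxxx"},
    {"Effect": "Allow", "Action": "hologram:ListInstances",
     "Resource": "acs:hologram:cn-beijing:4322xxxxx:instance/*"},
    {"Effect": "Allow", "Action": "hologram:HoloWebAccess", "Resource": "*"}
  ],
  "Version": "1"
}
""")


def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(candidate, patterns):
    # Wildcard matching as used in Action ("hologram:*") and Resource ("...:instance/*").
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified evaluation: True if any Allow statement matches both action and resource."""
    return any(
        stmt["Effect"] == "Allow"
        and _matches(action, stmt["Action"])
        and _matches(resource, stmt["Resource"])
        for stmt in policy["Statement"]
    )


def lint_policy(policy):
    """Return findings for wildcard-only actions scoped to a single instance ID.
    RAM accepts such a statement, but the topic says it does not grant the action."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            if action not in WILDCARD_ONLY_ACTIONS:
                continue
            for res in _as_list(stmt["Resource"]):
                if res != "*" and not res.endswith(":instance/*"):
                    findings.append(f"statement {index}: {action} requires instance/*, got {res}")
    return findings
```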
FAQ about RAM user permissions related to operations in the Hologres console
Permissions related to operations in the Hologres console consist of permissions that are granted in the RAM console and part of development permissions on instances. This section provides answers to frequently asked questions about permissions related to operations in the Hologres console.
Why am I unable to view the instance list and instance IDs as a RAM user?
Problem description
When a RAM user is used to log on to the Hologres console and a valid region is selected, the instances that are purchased cannot be viewed. The following error message is returned: You are not authorized to view the purchased instances. Contact the relevant Alibaba Cloud account to grant the hologram:ListInstances permission on xxx/* to you in the RAM console.
Cause
The current RAM user does not have permissions to view the instance list in the Hologres console.
Solution
Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresReadOnlyAccess policy to the RAM user. Then, the RAM user can view the instance list.
Why am I unable to manage instances as a RAM user that is assigned the superuser role?
Problem description
When you log on to the Hologres console as a RAM user that is assigned the superuser role, you cannot purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance from pay-as-you-go to subscription. The following error message is returned: Failed to authenticate the RAM user.
Cause
The current RAM user does not have permissions to purchase an instance, upgrade or downgrade instance specifications, or change the billing method of an instance. You can perform these operations by using your Alibaba Cloud account.
Solution
Log on to the RAM console by using your Alibaba Cloud account. Attach the AliyunHologresFullAccess and AliyunBSSOrderAccess policies to the RAM user. Then, the RAM user can manage instances.
FAQ about RAM user permissions on the use of instances
Why am I unable to connect to and use Hologres instances as a RAM user?
Problem description
The following error message is returned: role "<role_name>" does not exist.
Cause
After Hologres instances are created, only the Alibaba Cloud account and the RAM user that is used to purchase Hologres instances are superusers of the instances by default. Other RAM users must be granted the permissions on the Hologres instances by superusers before the RAM users can connect to and use the Hologres instances.
Solution
Note: You can execute the select * from pg_user; statement to view the superusers of the current instance.
On the User Management page in the HoloWeb console, add users and grant the required permissions to the users. For more information, see Manage users.
Connect to the instance and execute the create user "<role_name>" statement. For more information, see Overview.
Why am I unable to view the information on the User Management page and the Database Authorization page?
Problem description
When a RAM user is used to log on to the Hologres console, information on the User Management page and the Database Authorization page cannot be viewed, and an error message is displayed, indicating that you do not have the permissions and need to ask the superuser to grant permissions on the instance to your account.
Cause
The current RAM user does not have the development permissions on the instance. To view related information, you must be granted the development permissions on the instance.
Solution
Grant the RAM user the development permissions on the instance by using your Alibaba Cloud account or as a superuser. For more information, see Grant the development permissions on a Hologres instance to RAM users.
What do I do if I incorrectly delete superusers?
Problem description
All superusers in an instance are incorrectly changed to common users.
Note: If you incorrectly change all superusers in an instance to common users, you cannot perform user management and most operations related to instances.
Solution
Join the Hologres DingTalk group for technical support. For more information, see Obtain online support for Hologres.