
ApsaraDB RDS: Authorize a RAM user to manage ApsaraDB RDS instances

Last Updated:Jul 08, 2025

This topic describes how to authorize a RAM user to manage ApsaraDB RDS instances by using Resource Access Management (RAM).

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Note

If you want to use features related to performance optimization and diagnosis as a RAM user, you must grant the RAM user the AliyunHDMFullAccess permission in advance.

Background information

You can grant permissions to call API operations to RAM users. For example, if you grant a RAM user the permission to call the CreateDBInstance operation, the RAM user can create an RDS instance in the ApsaraDB RDS console.

The following procedure shows how to grant a RAM user the permission to check information about RDS instances. The procedures to grant other permissions to a RAM user are similar.

Procedure

  1. Create a policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permission Management > Policies.

    3. Click Create Policy.

    4. Select Visual Editor or JSON.

      Visual editor

      Configure the following parameters:

      Effect

      Specify whether to grant the RAM user the permissions on an Alibaba Cloud service. Example: Allow.

      Service

      Select the Alibaba Cloud service on which you want to grant permissions to the RAM user. Example: ApsaraDB RDS.

      Action

      Select the actions on which you want to grant permissions to the RAM user. Valid values: All Action(s) or Select Action(s). If you select Select Action(s), you need to select the actions in the All Action(s) section and add them to the Selected Action(s) section.

      We recommend that you select DescribeDBInstances under Read Actions. Otherwise, the RAM user cannot view the instance list.

      Important

      If the length of the policy document exceeds the limit because many actions are selected, submit a ticket to modify the length limit of the policy document.

      For example, you can select all Read Actions.

      Figure: Select Action(s)

      Resource

      Select the resources on which you want to grant permissions to the RAM user. Valid values: All Resource(s) or Specified Resource(s).

      If you select Specified Resource(s), you need to add a resource based on the Alibaba Cloud Resource Name (ARN) format of the resource. To add a resource, click Add Source on the right of the ARN format. The following methods are available:

      Important

      The resource ARNs that are required for an action are tagged with Required. To ensure that the policy takes effect as expected, we recommend that you configure the resource ARNs that are tagged with Required.

      For example, acs:rds:*:{#accountId}:dbinstance/* is tagged with Required. If you do not configure this resource ARN, the RAM user cannot view instances in the instance list.

      • acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} (Required): matches resources by region, account, and instance ID.

      • acs:rds:{#regionId}:{#accountId}:dbinstance/*: matches resources by region and account.

      • acs:rds:*:{#accountId}:dbinstance/* (Required): matches resources by account.

      • acs:rds:*:{#accountId}:dbinstance/{#dbinstanceId} (Required): matches resources by account and instance ID.

      Note

      RAM authorization supports multiple methods, such as ARN, resource group-based authorization, and tag-based authorization, to implement fine-grained management. For example, you can grant a RAM user the read-only permissions on a specified RDS instance. For more information, see Grant a RAM user the read-only permissions on an ApsaraDB RDS instance.

      Condition

      Specify the limits on the permissions that you want to grant to the RAM user. For example, you can limit the source IP addresses from which the RAM user can log on. For more information, see Basic elements of policies.

      Script editor

      Enter the following code snippet in the code editor:

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "rds:Describe*",
                  "Resource": "*"
              }
          ]
      }

      Note

      The JSON mode is more efficient than the Visual Editor mode. For example, in JSON mode, you can enter Describe* in the code editor to specify all API operations whose names start with Describe.

    5. Click OK. In the Create Policy dialog box, enter a Policy Name and a Description. After you confirm that the policy content is correct, click OK again.

  2. Attach the custom policy to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user and click Add Permissions in the Actions column.

    3. In the Policy section, click Custom Policy. Find and select the policy that you created.

    4. Click Grant Permissions.

After you complete these steps, you can log on to the ApsaraDB RDS console with the credentials of the RAM user and view information about RDS instances. You can also grant other permissions to RAM users within your Alibaba Cloud account based on your business requirements.
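The following Python is an added example, not code from the Alibaba Cloud documentation or from the RAM service. It models how a wildcard action such as rds:Describe* and the ARN patterns listed above are matched against a requested action and resource, so you can see what the read-only policy grants and what a policy scoped to a single instance ARN withholds. The evaluation rules (an explicit Deny overrides Allow, and everything else is denied by default), the account ID and the instance IDs are assumptions made for the example.

```python
import fnmatch
import json

# Constructed sample (not from the RAM service): the read-only policy from the
# topic, parsed from its JSON text.
READ_ONLY_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}
""")

# Constructed sample: the same read permission narrowed to one instance ARN, plus
# an explicit Deny on destructive actions. Account and instance IDs are placeholders.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:Describe*"],
         "Resource": ["acs:rds:*:1234567890:dbinstance/rm-example1"]},
        {"Effect": "Deny", "Action": ["rds:Delete*", "rds:Modify*"],
         "Resource": ["acs:rds:*:1234567890:dbinstance/*"]},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # '*' in fnmatch also crosses ':' and '/', so one wildcard can stand for a
    # whole ARN segment such as the region. Matching is case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator (assumption): an explicit Deny wins over any Allow, and
    nothing is allowed unless some Allow statement matches action and resource."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Use it to compare candidate policies before attaching them: a Describe call on any instance passes under the read-only policy, while the scoped policy passes only for rm-example1 and rejects delete or modify calls outright.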