All Products
Search

This Product

    ApsaraDB RDS:Grant a RAM user the read-only permissions on an ApsaraDB RDS instance

    Document Center

    ApsaraDB RDS:Grant a RAM user the read-only permissions on an ApsaraDB RDS instance

    Last Updated:Dec 11, 2024

    RAM authorization supports multiple methods, such as Alibaba Cloud Resource Name (ARN)-based authorization, resource group-based authorization, and tag-based authorization, to implement fine-grained management. This topic describes how to grant a RAM user the read-only permissions on a specified RDS instance.

    Prerequisites

    A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

    Procedure

    Note

    You must perform the following operations by using your Alibaba Cloud account.

    Method 1: ARN-based authorization

    ARN-based authorization indicates that a resource ARN is used to specify one or more objects to be authorized when you create a policy. This helps implement precise access control on specific resources. For more information about resource ARNs, see Policy elements.

    1. Create a policy.

      1. Log on to the Resource Access Management (RAM) console.

      2. In the left-side navigation pane, choose Permissions > Policies.

      3. On the page that appears, click Create Policy.

      4. On the page that appears, click Visual editor or JSON.

        • Visual editor

          1. Set the Effect parameter to Allow.

          2. Set the Service parameter to ApsaraDB RDS.

          3. Set the Action parameter to Select action(s). Then, add the Describe-related read actions.

            Note

            You can search for Describe and then select related actions.

          4. Set the Resource parameter to Specified resource(s). The ARN is in the format of acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}. You need to set the Resource parameter in the Add resource dialog box to the RDS instance to which you want to apply the policy.image.png

          5. Leave the Condition parameter empty.

          6. Click Add statement.image.png

          7. Set the Effect parameter to Allow and the Service parameter to ApsaraDB RDS.

          8. Set the Action parameter to DescribeDBInstances-related read actions.

          9. Set the Resource parameter to All resources and leave the Condition parameter empty.

        • JSON

          Enter the following code snippet in the code editor:

          {
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:Describe*",
      "Resource": "acs:rds:*:*:dbinstance/ID of the RDS instance"
    },
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

      5. Click OK. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the information and click OK.

    2. Attach the custom policy to a RAM user.

      1. In the left-side navigation pane, choose Identities > Users.

      2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

      3. Set the Resource Scope parameter to the resource group that you created. In the Policy section, select Custom Policy from the drop-down list, search for the policy that you created, and select the policy.

      4. Click Grant permissions.

    3. Log on to the ApsaraDB RDS console as a RAM user and view the RDS instance.

      1. Go to the Instances page. In the top navigation bar, select the region and view the RDS instances in the region.

      2. Click the ID of the authorized RDS instance to view the information about the instance.

        Note

        When you use this authorization method, the RAM user can view all RDS instances on the Instances page, but can only view the information about the authorized instance. If you view other unauthorized instances, a message appears, indicating that the RAM user has insufficient permissions.

    The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.

    Method 2: Resource group-based authorization

    Resource group-based authorization indicates that the resources to be authorized are added to a resource group. When you grant permissions to a RAM user, you can specify the resource group to which the authorized resources belong to implement precise access control for all resources in the specified resource group.

    1. Create a resource group.

      1. Log on to the Resource Management console. In the left-side navigation pane, click Resource Group.

      2. Click Create Resource Group. In the dialog box that appears, configure the Resource Group Identifier and Resource Group Name parameters and click OK.

    2. Add the required RDS instance to the new resource group.

      1. Find the resource group to which the required RDS instance is added. Then, click Manage Resource in the Actions column of the resource group. In this example, the required RDS instance is added to Default Resource Group.

      2. Find the required RDS instance by instance ID, select the instance, and then click Transfer resource group. image

      3. In the Select Destination Resource Group panel, select the resource group that you created in Step 1, and then click OK. image

      4. In the panel that appears, click OK.

        If you find the required RDS instance in the created resource group, the resource group of the instance is transferred.

    3. Create a policy.

      1. Log on to the RAM console.

      2. In the left-side navigation pane, choose Permissions > Policies.

      3. On the page that appears, click Create Policy.

      4. On the page that appears, click Visual editor or JSON.

        • Visual editor

          1. Set the Effect parameter to Allow.

          2. Set the Service parameter to ApsaraDB RDS.

          3. Set the Action parameter to Select action(s). Then, add the Describe-related read actions.

            Note

            You can search for Describe and then select related actions.

          4. Set the Resource parameter to All resource(s).

          5. Leave the Condition parameter empty.

        • JSON

          Enter the following code snippet in the code editor:

          {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

      5. Click OK. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the information and click OK.

    4. Attach the custom policy to a RAM user.

      1. In the left-side navigation pane, choose Identities > Users.

      2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

      3. Set the Resource Scope parameter to the resource group that you created. In the Policy section, select Custom Policy from the drop-down list, search for the policy that you created, and select the policy.

      4. Click Grant permissions.

    5. Log on to the ApsaraDB RDS console by using a RAM user and view the RDS instance.

      1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides.

      2. Select the resource group created in Step 1 to view the required RDS instance. image

    The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.

    Method 3: Tag-based authorization

    Tag-based authorization indicates that a tag is added to the resources that need to be authorized. When you create a policy, the policy is applied only to the resources to which the tag is added. This way, you can implement precise access control on the resources.

    1. Add custom tags to an RDS instance.

      1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance.

      2. In the Tags column, click the image icon. Then, click Edit.image

      3. Configure the Tag Key and Tag Value parameters. Then, click OK.

        In this example, the Tag Key parameter is set to test-ram and the Tag Value parameter is set to rds-mysql. We recommend that you set these parameters to meaningful values.

        If the following information is displayed in the Tags column, the custom tag is added to the RDS instance.image

    2. Create a policy.

      1. Log on to the RAM console.

      2. In the left-side navigation pane, choose Permissions > Policies.

      3. On the page that appears, click Create Policy.

      4. On the page that appears, click Visual editor or JSON.

        • Visual editor

          1. Set the Effect parameter to Allow.

          2. Set the Service parameter to ApsaraDB RDS.

          3. Set the Action parameter to Select action(s). Then, add the Describe-related read actions.

            Note

            You can search for Describe and then select related actions.

          4. Set the Resource parameter to All resource(s).

          5. In the Condition section, click Add condition. In the dialog box that appears, configure the Key, Tag Key, Operator, and Value parameters.

            Note

            The value of the Key parameter is fixed as rds:ResourceTag. The value of the Operator parameter is fixed as StringEquals. The values of the Tag Key and Value parameters must be the same as the values of the Tag Key and Tag Value parameters of the tag that is added to the RDS instance in Step 1.

            image

        • JSON

          Enter the following code snippet in the code editor:

          Note

          In the code snippet, test-ram and rds-mysql are used only for reference. You must replace these values with the values of the Tag Key and Tag Value parameters of the tag that is added to the RDS instance in Step 1. 

          {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "rds:ResourceTag/test-ram": [
            "rds-mysql"
          ]
        }
      }
    }
  ]
}

      5. Click OK. In the Create Policy dialog box, configure the Name and Description parameters. Then, confirm the information and click OK.

    3. Attach the custom policy to a RAM user.

      1. In the left-side navigation pane, choose Identities > Users.

      2. Find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

      3. Set the Resource Scope parameter to the resource group that you created. In the Policy section, select Custom Policy from the drop-down list, search for the policy that you created, and select the policy.

      4. Click Grant permissions.

    4. Log on to the ApsaraDB RDS console as the RAM user and view the RDS instance.

      1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides.

      2. Use the Filter by Tag feature to search for the tag that is added to the RDS instance in Step 1 and view the RDS instance.image

    The RAM user is granted the read-only permissions on the RDS instance. You can also grant other permissions to the RAM user based on your business requirements.