All Products
Search

This Product

    ApsaraDB RDS:Authorize a RAM user with read-only permissions to download backup files

    Document Center

    ApsaraDB RDS:Authorize a RAM user with read-only permissions to download backup files

    Last Updated:Feb 19, 2025

    This topic describes how to authorize a Resource Access Management (RAM) user with read-only permissions to download backup files. For security purposes, a RAM user with read-only permissions cannot download backup files.

    RAM user permissions

    The authentication capability of the advanced download feature is provided based on the policy management feature of RAM. You can attach a policy to the RAM user to allow the RAM user to obtain the download URLs.

    • If you cannot use the advanced download feature, such as creating and querying advanced download tasks, check whether the AliyunDBSFullAccess policy is attached to the RAM user that you use. For more information, see Grant permissions to a RAM user.

    • If you want the RAM user to use Data Disaster Recovery but want to prohibit the user from obtaining URLs for advanced downloads, you can create a custom policy to prohibit the RAM user from calling the operation to obtain URLs for advanced downloads. For more information, see Create custom policies. Sample script:

      {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "dbs:DescribeDownloadBackupsetStorageInfo",
            "Resource": "*"
        }
    ]
}

      After you create the custom policy, you must attach the policy to the RAM user. For more information, see Grant permissions to a RAM user. This way, the RAM user cannot obtain the URLs for advanced downloads.

    Procedure

    1. Log on to the Resource Access Management (RAM) console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy. On the page that appears, click the JSON tab and enter the following policy content. Then, click OK. 

      {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:ModifyBackupPolicy",
                "rds:CheckRegionSupportBackupEncryption"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dbs:CreateDownload",
                "dbs:DescribeDBInstanceDownloadSize"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

    4. On the Create Policy dialog box, configure Name and Description for the policy and then click OK.

    5. In the left-side navigation pane, choose Permissions > Grants.

    6. Click Grant Permission to attach the new policy to the RAM user. For more information, see Method 2: Grant permissions to a RAM user on the Grants page.

    7. Click Grant permissions.