Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by Redis. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate Redis is kvstore. You can grant permissions on Redis at the RESOURCE.
General structure of a policy
Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
"Version": "1",
"Statement": [
{
"Effect": "<Effect>",
"Action": "<Action>",
"Resource": "<Resource>",
"Condition": {
"<Condition_operator>": {
"<Condition_key>": [
"<Condition_value>"
]
}
}
}
]
}
- Effect: specifies the authorization effect. Valid values: Allow, Deny.
- Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
- Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
- Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.
Action
Redis defines the values that you can use in theAction
element of a policy statement. The following table describes the values.- Operation: the value that you can use in the Action element to specify the operation on a resource.
- API operation: the API operation that you can call to perform the operation.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Actions | API operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|---|
kvstore:DescribeAvailableResource | DescribeAvailableResource | get | All Resources * | None | None |
kvstore:DescribeInstances | DescribeInstances | list | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/*DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyInstanceSSL | ModifyInstanceSSL | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:SSLEnabled | None |
kvstore:ReleaseDirectConnection | ReleaseDirectConnection | delete | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeInstanceAttribute | DescribeInstanceAttribute | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribePrice | DescribePrice | get | All Resources * | None | None |
kvstore:InitializeKvstorePermission | InitializeKvstorePermission | create | All Resources * | None | None |
kvstore:CheckCloudResourceAuthorized | CheckCloudResourceAuthorized | get | All Resources * | None | None |
kvstore:DescribeInstanceConfig | DescribeInstanceConfig | get | All Resources * | None | None |
kvstore:CreateCacheAnalysisTask | CreateCacheAnalysisTask | create | All Resources * | None | None |
kvstore:ModifyGlobalSecurityIPGroupRelation | ModifyGlobalSecurityIPGroupRelation | All Resources * | None | None | |
kvstore:ModifyResourceGroup | ModifyResourceGroup | update | All Resources * | None | None |
kvstore:EnableAdditionalBandwidth | EnableAdditionalBandwidth | update | All Resources * | None | None |
kvstore:RestoreInstance | RestoreInstance | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyInstanceTDE | ModifyInstanceTDE | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:TDEStatus | None |
kvstore:DescribeParameterTemplates | DescribeParameterTemplates | get | All Resources * | None | None |
kvstore:ModifyInstanceNetExpireTime | ModifyInstanceNetExpireTime | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeEncryptionKey | DescribeEncryptionKey | get | All Resources * | None | None |
kvstore:TagResources | TagResources | create | All Resources * | None | None |
kvstore:TransformToPrePaid | TransformToPrePaid | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeParameterGroup | DescribeParameterGroup | get | All Resources * | None | None |
kvstore:ModifySecurityIps | ModifySecurityIps | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:UntagResources | UntagResources | delete | All Resources * | None | None |
kvstore:UnlockDBInstanceWrite | UnlockDBInstanceWrite | update | All Resources * | None | None |
kvstore:DescribeHistoryMonitorValues | DescribeHistoryMonitorValues | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:ResourceTag kvstore:ResourceTag kvstore:ResourceTag kvstore:ResourceTag | None |
kvstore:ModifyAccountPassword | ModifyAccountPassword | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyIntranetAttribute | ModifyIntranetAttribute | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeParameterModificationHistory | DescribeParameterModificationHistory | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} | None | None |
kvstore:DescribeParameters | DescribeParameters | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} | None | None |
kvstore:ModifyInstanceBandwidth | ModifyInstanceBandwidth | update | All Resources * | None | None |
kvstore:AllocateInstancePublicConnection | AllocateInstancePublicConnection | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeLogicInstanceTopology | DescribeLogicInstanceTopology | get | All Resources * | None | None |
kvstore:DescribeDBNodeDirectVipInfo | DescribeDBNodeDirectVipInfo | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:AddShardingNode | AddShardingNode | create | All Resources * | None | None |
kvstore:DescribeSecurityIps | DescribeSecurityIps | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeInstanceTDEStatus | DescribeInstanceTDEStatus | get | All Resources * | None | None |
kvstore:ModifyActiveOperationTask | ModifyActiveOperationTask | update | All Resources * | None | None |
kvstore:DescribeDBInstanceNetInfo | DescribeDBInstanceNetInfo | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeCacheAnalysisReport | DescribeCacheAnalysisReport | get | dbinstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
kvstore:DescribeClusterMemberInfo | DescribeClusterMemberInfo | get | All Resources * | None | None |
kvstore:DescribeTasks | DescribeTasks | get | All Resources * | None | None |
kvstore:CreateInstances | CreateInstances | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/* | kvstore:InstanceClass kvstore:InstanceType kvstore:Appendonly | None |
kvstore:DescribeMonitorItems | DescribeMonitorItems | get | All Resources * | None | None |
kvstore:TransformInstanceChargeType | TransformInstanceChargeType | update | All Resources * | None | None |
kvstore:CreateAccount | CreateAccount | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeEncryptionKeyList | DescribeEncryptionKeyList | get | All Resources * | None | None |
kvstore:DescribeInstanceAutoRenewalAttribute | DescribeInstanceAutoRenewalAttribute | get | All Resources * | None | None |
kvstore:SwitchInstanceHA | SwitchInstanceHA | update | All Resources * | None | None |
kvstore:CreateTairInstance | CreateTairInstance | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/* | kvstore:InstanceClass kvstore:InstanceType | None |
kvstore:ModifyInstanceMinorVersion | ModifyInstanceMinorVersion | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeEngineVersion | DescribeEngineVersion | get | All Resources * | None | None |
kvstore:ModifyBackupPolicy | ModifyBackupPolicy | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:EnableBackupLog | None |
kvstore:SwitchNetwork | SwitchNetwork | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:RemoveSubInstance | RemoveSubInstance | update | All Resources * | None | None |
kvstore:CreateGlobalSecurityIPGroup | CreateGlobalSecurityIPGroup | All Resources * | None | None | |
kvstore:ResetAccountPassword | ResetAccountPassword | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ListTagResources | ListTagResources | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/* | None | None |
kvstore:MigrateToOtherZone | MigrateToOtherZone | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyInstanceAttribute | ModifyInstanceAttribute | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeParameterGroupTemplateList | DescribeParameterGroupTemplateList | list | All Resources * | None | None |
kvstore:RestartInstance | RestartInstance | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
kvstore:AllocateDirectConnection | AllocateDirectConnection | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:RenewAdditionalBandwidth | RenewAdditionalBandwidth | update | All Resources * | None | None |
kvstore:DescribeGlobalSecurityIPGroup | DescribeGlobalSecurityIPGroup | get | All Resources * | None | None |
kvstore:FlushInstance | FlushInstance | delete | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeSecurityGroupConfiguration | DescribeSecurityGroupConfiguration | get | dbinstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
kvstore:SwitchInstanceProxy | SwitchInstanceProxy | update | All Resources * | None | None |
kvstore:ModifyInstanceSpec | ModifyInstanceSpec | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:LockDBInstanceWrite | LockDBInstanceWrite | update | All Resources * | None | None |
kvstore:DescribeParameterGroupSupportParam | DescribeParameterGroupSupportParam | get | All Resources * | None | None |
kvstore:DescribeActiveOperationTask | DescribeActiveOperationTask | get | All Resources * | None | None |
kvstore:DescribeCacheAnalysisReportList | DescribeCacheAnalysisReportList | get | All Resources * | None | None |
kvstore:ModifyAuditLogConfig | ModifyAuditLogConfig | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId} | kvstore:DbAudit | None |
kvstore:ReleaseInstancePublicConnection | ReleaseInstancePublicConnection | delete | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DeleteParameterGroup | DeleteParameterGroup | delete | All Resources * | None | None |
kvstore:ModifyInstanceMaintainTime | ModifyInstanceMaintainTime | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeBackups | DescribeBackups | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeIntranetAttribute | DescribeIntranetAttribute | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:RenewInstance | RenewInstance | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeRoleZoneInfo | DescribeRoleZoneInfo | get | All Resources * | None | None |
kvstore:GrantAccountPrivilege | GrantAccountPrivilege | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:CreateInstance | CreateInstance | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/* | kvstore:InstanceClass kvstore:Appendonly kvstore:InstanceType | None |
kvstore:ModifyGlobalSecurityIPGroup | ModifyGlobalSecurityIPGroup | All Resources * | None | None | |
kvstore:DescribeInstancesOverview | DescribeInstancesOverview | get | All Resources * | None | None |
kvstore:DeleteAccount | DeleteAccount | delete | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DeleteGlobalSecurityIPGroup | DeleteGlobalSecurityIPGroup | All Resources * | None | None | |
kvstore:DescribeDedicatedClusterInstanceList | DescribeDedicatedClusterInstanceList | get | All Resources * | None | None |
kvstore:DescribeBackupTasks | DescribeBackupTasks | get | All Resources * | None | None |
kvstore:DeleteShardingNode | DeleteShardingNode | delete | All Resources * | None | None |
kvstore:ModifyAccountDescription | ModifyAccountDescription | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:SyncDtsStatus | SyncDtsStatus | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyInstanceVpcAuthMode | ModifyInstanceVpcAuthMode | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:VpcAuthMode | None |
kvstore:DescribeBackupPolicy | DescribeBackupPolicy | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyDBInstanceAutoUpgrade | ModifyDBInstanceAutoUpgrade | update | All Resources * | None | None |
kvstore:DescribeGlobalDistributeCache | DescribeGlobalDistributeCache | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeSlowLogRecords | DescribeSlowLogRecords | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
kvstore:ModifyInstanceConfig | ModifyInstanceConfig | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:InstanceAofConfig kvstore:TLSVersion | None |
kvstore:FlushExpireKeys | FlushExpireKeys | delete | DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
kvstore:DescribeRunningLogRecords | DescribeRunningLogRecords | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeAccounts | DescribeAccounts | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DeleteInstance | DeleteInstance | delete | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyInstanceMajorVersion | ModifyInstanceMajorVersion | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:FlushInstanceForDB | FlushInstanceForDB | delete | All Resources * | None | None |
kvstore:DescribeGlobalSecurityIPGroupRelation | DescribeGlobalSecurityIPGroupRelation | All Resources * | None | None | |
kvstore:DescribeInstanceSSL | DescribeInstanceSSL | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeAuditRecords | DescribeAuditRecords | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeAuditLogConfig | DescribeAuditLogConfig | get | All Resources * | None | None |
kvstore:DescribeClusterBackupList | DescribeClusterBackupList | get | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyGlobalSecurityIPGroupName | ModifyGlobalSecurityIPGroupName | All Resources * | None | None | |
kvstore:ModifySecurityGroupConfiguration | ModifySecurityGroupConfiguration | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
kvstore:DescribeParameterGroups | DescribeParameterGroups | list | All Resources * | None | None |
kvstore:CreateGlobalDistributeCache | CreateGlobalDistributeCache | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:DescribeHistoryTasks | DescribeHistoryTasks | get | All Resources * | None | None |
kvstore:ModifyDBInstanceConnectionString | ModifyDBInstanceConnectionString | update | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
kvstore:ModifyParameterGroup | ModifyParameterGroup | update | All Resources * | None | None |
kvstore:CreateBackup | CreateBackup | create | DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
Resource
Redis defines the values that you can use in theResource
. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource.
The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:{#}
indicates a variable. {#} must be replaced with an actual value. For example,{#ramcode}
must be replaced with the actual code of an Alibaba Cloud service in RAM.- An asterisk (
*
) is used as a wildcard. Examples:{#resourceType}
is set to*
, all resources are specified.{#regionId}
is set to*
, all regions are specified.{#accountId}
is set to*
, all Alibaba Cloud accounts are specified.
Resource type | ARN |
---|---|
DBInstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId} |
DBInstance | acs:kvstore:{#regionId}:{#accountId}:instance/* |
DBInstance | acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} |
DBInstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} |
dbinstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} |
DBInstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} |
TairInstance | acs:redis:{#regionId}:{#accountId}:tairinstance/{#TairInstanceId} |
DBInstance | acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId} |
Condition
Redis defines the values that you can use in the
Condition
element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Redis. For more information about the common condition keys, see Generic Condition Keyword.The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
Condition key | Description | Data type |
---|---|---|
kvstore:InstanceClass | The instance type. Example: redis.master.small.default. Value Source: the value of the request parameter InstanceClass. | String |
kvstore:InstanceType | The instance type. When creating a Redis instance, the value is Redis or Memcache. When creating a Tair instance, the value is tair_rdb, tair_scm, or tair_essd. | String |
kvstore:SSLEnabled | Whether to enable TLS (SSL) encryption | String |
kvstore:DbAudit | Audit log enabled status | Boolean |
kvstore:TDEStatus | Enable Transparent Data Encryption (TDE) for the instance | String |
kvstore:VpcAuthMode | In the authentication mode of a private network, Open: Passed password authentication; Close: Disable password authentication, that is, enable password-free access. | String |
kvstore:InstanceAofConfig | Instance AOF parameter configuration | String |
kvstore:Appendonly | For instance AOF configuration, yes to enable AOF persistence; no to disable AOF persistence | String |
kvstore:TLSVersion | TLS protocol version used | String |
kvstore:EnableBackupLog | Enable data flashback feature, 1: Enable data flashback feature; 0: Disable data flashback feature | String |
kvstore:ResourceTag | Redis tag information, it is used in combination with tag key, kvstore:ResourceTag/<tag-key>. Example: Assuming the tag is team:dev, the condition key and value are "kvstore:ResourceTag/team": "dev" | String |