
Tair (Redis® OSS-Compatible): RAM authorization

Last Updated: Nov 11, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, that are defined by Redis. You can use these elements to create policies in RAM. The code (RamCode) that identifies Redis in RAM is kvstore. You can grant permissions on Redis at the RESOURCE level.

General structure of a policy

Policies can be stored as JSON files. The following code shows the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

Redis defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Actions | API operation | Access level | Resource type | Condition key | Associated operation |
|---|---|---|---|---|---|
| kvstore:DescribeAvailableResource | DescribeAvailableResource | get | All Resources: * | None | None |
| kvstore:DescribeInstances | DescribeInstances | list | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/*; DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyInstanceSSL | ModifyInstanceSSL | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:SSLEnabled | None |
| kvstore:ReleaseDirectConnection | ReleaseDirectConnection | delete | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeInstanceAttribute | DescribeInstanceAttribute | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribePrice | DescribePrice | get | All Resources: * | None | None |
| kvstore:InitializeKvstorePermission | InitializeKvstorePermission | create | All Resources: * | None | None |
| kvstore:CheckCloudResourceAuthorized | CheckCloudResourceAuthorized | get | All Resources: * | None | None |
| kvstore:DescribeInstanceConfig | DescribeInstanceConfig | get | All Resources: * | None | None |
| kvstore:CreateCacheAnalysisTask | CreateCacheAnalysisTask | create | All Resources: * | None | None |
| kvstore:ModifyGlobalSecurityIPGroupRelation | ModifyGlobalSecurityIPGroupRelation | | All Resources: * | None | None |
| kvstore:ModifyResourceGroup | ModifyResourceGroup | update | All Resources: * | None | None |
| kvstore:EnableAdditionalBandwidth | EnableAdditionalBandwidth | update | All Resources: * | None | None |
| kvstore:RestoreInstance | RestoreInstance | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyInstanceTDE | ModifyInstanceTDE | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:TDEStatus | None |
| kvstore:DescribeParameterTemplates | DescribeParameterTemplates | get | All Resources: * | None | None |
| kvstore:ModifyInstanceNetExpireTime | ModifyInstanceNetExpireTime | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeEncryptionKey | DescribeEncryptionKey | get | All Resources: * | None | None |
| kvstore:TagResources | TagResources | create | All Resources: * | None | None |
| kvstore:TransformToPrePaid | TransformToPrePaid | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeParameterGroup | DescribeParameterGroup | get | All Resources: * | None | None |
| kvstore:ModifySecurityIps | ModifySecurityIps | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:UntagResources | UntagResources | delete | All Resources: * | None | None |
| kvstore:UnlockDBInstanceWrite | UnlockDBInstanceWrite | update | All Resources: * | None | None |
| kvstore:DescribeHistoryMonitorValues | DescribeHistoryMonitorValues | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:ResourceTag | None |
| kvstore:ModifyAccountPassword | ModifyAccountPassword | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyIntranetAttribute | ModifyIntranetAttribute | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeParameterModificationHistory | DescribeParameterModificationHistory | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} | None | None |
| kvstore:DescribeParameters | DescribeParameters | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} | None | None |
| kvstore:ModifyInstanceBandwidth | ModifyInstanceBandwidth | update | All Resources: * | None | None |
| kvstore:AllocateInstancePublicConnection | AllocateInstancePublicConnection | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeLogicInstanceTopology | DescribeLogicInstanceTopology | get | All Resources: * | None | None |
| kvstore:DescribeDBNodeDirectVipInfo | DescribeDBNodeDirectVipInfo | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:AddShardingNode | AddShardingNode | create | All Resources: * | None | None |
| kvstore:DescribeSecurityIps | DescribeSecurityIps | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeInstanceTDEStatus | DescribeInstanceTDEStatus | get | All Resources: * | None | None |
| kvstore:ModifyActiveOperationTask | ModifyActiveOperationTask | update | All Resources: * | None | None |
| kvstore:DescribeDBInstanceNetInfo | DescribeDBInstanceNetInfo | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeCacheAnalysisReport | DescribeCacheAnalysisReport | get | dbinstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
| kvstore:DescribeClusterMemberInfo | DescribeClusterMemberInfo | get | All Resources: * | None | None |
| kvstore:DescribeTasks | DescribeTasks | get | All Resources: * | None | None |
| kvstore:CreateInstances | CreateInstances | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/* | kvstore:InstanceClass, kvstore:InstanceType, kvstore:Appendonly | None |
| kvstore:DescribeMonitorItems | DescribeMonitorItems | get | All Resources: * | None | None |
| kvstore:TransformInstanceChargeType | TransformInstanceChargeType | update | All Resources: * | None | None |
| kvstore:CreateAccount | CreateAccount | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeEncryptionKeyList | DescribeEncryptionKeyList | get | All Resources: * | None | None |
| kvstore:DescribeInstanceAutoRenewalAttribute | DescribeInstanceAutoRenewalAttribute | get | All Resources: * | None | None |
| kvstore:SwitchInstanceHA | SwitchInstanceHA | update | All Resources: * | None | None |
| kvstore:CreateTairInstance | CreateTairInstance | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/* | kvstore:InstanceClass, kvstore:InstanceType | None |
| kvstore:ModifyInstanceMinorVersion | ModifyInstanceMinorVersion | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeEngineVersion | DescribeEngineVersion | get | All Resources: * | None | None |
| kvstore:ModifyBackupPolicy | ModifyBackupPolicy | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:EnableBackupLog | None |
| kvstore:SwitchNetwork | SwitchNetwork | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:RemoveSubInstance | RemoveSubInstance | update | All Resources: * | None | None |
| kvstore:CreateGlobalSecurityIPGroup | CreateGlobalSecurityIPGroup | | All Resources: * | None | None |
| kvstore:ResetAccountPassword | ResetAccountPassword | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ListTagResources | ListTagResources | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/* | None | None |
| kvstore:MigrateToOtherZone | MigrateToOtherZone | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyInstanceAttribute | ModifyInstanceAttribute | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeParameterGroupTemplateList | DescribeParameterGroupTemplateList | list | All Resources: * | None | None |
| kvstore:RestartInstance | RestartInstance | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
| kvstore:AllocateDirectConnection | AllocateDirectConnection | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:RenewAdditionalBandwidth | RenewAdditionalBandwidth | update | All Resources: * | None | None |
| kvstore:DescribeGlobalSecurityIPGroup | DescribeGlobalSecurityIPGroup | get | All Resources: * | None | None |
| kvstore:FlushInstance | FlushInstance | delete | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeSecurityGroupConfiguration | DescribeSecurityGroupConfiguration | get | dbinstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
| kvstore:SwitchInstanceProxy | SwitchInstanceProxy | update | All Resources: * | None | None |
| kvstore:ModifyInstanceSpec | ModifyInstanceSpec | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:LockDBInstanceWrite | LockDBInstanceWrite | update | All Resources: * | None | None |
| kvstore:DescribeParameterGroupSupportParam | DescribeParameterGroupSupportParam | get | All Resources: * | None | None |
| kvstore:DescribeActiveOperationTask | DescribeActiveOperationTask | get | All Resources: * | None | None |
| kvstore:DescribeCacheAnalysisReportList | DescribeCacheAnalysisReportList | get | All Resources: * | None | None |
| kvstore:ModifyAuditLogConfig | ModifyAuditLogConfig | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId} | kvstore:DbAudit | None |
| kvstore:ReleaseInstancePublicConnection | ReleaseInstancePublicConnection | delete | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DeleteParameterGroup | DeleteParameterGroup | delete | All Resources: * | None | None |
| kvstore:ModifyInstanceMaintainTime | ModifyInstanceMaintainTime | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeBackups | DescribeBackups | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeIntranetAttribute | DescribeIntranetAttribute | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:RenewInstance | RenewInstance | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeRoleZoneInfo | DescribeRoleZoneInfo | get | All Resources: * | None | None |
| kvstore:GrantAccountPrivilege | GrantAccountPrivilege | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:CreateInstance | CreateInstance | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/* | kvstore:InstanceClass, kvstore:Appendonly, kvstore:InstanceType | None |
| kvstore:ModifyGlobalSecurityIPGroup | ModifyGlobalSecurityIPGroup | | All Resources: * | None | None |
| kvstore:DescribeInstancesOverview | DescribeInstancesOverview | get | All Resources: * | None | None |
| kvstore:DeleteAccount | DeleteAccount | delete | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DeleteGlobalSecurityIPGroup | DeleteGlobalSecurityIPGroup | | All Resources: * | None | None |
| kvstore:DescribeDedicatedClusterInstanceList | DescribeDedicatedClusterInstanceList | get | All Resources: * | None | None |
| kvstore:DescribeBackupTasks | DescribeBackupTasks | get | All Resources: * | None | None |
| kvstore:DeleteShardingNode | DeleteShardingNode | delete | All Resources: * | None | None |
| kvstore:ModifyAccountDescription | ModifyAccountDescription | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:SyncDtsStatus | SyncDtsStatus | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyInstanceVpcAuthMode | ModifyInstanceVpcAuthMode | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:VpcAuthMode | None |
| kvstore:DescribeBackupPolicy | DescribeBackupPolicy | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyDBInstanceAutoUpgrade | ModifyDBInstanceAutoUpgrade | update | All Resources: * | None | None |
| kvstore:DescribeGlobalDistributeCache | DescribeGlobalDistributeCache | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeSlowLogRecords | DescribeSlowLogRecords | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
| kvstore:ModifyInstanceConfig | ModifyInstanceConfig | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | kvstore:InstanceAofConfig, kvstore:TLSVersion | None |
| kvstore:FlushExpireKeys | FlushExpireKeys | delete | DBInstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
| kvstore:DescribeRunningLogRecords | DescribeRunningLogRecords | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeAccounts | DescribeAccounts | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DeleteInstance | DeleteInstance | delete | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyInstanceMajorVersion | ModifyInstanceMajorVersion | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:FlushInstanceForDB | FlushInstanceForDB | delete | All Resources: * | None | None |
| kvstore:DescribeGlobalSecurityIPGroupRelation | DescribeGlobalSecurityIPGroupRelation | | All Resources: * | None | None |
| kvstore:DescribeInstanceSSL | DescribeInstanceSSL | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeAuditRecords | DescribeAuditRecords | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeAuditLogConfig | DescribeAuditLogConfig | get | All Resources: * | None | None |
| kvstore:DescribeClusterBackupList | DescribeClusterBackupList | get | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyGlobalSecurityIPGroupName | ModifyGlobalSecurityIPGroupName | | All Resources: * | None | None |
| kvstore:ModifySecurityGroupConfiguration | ModifySecurityGroupConfiguration | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} | None | None |
| kvstore:DescribeParameterGroups | DescribeParameterGroups | list | All Resources: * | None | None |
| kvstore:CreateGlobalDistributeCache | CreateGlobalDistributeCache | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:DescribeHistoryTasks | DescribeHistoryTasks | get | All Resources: * | None | None |
| kvstore:ModifyDBInstanceConnectionString | ModifyDBInstanceConnectionString | update | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |
| kvstore:ModifyParameterGroup | ModifyParameterGroup | update | All Resources: * | None | None |
| kvstore:CreateBackup | CreateBackup | create | DBInstance: acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} | None | None |

Resource

Redis defines the values that you can use in the Resource element of a policy statement. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • If {#resourceType} is set to *, all resources are specified.
    • If {#regionId} is set to *, all regions are specified.
    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.
| Resource type | ARN |
|---|---|
| DBInstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId} |
| DBInstance | acs:kvstore:{#regionId}:{#accountId}:instance/* |
| DBInstance | acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId} |
| DBInstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId} |
| dbinstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} |
| DBInstance | acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId} |
| TairInstance | acs:redis:{#regionId}:{#accountId}:tairinstance/{#TairInstanceId} |
| DBInstance | acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId} |

Condition

Redis defines the values that you can use in the Condition element of a policy statement. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Redis. For more information about the common condition keys, see Generic Condition Keyword.
The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
| Condition key | Description | Data type |
|---|---|---|
| kvstore:InstanceClass | The instance type. Example: redis.master.small.default. Value source: the value of the request parameter InstanceClass. | String |
| kvstore:InstanceType | The instance type. When you create a Redis instance, the value is Redis or Memcache. When you create a Tair instance, the value is tair_rdb, tair_scm, or tair_essd. | String |
| kvstore:SSLEnabled | Whether to enable TLS (SSL) encryption. | String |
| kvstore:DbAudit | The enabled status of the audit log. | Boolean |
| kvstore:TDEStatus | Enables Transparent Data Encryption (TDE) for the instance. | String |
| kvstore:VpcAuthMode | The authentication mode for the private network. Open: password authentication is enabled. Close: password authentication is disabled, that is, password-free access is enabled. | String |
| kvstore:InstanceAofConfig | The AOF parameter configuration of the instance. | String |
| kvstore:Appendonly | The AOF configuration of the instance. yes: enable AOF persistence. no: disable AOF persistence. | String |
| kvstore:TLSVersion | The TLS protocol version that is used. | String |
| kvstore:EnableBackupLog | Whether to enable the data flashback feature. 1: enable the data flashback feature. 0: disable the data flashback feature. | String |
| kvstore:ResourceTag | The Redis tag information. It is used in combination with a tag key, in the form kvstore:ResourceTag/<tag-key>. Example: if the tag is team:dev, the condition key and value are "kvstore:ResourceTag/team": "dev". | String |
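
As an added example (not Alibaba Cloud's code), the following Python linter checks policy statements against a subset of the Action, Resource, and Condition tables above: All Resources actions scoped to an ARN, an ARN path that differs from the one listed for the action, condition keys not listed for the action, and operators that do not match the key's data type. The operator names (StringEquals, Bool, and so on) are assumed from the RAM policy language, and the sample policy with its region, account ID, and instance ID is constructed.

```python
import json

# Subset of this page's Action table: action -> (ARN path prefix the page lists,
# or "*" for All Resources; service-specific condition keys listed for it).
ACTIONS = {
    "kvstore:CreateInstance": ("instance/", {
        "kvstore:InstanceClass", "kvstore:Appendonly", "kvstore:InstanceType"}),
    "kvstore:ModifyAuditLogConfig": ("instance/", {"kvstore:DbAudit"}),
    "kvstore:RestartInstance": ("dbinstance/", set()),
    "kvstore:FlushInstanceForDB": ("*", set()),
}
# Data types from this page's Condition table (String except kvstore:DbAudit).
KEY_TYPES = {"kvstore:DbAudit": "Boolean", **dict.fromkeys([
    "kvstore:InstanceClass", "kvstore:InstanceType", "kvstore:SSLEnabled",
    "kvstore:TDEStatus", "kvstore:VpcAuthMode", "kvstore:InstanceAofConfig",
    "kvstore:Appendonly", "kvstore:TLSVersion", "kvstore:EnableBackupLog",
    "kvstore:ResourceTag"], "String")}
# Assumption: operator names as defined by the RAM policy language.
STRING_OPS = {"StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
              "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike"}
OPERATORS = {"String": STRING_OPS, "Boolean": {"Bool"}}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, message) findings for kvstore statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for action in as_list(stmt.get("Action", [])):
            if action not in ACTIONS:
                findings.append((i, f"{action}: not in the copied subset"))
                continue
            prefix, listed_keys = ACTIONS[action]
            for res in as_list(stmt.get("Resource", [])):
                path = res.split(":", 4)[-1]  # part after the account ID
                scoped = res.startswith("acs:kvstore:") and path.startswith((prefix, "*"))
                if prefix == "*" and res != "*":
                    findings.append((i, f"{action}: All Resources only, use Resource *"))
                elif prefix != "*" and res != "*" and not scoped:
                    findings.append((i, f"{action}: page lists {prefix} ARNs, got {res}"))
            for op, keys in stmt.get("Condition", {}).items():
                for key in keys:
                    base = key.split("/", 1)[0]  # kvstore:ResourceTag/<tag-key>
                    if not base.startswith("kvstore:"):
                        continue  # common condition keys are not checked here
                    if base not in listed_keys:
                        findings.append((i, f"{key}: not listed for {action}"))
                    elif op not in OPERATORS[KEY_TYPES[base]]:
                        findings.append((i, f"{key}: {KEY_TYPES[base]} key with {op}"))
    return findings

# Constructed sample policy; region, account ID and instance ID are placeholders.
SAMPLE = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "kvstore:CreateInstance", "Resource": "*",
   "Condition": {"StringEquals": {"kvstore:Appendonly": ["yes"]}}},
  {"Effect": "Deny", "Action": "kvstore:ModifyAuditLogConfig", "Resource": "*",
   "Condition": {"StringEquals": {"kvstore:DbAudit": ["false"]}}},
  {"Effect": "Allow", "Action": ["kvstore:RestartInstance", "kvstore:FlushInstanceForDB"],
   "Resource": "acs:kvstore:cn-hangzhou:123456789012:instance/r-example"}
]}""")

for index, message in lint_policy(SAMPLE):
    print(f"Statement[{index}]: {message}")
```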

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: