RAM authorization - Tair (Redis® OSS-Compatible) - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by Redis. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate Redis is kvstore. You can grant permissions on Redis at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

Redis defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation
kvstore:ModifyInstanceSpec	ModifyInstanceSpec	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ListTagResources	ListTagResources	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/*	None	None
kvstore:ModifySecurityIps	ModifySecurityIps	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyBackupPolicy	ModifyBackupPolicy	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	kvstore:EnableBackupLog	None
kvstore:DescribeEngineVersion	DescribeEngineVersion	get	All Resources *	None	None
kvstore:DescribeAvailableResource	DescribeAvailableResource	get	All Resources *	None	None
kvstore:DescribeBackups	DescribeBackups	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:CheckCloudResourceAuthorized	CheckCloudResourceAuthorized	get	All Resources *	None	None
kvstore:CreateInstance	CreateInstance	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/*	kvstore:InstanceClass kvstore:Appendonly kvstore:InstanceType	None
kvstore:ModifyInstanceTDE	ModifyInstanceTDE	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	kvstore:TDEStatus	None
kvstore:ModifyInstanceVpcAuthMode	ModifyInstanceVpcAuthMode	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	kvstore:VpcAuthMode	None
kvstore:CreateAccount	CreateAccount	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeDBInstanceNetInfo	DescribeDBInstanceNetInfo	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyInstanceMaintainTime	ModifyInstanceMaintainTime	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:SyncDtsStatus	SyncDtsStatus	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeHistoryMonitorValues	DescribeHistoryMonitorValues	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	kvstore:ResourceTag kvstore:ResourceTag kvstore:ResourceTag kvstore:ResourceTag	None
kvstore:CreateTairInstance	CreateTairInstance	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/*	kvstore:InstanceClass kvstore:InstanceType	None
kvstore:DescribeClusterMemberInfo	DescribeClusterMemberInfo	get	All Resources *	None	None
kvstore:ModifyAuditLogConfig	ModifyAuditLogConfig	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId}	kvstore:DbAudit	None
kvstore:CreateCacheAnalysisTask	CreateCacheAnalysisTask	create	All Resources *	None	None
kvstore:TransformInstanceChargeType	TransformInstanceChargeType	update	All Resources *	None	None
kvstore:DescribeEncryptionKey	DescribeEncryptionKey	get	All Resources *	None	None
kvstore:DescribeParameterGroupSupportParam	DescribeParameterGroupSupportParam	get	All Resources *	None	None
kvstore:ModifyInstanceSSL	ModifyInstanceSSL	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	kvstore:SSLEnabled	None
kvstore:DescribeParameterGroup	DescribeParameterGroup	get	All Resources *	None	None
kvstore:DescribeParameterTemplates	DescribeParameterTemplates	get	All Resources *	None	None
kvstore:ModifyInstanceMajorVersion	ModifyInstanceMajorVersion	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeCacheAnalysisReport	DescribeCacheAnalysisReport	get	dbinstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}	None	None
kvstore:AllocateDirectConnection	AllocateDirectConnection	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:SwitchInstanceProxy	SwitchInstanceProxy	update	All Resources *	None	None
kvstore:FlushInstance	FlushInstance	delete	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeLogicInstanceTopology	DescribeLogicInstanceTopology	get	All Resources *	None	None
kvstore:RemoveSubInstance	RemoveSubInstance	update	All Resources *	None	None
kvstore:DescribeParameterModificationHistory	DescribeParameterModificationHistory	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
kvstore:ModifyActiveOperationTask	ModifyActiveOperationTask	update	All Resources *	None	None
kvstore:DescribeInstanceAttribute	DescribeInstanceAttribute	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:CreateInstances	CreateInstances	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/*	kvstore:InstanceClass kvstore:InstanceType kvstore:Appendonly	None
kvstore:SwitchNetwork	SwitchNetwork	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyInstanceConfig	ModifyInstanceConfig	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	kvstore:InstanceAofConfig kvstore:TLSVersion	None
kvstore:DescribeAuditLogConfig	DescribeAuditLogConfig	get	All Resources *	None	None
kvstore:AddShardingNode	AddShardingNode	create	All Resources *	None	None
kvstore:ModifyAccountPassword	ModifyAccountPassword	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeSlowLogRecords	DescribeSlowLogRecords	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}	None	None
kvstore:ModifyDBInstanceConnectionString	ModifyDBInstanceConnectionString	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeInstanceTDEStatus	DescribeInstanceTDEStatus	get	All Resources *	None	None
kvstore:CreateGlobalDistributeCache	CreateGlobalDistributeCache	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeTasks	DescribeTasks	get	All Resources *	None	None
kvstore:DescribeBackupTasks	DescribeBackupTasks	get	All Resources *	None	None
kvstore:DescribeInstanceConfig	DescribeInstanceConfig	get	All Resources *	None	None
kvstore:DeleteAccount	DeleteAccount	delete	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeInstanceSSL	DescribeInstanceSSL	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyParameterGroup	ModifyParameterGroup	update	All Resources *	None	None
kvstore:ResetAccountPassword	ResetAccountPassword	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ReleaseInstancePublicConnection	ReleaseInstancePublicConnection	delete	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeSecurityIps	DescribeSecurityIps	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DeleteInstance	DeleteInstance	delete	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyGlobalSecurityIPGroup	ModifyGlobalSecurityIPGroup		All Resources *	None	None
kvstore:SwitchInstanceHA	SwitchInstanceHA	update	All Resources *	None	None
kvstore:ModifyIntranetAttribute	ModifyIntranetAttribute	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeAuditRecords	DescribeAuditRecords	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:CreateGlobalSecurityIPGroup	CreateGlobalSecurityIPGroup		All Resources *	None	None
kvstore:AllocateInstancePublicConnection	AllocateInstancePublicConnection	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeGlobalDistributeCache	DescribeGlobalDistributeCache	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeAccounts	DescribeAccounts	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyInstanceBandwidth	ModifyInstanceBandwidth	update	All Resources *	None	None
kvstore:ModifySecurityGroupConfiguration	ModifySecurityGroupConfiguration	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}	None	None
kvstore:DescribeRoleZoneInfo	DescribeRoleZoneInfo	get	All Resources *	None	None
kvstore:DescribeParameterGroups	DescribeParameterGroups	list	All Resources *	None	None
kvstore:DescribeParameters	DescribeParameters	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	None	None
kvstore:EnableAdditionalBandwidth	EnableAdditionalBandwidth	update	All Resources *	None	None
kvstore:DescribeIntranetAttribute	DescribeIntranetAttribute	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:CreateBackup	CreateBackup	create	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyGlobalSecurityIPGroupName	ModifyGlobalSecurityIPGroupName		All Resources *	None	None
kvstore:UnlockDBInstanceWrite	UnlockDBInstanceWrite	update	All Resources *	None	None
kvstore:DescribeGlobalSecurityIPGroup	DescribeGlobalSecurityIPGroup	get	All Resources *	None	None
kvstore:DescribeSecurityGroupConfiguration	DescribeSecurityGroupConfiguration	get	dbinstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}	None	None
kvstore:InitializeKvstorePermission	InitializeKvstorePermission	create	All Resources *	None	None
kvstore:DescribePrice	DescribePrice	get	All Resources *	None	None
kvstore:RenewInstance	RenewInstance	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyInstanceAttribute	ModifyInstanceAttribute	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeMonitorItems	DescribeMonitorItems	get	All Resources *	None	None
kvstore:DescribeInstances	DescribeInstances	list	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/* DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ReleaseDirectConnection	ReleaseDirectConnection	delete	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeInstancesOverview	DescribeInstancesOverview	get	All Resources *	None	None
kvstore:DescribeHistoryTasks	DescribeHistoryTasks	get	All Resources *	None	None
kvstore:ModifyGlobalSecurityIPGroupRelation	ModifyGlobalSecurityIPGroupRelation		All Resources *	None	None
kvstore:MigrateToOtherZone	MigrateToOtherZone	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DeleteShardingNode	DeleteShardingNode	delete	All Resources *	None	None
kvstore:UntagResources	UntagResources	delete	All Resources *	None	None
kvstore:DescribeDedicatedClusterInstanceList	DescribeDedicatedClusterInstanceList	get	All Resources *	None	None
kvstore:ModifyResourceGroup	ModifyResourceGroup	update	All Resources *	None	None
kvstore:DeleteGlobalSecurityIPGroup	DeleteGlobalSecurityIPGroup		All Resources *	None	None
kvstore:DescribeEncryptionKeyList	DescribeEncryptionKeyList	get	All Resources *	None	None
kvstore:ModifyInstanceNetExpireTime	ModifyInstanceNetExpireTime	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:ModifyDBInstanceAutoUpgrade	ModifyDBInstanceAutoUpgrade	update	All Resources *	None	None
kvstore:GrantAccountPrivilege	GrantAccountPrivilege	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeCacheAnalysisReportList	DescribeCacheAnalysisReportList	get	All Resources *	None	None
kvstore:LockDBInstanceWrite	LockDBInstanceWrite	update	All Resources *	None	None
kvstore:DescribeParameterGroupTemplateList	DescribeParameterGroupTemplateList	list	All Resources *	None	None
kvstore:RenewAdditionalBandwidth	RenewAdditionalBandwidth	update	All Resources *	None	None
kvstore:DescribeClusterBackupList	DescribeClusterBackupList	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeInstanceAutoRenewalAttribute	DescribeInstanceAutoRenewalAttribute	get	All Resources *	None	None
kvstore:TagResources	TagResources	create	All Resources *	None	None
kvstore:RestoreInstance	RestoreInstance	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DeleteParameterGroup	DeleteParameterGroup	delete	All Resources *	None	None
kvstore:ModifyInstanceMinorVersion	ModifyInstanceMinorVersion	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeRunningLogRecords	DescribeRunningLogRecords	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeBackupPolicy	DescribeBackupPolicy	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:DescribeActiveOperationTask	DescribeActiveOperationTask	get	All Resources *	None	None
kvstore:DescribeGlobalSecurityIPGroupRelation	DescribeGlobalSecurityIPGroupRelation		All Resources *	None	None
kvstore:FlushInstanceForDB	FlushInstanceForDB	delete	All Resources *	None	None
kvstore:TransformToPrePaid	TransformToPrePaid	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:RestartInstance	RestartInstance	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}	None	None
kvstore:DescribeDBNodeDirectVipInfo	DescribeDBNodeDirectVipInfo	get	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None
kvstore:FlushExpireKeys	FlushExpireKeys	delete	DBInstance acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}	None	None
kvstore:ModifyAccountDescription	ModifyAccountDescription	update	DBInstance acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}	None	None

Resource

Redis defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN
DBInstance	acs:kvstore:{#regionId}:{#accountId}:instance/{#instanceId}
DBInstance	acs:kvstore:{#regionId}:{#accountId}:instance/*
DBInstance	acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}
DBInstance	acs:kvstore:{#regionId}:{#accountId}:instance/{#InstanceId}
dbinstance	acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
DBInstance	acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}
DBInstance	acs:kvstore:{#regionId}:{#accountId}:dbinstance/{#dbInstanceId}
TairInstance	acs:redis:{#regionId}:{#accountId}:tairinstance/{#TairInstanceId}

Condition

Redis defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to Redis. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type
kvstore:InstanceClass	The instance type. Example: redis.master.small.default. Value Source: the value of the request parameter InstanceClass.	String
kvstore:InstanceType	The instance type. When creating a Redis instance, the value is Redis or Memcache. When creating a Tair instance, the value is tair_rdb, tair_scm, or tair_essd.	String
kvstore:SSLEnabled	Whether to enable TLS (SSL) encryption	String
kvstore:DbAudit	Audit log enabled status	Boolean
kvstore:TDEStatus	Enable Transparent Data Encryption (TDE) for the instance	String
kvstore:VpcAuthMode	In the authentication mode of a private network, Open: Passed password authentication; Close: Disable password authentication, that is, enable password-free access.	String
kvstore:InstanceAofConfig	Instance AOF parameter configuration	String
kvstore:Appendonly	For instance AOF configuration, yes to enable AOF persistence; no to disable AOF persistence	String
kvstore:TLSVersion	TLS protocol version used	String
kvstore:EnableBackupLog	Enable data flashback feature, 1: Enable data flashback feature; 0: Disable data flashback feature	String
kvstore:ResourceTag	Redis tag information, it is used in combination with tag key, kvstore:ResourceTag/<tag-key>. Example: Assuming the tag is team:dev, the condition key and value are "kvstore:ResourceTag/team": "dev"	String

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: