RAM authorization-AnalyticDB(AnalyticDB)-阿里云帮助中心

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by AnalyticDB for PostgreSQL for RAM permission policies. The RAM code (RamCode) for AnalyticDB for PostgreSQL is gpdb , and the supported authorization granularity is RESOURCE .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by AnalyticDB for PostgreSQL. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
gpdb:CreateSecret	CreateSecret	create	All Resource ``	None	None
gpdb:CreateExtensions	CreateExtensions	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ResetAccountPassword	ResetAccountPassword	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateModelService	CreateModelService	create	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyAccountDescription	ModifyAccountDescription	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeZonesPrivateRAGService	DescribeZonesPrivateRAGService	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateDBInstancePlan	CreateDBInstancePlan	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:InitVectorDatabase	InitVectorDatabase	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyJDBCDataSource	ModifyJDBCDataSource	update	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateBackup	CreateBackup	create	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateAccount	CreateAccount	create	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DownloadDiagnosisRecords	DownloadDiagnosisRecords	none	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListNamespaces	ListNamespaces	create	*Namespace `acs:gpdb:{#regionId}:{#accountId}:namespace/{#DBInstanceId}`	None	None
gpdb:ModifySecurityIps	ModifySecurityIps	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ReleaseInstancePublicConnection	ReleaseInstancePublicConnection	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListSlowSQLRecords	ListSlowSQLRecords	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteNamespace	DeleteNamespace	create	Namespace `acs:gpdb:{#regionId}:{#accountId}:namespace/{#DBInstanceId}`	None	None
gpdb:TextEmbedding	TextEmbedding	none	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceSupportMaxPerformance	DescribeDBInstanceSupportMaxPerformance	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceResourceGroup	ModifyDBInstanceResourceGroup	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyMasterSpec	ModifyMasterSpec	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListIndices	ListIndices	get	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeAccounts	DescribeAccounts	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DownloadSlowSQLRecords	DownloadSlowSQLRecords	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstancePerformance	DescribeDBInstancePerformance	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeCreateIndexJob	DescribeCreateIndexJob	get	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:CreateServiceLinkedRole	CreateServiceLinkedRole	create	All Resource ``	None	None
gpdb:CancelCreateIndexJob	CancelCreateIndexJob	update	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:UpdateCollectionDataMetadata	UpdateCollectionDataMetadata	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:CreateAIService	CreateAIService	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateVectorIndex	CreateVectorIndex	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceConnectionString	ModifyDBInstanceConnectionString	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UpsertCollectionData	UpsertCollectionData	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeDBClusterNode	DescribeDBClusterNode	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyCollection	ModifyCollection	update	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DeleteCollection	DeleteCollection	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstances	DescribeDBInstances	get	DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/`	None	None
gpdb:CreateSupabaseProject	CreateSupabaseProject	create	SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/`	None	None
gpdb:DescribeWaitingSQLRecords	DescribeWaitingSQLRecords	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ResumeDataRedistribute	ResumeDataRedistribute	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeActiveSQLRecords	DescribeActiveSQLRecords	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteJDBCDataSource	DeleteJDBCDataSource	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeRoles	DescribeRoles	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:QueryContent	QueryContent	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:ListInstanceDatabases	ListInstanceDatabases	list	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeHadoopDataSource	DescribeHadoopDataSource	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyParameters	ModifyParameters	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateJDBCDataSource	CreateJDBCDataSource	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyAIServiceSecurityIps	ModifyAIServiceSecurityIps	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyHadoopDataSource	ModifyHadoopDataSource	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceNetInfo	DescribeDBInstanceNetInfo	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyVectorConfiguration	ModifyVectorConfiguration	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:DeleteRemoteADBDataSource	DeleteRemoteADBDataSource	delete	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeExtension	DescribeExtension	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceDiagnosisSummary	DescribeDBInstanceDiagnosisSummary	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:BindDBResourceGroupWithRole	BindDBResourceGroupWithRole	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateDBInstanceIPArray	CreateDBInstanceIPArray	create	All Resource ``	None	None
gpdb:DescribeDBResourceGroup	DescribeDBResourceGroup	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateDatabase	CreateDatabase	create	All Resource ``	None	None
gpdb:ListStreamingDataServices	ListStreamingDataServices	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UnloadSampleData	UnloadSampleData	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ResetIMVMonitorData	ResetIMVMonitorData	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeHadoopClustersInSameNet	DescribeHadoopClustersInSameNet	list	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeSQLLogsV2	DescribeSQLLogsV2	get	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteDBResourceGroup	DeleteDBResourceGroup	delete	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeStreamingJob	DescribeStreamingJob	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListCollections	ListCollections	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:CreateSampleData	CreateSampleData	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteStreamingJob	DeleteStreamingJob	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeTags	DescribeTags	get	DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/`	None	None
gpdb:DescribeDiagnosisDimensions	DescribeDiagnosisDimensions	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyStreamingDataSource	ModifyStreamingDataSource	update	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeExternalDataService	DescribeExternalDataService	get	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListSupportModels	ListSupportModels	get	All Resource ``	None	None
gpdb:DescribeStreamingDataService	DescribeStreamingDataService	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstancePayType	ModifyDBInstancePayType	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeNamespace	DescribeNamespace	create	*Namespace `acs:gpdb:{#regionId}:{#accountId}:namespace/{#DBInstanceId}`	None	None
gpdb:ListStreamingJobs	ListStreamingJobs	delete	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CheckHadoopNetConnection	CheckHadoopNetConnection	none	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListSecrets	ListSecrets	list	All Resource ``	None	None
gpdb:CreateRemoteADBDataSource	CreateRemoteADBDataSource	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceIPArrayList	DescribeDBInstanceIPArrayList	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifySQLCollectorPolicy	ModifySQLCollectorPolicy	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeployPrivateRAGService	DeployPrivateRAGService	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ExecuteStatement	ExecuteStatement	create	All Resource ``	None	None
gpdb:CloneDBInstance	CloneDBInstance	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateStreamingDataSource	CreateStreamingDataSource	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListSchemas	ListSchemas	list	All Resource ``	None	None
gpdb:ResumeInstance	ResumeInstance	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UpsertChunks	UpsertChunks	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:Rerank	Rerank	list	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UpdateDBInstancePlan	UpdateDBInstancePlan	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:ModifySupabaseProjectResource	ModifySupabaseProjectResource	update	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:ListSupabaseProjects	ListSupabaseProjects	list	SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/`	None	None
gpdb:DescribeDatabase	DescribeDatabase	get	All Resource ``	None	None
gpdb:DescribeDataShareInstances	DescribeDataShareInstances	get	All Resource ``	None	None
gpdb:DescribeDiagnosisMonitorPerformance	DescribeDiagnosisMonitorPerformance	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListAINodePools	ListAINodePools	get	All Resource ``	None	None
gpdb:DescribeRebalanceStatus	DescribeRebalanceStatus	get	All Resource ``	None	None
gpdb:EnableDBResourceGroup	EnableDBResourceGroup	create	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeSampleData	DescribeSampleData	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeCollection	DescribeCollection	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DeleteHadoopDataSource	DeleteHadoopDataSource	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetSupabaseProject	GetSupabaseProject	get	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:DeleteAccount	DeleteAccount	none	All Resource ``	None	None
gpdb:DeleteDBInstance	DeleteDBInstance	delete	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceIndexUsage	DescribeDBInstanceIndexUsage	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListExternalDataSources	ListExternalDataSources	list	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetSupabaseProjectApiKeys	GetSupabaseProjectApiKeys	get	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:DownloadSQLLogsRecords	DownloadSQLLogsRecords	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:CreateExternalDataService	CreateExternalDataService	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UpsertCollectionDataAsync	UpsertCollectionDataAsync	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:TagResources	TagResources	update	All Resource ``	None	None
gpdb:DescribeIMVInfos	DescribeIMVInfos	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:PauseInstance	PauseInstance	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteDocument	DeleteDocument	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:ListInstanceExtensions	ListInstanceExtensions	list	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBClusterPerformance	DescribeDBClusterPerformance	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListExternalDataServices	ListExternalDataServices	list	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteStreamingDataSource	DeleteStreamingDataSource	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListBackupJobs	ListBackupJobs	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateHadoopDataSource	CreateHadoopDataSource	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteDocumentCollection	DeleteDocumentCollection	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:CheckJDBCSourceNetConnection	CheckJDBCSourceNetConnection	none	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteSupabaseProject	DeleteSupabaseProject	delete	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:GetGraphRAGJob	GetGraphRAGJob	get	All Resource ``	None	None
gpdb:RestartDBInstance	RestartDBInstance	none	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeUserEncryptionKeyList	DescribeUserEncryptionKeyList	get	All Resource ``	None	None
gpdb:SetDataShareInstance	SetDataShareInstance	update	All Resource ``	None	None
gpdb:DescribeDBInstanceSSL	DescribeDBInstanceSSL	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UpgradeDBVersion	UpgradeDBVersion	update	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetAccount	GetAccount	get	All Resource ``	None	None
gpdb:ListDocumentCollections	ListDocumentCollections	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:CreateDocumentCollection	CreateDocumentCollection	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:ModifyStreamingJob	ModifyStreamingJob	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListStreamingDataSources	ListStreamingDataSources	list	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeHealthStatus	DescribeHealthStatus	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListRemoteADBDataSources	ListRemoteADBDataSources	list	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListTagResources	ListTagResources	get	DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/`	None	None
gpdb:ChatWithKnowledgeBaseStream	ChatWithKnowledgeBaseStream	get	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ChatWithKnowledgeBase	ChatWithKnowledgeBase	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteAINode	DeleteAINode	update	All Resource ``	None	None
gpdb:ResetSupabaseProjectPassword	ResetSupabaseProjectPassword	update	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:DeleteDatabase	DeleteDatabase	delete	All Resource ``	None	None
gpdb:ListDocuments	ListDocuments	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:DescribeSQLLogs	DescribeSQLLogs	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDownloadSQLLogs	DescribeDownloadSQLLogs	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:DescribeDBInstanceAttribute	DescribeDBInstanceAttribute	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBResourceManagementMode	DescribeDBResourceManagementMode	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteBackup	DeleteBackup	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListDatabases	ListDatabases	list	All Resource ``	None	None
gpdb:DescribeBackupJob	DescribeBackupJob	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeStreamingDataSource	DescribeStreamingDataSource	get	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceSSL	ModifyDBInstanceSSL	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteVectorIndex	DeleteVectorIndex	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeAvailableResources	DescribeAvailableResources	get	All Resource ``	None	None
gpdb:ModifyDBInstanceDescription	ModifyDBInstanceDescription	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteStreamingDataService	DeleteStreamingDataService	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:HandleActiveSQLRecord	HandleActiveSQLRecord	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CancelUploadDocumentJob	CancelUploadDocumentJob	update	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:DeleteModelService	DeleteModelService	delete	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDataBackups	DescribeDataBackups	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:QueryCollectionData	QueryCollectionData	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeModelService	DescribeModelService	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateNamespace	CreateNamespace	create	*Namespace `acs:gpdb:{#regionId}:{#accountId}:namespace/{#DBInstanceId}`	None	None
gpdb:DescribeDataReDistributeInfo	DescribeDataReDistributeInfo	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:PauseSupabaseProject	PauseSupabaseProject	update	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:DeleteSecret	DeleteSecret	delete	All Resource ``	None	None
gpdb:DescribeDBInstanceDataSkew	DescribeDBInstanceDataSkew	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeletePrivateRAGService	DeletePrivateRAGService	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteDBInstancePlan	DeleteDBInstancePlan	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:RebalanceDBInstance	RebalanceDBInstance	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:CreateIndex	CreateIndex	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:UploadDocumentAsync	UploadDocumentAsync	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:ModifyStreamingDataService	ModifyStreamingDataService	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeModifyParameterLog	DescribeModifyParameterLog	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceNetworkType	ModifyDBInstanceNetworkType	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteCollectionData	DeleteCollectionData	delete	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:ModifyDBResourceGroup	ModifyDBResourceGroup	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeJDBCDataSource	DescribeJDBCDataSource	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateStreamingJob	CreateStreamingJob	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDownloadRecords	DescribeDownloadRecords	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GrantCollection	GrantCollection	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceMaintainTime	ModifyDBInstanceMaintainTime	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeHadoopConfigs	DescribeHadoopConfigs	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteExternalDataService	DeleteExternalDataService	delete	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CheckServiceLinkedRole	CheckServiceLinkedRole	get	All Resource ``	None	None
gpdb:GetSupabaseProjectDashboardAccount	GetSupabaseProjectDashboardAccount	get	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:UntagResources	UntagResources	update	All Resource ``	None	None
gpdb:ListDatabaseExtensions	ListDatabaseExtensions	list	All Resource ``	None	None
gpdb:DescribeWaitingSQLInfo	DescribeWaitingSQLInfo	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDocument	DescribeDocument	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:AllocateInstancePublicConnection	AllocateInstancePublicConnection	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeIndex	DescribeIndex	get	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceErrorLog	DescribeDBInstanceErrorLog	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeTable	DescribeTable	get	All Resource ``	None	None
gpdb:ListAIServices	ListAIServices	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyBackupPolicy	ModifyBackupPolicy	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:PauseDataRedistribute	PauseDataRedistribute	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyExternalDataService	ModifyExternalDataService	update	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeRdsVpcs	DescribeRdsVpcs	get	All Resource ``	None	None
gpdb:ModifySupabaseProjectSecurityIps	ModifySupabaseProjectSecurityIps	update	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:ListTables	ListTables	list	All Resource ``	None	None
gpdb:DescribeParameters	DescribeParameters	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceConfig	ModifyDBInstanceConfig	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:DescribeSupportFeatures	DescribeSupportFeatures	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDataSharePerformance	DescribeDataSharePerformance	get	All Resource ``	None	None
gpdb:DeleteDBInstanceIPArray	DeleteDBInstanceIPArray	delete	All Resource ``	None	None
gpdb:CreateCollection	CreateCollection	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:ModifyDBInstanceDeploymentMode	ModifyDBInstanceDeploymentMode	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeBackupPolicy	DescribeBackupPolicy	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:SwitchDBInstanceNetType	SwitchDBInstanceNetType	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteAIService	DeleteAIService	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateDBResourceGroup	CreateDBResourceGroup	create	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UnbindDBResourceGroupWithRole	UnbindDBResourceGroupWithRole	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetStatementResult	GetStatementResult	get	All Resource ``	None	None
gpdb:DescribeDiagnosisRecords	DescribeDiagnosisRecords	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:AddAINode	AddAINode	update	All Resource ``	None	None
gpdb:DescribeSQLLogCount	DescribeSQLLogCount	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:QueryKnowledgeBasesContent	QueryKnowledgeBasesContent	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:DescribeRdsVSwitchs	DescribeRdsVSwitchs	get	All Resource ``	None	None
gpdb:SetDBInstancePlanStatus	SetDBInstancePlanStatus	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:CreateStreamingDataService	CreateStreamingDataService	create	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteIndex	DeleteIndex	delete	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:UpgradeExtensions	UpgradeExtensions	update	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstanceDataBloat	DescribeDBInstanceDataBloat	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetSecretValue	GetSecretValue	get	All Resource ``	None	None
gpdb:CancelUpsertCollectionDataJob	CancelUpsertCollectionDataJob	create	*Document `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeDiagnosisSQLInfo	DescribeDiagnosisSQLInfo	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribePrivateRAGService	DescribePrivateRAGService	get	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DescribeLogBackups	DescribeLogBackups	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DeleteExtension	DeleteExtension	delete	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:CreateDBInstance	CreateDBInstance	create	DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/`	gpdb:EncryptionType gpdb:SSLEnabled	None
gpdb:DescribeAIService	DescribeAIService	update	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetUpsertCollectionDataJob	GetUpsertCollectionDataJob	create	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:DescribeDBInstancePlans	DescribeDBInstancePlans	get	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#dbinstanceId}`	None	None
gpdb:ModifySupabaseAutoScalePolicy	ModifySupabaseAutoScalePolicy	update	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:ModifyRemoteADBDataSource	ModifyRemoteADBDataSource	update	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:DisableDBResourceGroup	DisableDBResourceGroup	delete	DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:UpgradeDBInstance	UpgradeDBInstance	update	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:GetUploadDocumentJob	GetUploadDocumentJob	create	*Document `acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId}`	None	None
gpdb:DescribeDBVersionInfos	DescribeDBVersionInfos	get	All Resource ``	None	None
gpdb:EnableCollectionGraphRAG	EnableCollectionGraphRAG	update	*Collection `acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}`	None	None
gpdb:ResumeSupabaseProject	ResumeSupabaseProject	update	*SupabaseProject `acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}`	None	None
gpdb:CheckHadoopDataSource	CheckHadoopDataSource	none	*DBInstance `acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId}`	None	None
gpdb:ListModelServices	ListModelServices	get	*DBInstance `acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId}`	None	None

Resource

The following table lists the resources defined by AnalyticDB for PostgreSQL. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type	ARN
Secret	acs:gpdb:{#regionId}:{#accountId}:secret/*
DBInstance	acs:gpdb:{#regionId}:{#accountId}:dbinstance/{#DBInstanceId} acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId} acs:gpdb::{#accountId}:dbinstance/{#DBInstanceId} acs:gpdb:{#regionId}:{#accountId}:dbinstance/
Namespace	acs:gpdb:{#regionId}:{#accountId}:namespace/{#DBInstanceId}
Collection	acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}
SupabaseProject	acs:gpdb:{#regionId}:{#accountId}:supabaseproject/* acs:gpdb:{#regionId}:{#accountId}:supabaseproject/{#ProjectId}
Document	acs:gpdb:{#regionId}:{#accountId}:document/{#DBInstanceId} acs:gpdb:{#regionId}:{#accountId}:instance/{#DBInstanceId}/document/{#Document} acs:gpdb:{#regionId}:{#accountId}:collection/{#DBInstanceId}
DataAPI	acs:gpdb:{#regionId}:{#accountId}:dataapi/*
dbInstance	acs:gpdb:{#regionId}:{#accountId}:dbInstance/*

Condition

The following table lists the product-level condition keys defined by AnalyticDB for PostgreSQL. You can also use Alibaba Cloud's Common condition keys. Specify these keys in the Condition element of RAM policy statements to define granular authorization rules. In the condition key, specify the condition values in the Condition_value element of the policy.

Each condition key has a specific data type, such as string, number, Boolean, or IP address. The data type determines which conditional operators can be used to compare the request values against policy values. You must specify the conditional operators compatible with the data type of the condition key. Mismatched operators will invalidate the policy. See Condition operator for valid combinations.

Condition key	Description	Data type
gpdb:EncryptionType	The encryption type. Off: Do not enable encryption; CloudDisk: Enable cloud disk encryption and specify the key through the EncryptionKey parameter	String
gpdb:SSLEnabled	SSL Encryption Status	String
gpdb:EnableSSL	Whether to enable SSL	Boolean

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: