You can use resource groups with RAM to implement resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic explains how RDS supports resource groups and describes how to configure resource group-level authorization.
- Resource group-level authorization applies only to resource types that support resource groups and actions that allow for resource group-level authorization.
- For resource types that do not support resource groups, permissions granted at the resource group scope are ineffective. Instead, you must select Account as the resource scope to grant account-level authorization. For more information, see Actions that do not support resource group-level authorization.
Resource group authorization
You can use resource groups to organize resources within your Alibaba Cloud account. For example, you can create a dedicated resource group for each project and move resources into it for centralized management. For more information, see What is a resource group?.
After you group your resources, you can grant permissions to different RAM principals, such as RAM users, RAM user groups, or RAM roles, that are scoped to a specific resource group. This restricts the principal to managing only the resources within that resource group. For more information, see Resource grouping and authorization.
This authorization approach provides the following advantages:
- Fine-grained permissions: Ensures that each identity is granted only the specific resource access permissions it needs. This isolates resource management for different projects within the same account.
- Scalability: When you add new resources, you only need to add them to the resource group. RAM principals automatically gain the necessary permissions for these new resources, eliminating the need to grant permissions again.
Grant resource group permissions to a RAM user
This topic shows you how to grant a RAM user permissions on RDS resources in a specified resource group.
1. Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and transfer existing resources to it. For more information, see Create a resource group, automatic resource transfer, and manual resource transfer.
2. Grant resource group-level permissions
Use either of the following methods to grant permissions at the resource group level.
Method 1: Resource Management console
Use the permission management feature of a resource group to grant permissions to a RAM user. For detailed instructions, see Grant permissions to a RAM identity on resources in a resource group.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group, and in the actions column, click permission management.
- On the permission management tab, click add permission.
- In the add permission panel, configure the principal and permission policy.
  - principal: Select an existing RAM user.
  - permission policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.
- Click OK.
Method 2: RAM console
Use the RAM console to grant resource group-level permissions to a specified RAM user. For detailed instructions, see Manage permissions for a RAM user.
- Log on to the RAM console with your Alibaba Cloud account (root account) or as a RAM administrator.
- In the left-side navigation pane, choose . On the user page, find the target RAM user, and in the actions column, click add permission.
- In the add permission panel, grant permissions to the RAM user.
  - resource scope: Select resource group level.
  - principal: Select an existing RAM user or the RAM user you created earlier.
  - permission policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.
- Click OK.
Supported resource types
ApsaraDB RDS supports resource groups for the following resource types:
| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| ApsaraDB RDS | rds | instance |
For resource types that are not supported by resource groups, you can submit feedback in the Resource Group Console.

Actions without resource group-level authorization
The following ApsaraDB RDS actions do not support resource group-level authorization:
| Action | Description |
| --- | --- |
| rds:AcceptRCInquiredSystemEvent | - |
| rds:AssociateEipAddressWithRCInstance | Associates an Elastic IP Address (EIP) with an RDS Custom instance. |
| rds:AttachRCDisk | Attaches a pay-as-you-go data disk or a system disk to an RDS Custom instance. The instance and the disk must be in the same Availability Zone. |
| rds:AttachRCInstances | Adds an RDS Custom instance to an ACK cluster. |
| rds:AttachRCInstancesToNodePool | - |
| rds:AuthorizeBackupEncryption | - |
| rds:AuthorizeRCSecurityGroupPermission | Adds a rule to a specified security group. |
| rds:BatchExecuteStatement | - |
| rds:BeginTransaction | - |
| rds:CancelActiveOperationTasks | - |
| rds:CheckBackupEncryptionAuthorized | - |
| rds:CheckCreateDdrDBInstance | Checks if an RDS instance can be restored across regions by using a cross-region backup set. |
| rds:CheckRdsCustomInit | - |
| rds:CheckUserIfAuthoriseMyBaseSystemRole | - |
| rds:CloneDBInstanceForSecurity | - |
| rds:CloneParameterGroup | Copies an RDS parameter template to the current region or another region. |
| rds:CommitTransaction | - |
| rds:ConfirmNotify | Confirms a carousel message in the RDS console for the main account. |
| rds:CreateDBInstances | - |
| rds:CreateDdrInstance | Restores data to a new instance across regions. |
| rds:CreateDedicatedHost | - |
| rds:CreateDedicatedHostAccount | - |
| rds:CreateDedicatedHostGroup | - |
| rds:CreateGADInstance | Creates an RDS Global Active Database cluster. |
| rds:CreateGadInstanceMember | Adds a node to an RDS Global Active Database cluster. |
| rds:CreateMigrationTask | - |
| rds:CreateMyBase | - |
| rds:CreateOrderForResourcePack | - |
| rds:CreateRCClusterNodePool | - |
| rds:CreateRCDeploymentSet | - |
| rds:CreateRCImage | - |
| rds:CreateRCNodePool | Creates an edge node pool in an ACK Edge cluster for RDS Custom. |
| rds:CreateRCVCluster | - |
| rds:CreateServiceLinkedRole | Creates a service-linked role (SLR). |
| rds:CreateYaoChiAgentSession | - |
| rds:CreateYouhuiForOrder | Claims a coupon. |
| rds:Delete | - |
| rds:DeleteDedicatedHostAccount | - |
| rds:DeleteDedicatedHostGroup | - |
| rds:DeleteGadInstance | Deletes an RDS Global Active Database cluster. |
| rds:DeleteParameterGroup | Deletes an RDS parameter template. |
| rds:DeleteRCClusterNodePool | - |
| rds:DeleteRCClusterNodes | Deletes RDS Custom nodes from an ACK cluster. |
| rds:DeleteRCDeploymentSet | Deletes an RDS Custom deployment set. You can specify parameters such as |
| rds:DeleteRCInstanceTimedScheduleTask | - |
| rds:DeleteRCNodePool | - |
| rds:DeleteRCVCluster | - |
| rds:DeleteSecret | Deletes user credentials for the Data API. |
| rds:DeleteUserBackupFile | Deletes a specified user backup of an RDS for MySQL instance. |
| rds:DescibeImportsFromDatabase | Lists instance migration statuses. |
| rds:DescribeAccountCompleteProgress | - |
| rds:DescribeActionEventPolicy | Checks if the historical events feature is enabled for RDS. |
| rds:DescribeActiveOperationMaintainConf | - |
| rds:DescribeActiveOperationTask | - |
| rds:DescribeActiveOperationTaskType | - |
| rds:DescribeActiveOperationTasks | Retrieves details of scheduled O&M tasks for an RDS instance. |
| rds:DescribeApplyResource | - |
| rds:DescribeAvailableCrossRegion | Lists the destination regions available for cross-region backups. |
| rds:DescribeAvailableDedicatedHostZones | - |
| rds:DescribeAvailableInstanceClass | - |
| rds:DescribeAvailableRecoveryTime | Retrieves the time range within which you can restore data from a cross-region backup set. |
| rds:DescribeAvailableResource | - |
| rds:DescribeBatchTask | - |
| rds:DescribeClassList | - |
| rds:DescribeControlEventConfig | - |
| rds:DescribeCrossBackupMetaList | Retrieves database and table information from a cross-region backup of an RDS instance. |
| rds:DescribeDBInstancePerformanceDup | - |
| rds:DescribeDBInstancePromoteActivity | This API operation is deprecated. It can be called but is no longer maintained. |
| rds:DescribeDBInstanceUpgradeActivity | - |
| rds:DescribeDBInstancesByExpireTime | Lists subscription RDS instances based on their expiration date. |
| rds:DescribeDbInstances | - |
| rds:DescribeDedicatedHostAttribute | - |
| rds:DescribeDedicatedHostByTags | - |
| rds:DescribeDedicatedHostDisks | - |
| rds:DescribeDedicatedHostDistribution | - |
| rds:DescribeDedicatedHostGroups | Lists RDS dedicated host groups. |
| rds:DescribeDedicatedHostMetric | - |
| rds:DescribeDedicatedHostTags | - |
| rds:DescribeDedicatedHosts | Lists hosts in a dedicated host group. |
| rds:DescribeDedicatedInstanceDistribution | - |
| rds:DescribeDtsJob | - |
| rds:DescribeEncryptionKeyList | - |
| rds:DescribeEvaluateDedicatedHosts | - |
| rds:DescribeEventMetaInfo | - |
| rds:DescribeEvents | Lists RDS historical event records. |
| rds:DescribeFCTrigger | - |
| rds:DescribeGetScene | - |
| rds:DescribeHistoryEventsStat | Retrieves statistics on historical events from the event center. |
| rds:DescribeHostAdInfo | - |
| rds:DescribeHostEcsLevelInfo | - |
| rds:DescribeHostGroupElasticStrategyParameters | - |
| rds:DescribeHostInstanceMonitorInfo | - |
| rds:DescribeInstanceKeywords | Lists the reserved keywords for an RDS instance. You cannot use these keywords when you create databases or accounts. |
| rds:DescribeKmsAssociateResources | Checks if a specified KMS resource is associated with an RDS instance. |
| rds:DescribeListUserBackupFileRecord | - |
| rds:DescribeMarketingActivity | Retrieves information about instances that are pending an upgrade in an RDS marketing campaign. |
| rds:DescribeMarketingActivityForInner | - |
| rds:DescribeMyBaseHostOverView | - |
| rds:DescribeMyBaseInstanceOverView | - |
| rds:DescribeParameterGroup | Describes a specified RDS parameter template. |
| rds:DescribeRCAvailableResource | - |
| rds:DescribeRCCloudAssistantStatus | - |
| rds:DescribeRCClusterConfig | Retrieves the KubeConfig file for an RDS Custom ACK cluster. |
| rds:DescribeRCClusterNodePoolDetail | - |
| rds:DescribeRCClusterNodePools | - |
| rds:DescribeRCClusterNodes | Lists the nodes (RDS Custom instances) in an ACK cluster. |
| rds:DescribeRCClusters | - |
| rds:DescribeRCDeploymentSets | - |
| rds:DescribeRCElasticScaling | - |
| rds:DescribeRCImageList | Lists the custom images that you can use to create RDS Custom instances. You can specify parameters such as |
| rds:DescribeRCInstanceDdosCount | Retrieves the number of DDoS attacks on an RDS Custom for SQL Server instance to help you monitor its security status and assess potential risks. |
| rds:DescribeRCInstanceHistoryEvents | - |
| rds:DescribeRCInstanceIpAddress | Retrieves DDoS protection information for an RDS Custom for SQL Server instance, including details of its associated Anti-DDoS Origin instance. |
| rds:DescribeRCInstanceTimedScheduleTask | - |
| rds:DescribeRCInstanceTypeFamilies | - |
| rds:DescribeRCInstanceTypes | - |
| rds:DescribeRCInstanceVncUrl | Retrieves the VNC logon URL for an RDS Custom instance. |
| rds:DescribeRCInvocationResults | - |
| rds:DescribeRCMetricList | Retrieves data for specified monitoring metrics of an RDS Custom instance. |
| rds:DescribeRCNodePool | Describes an RDS Custom edge node pool. |
| rds:DescribeRCResourcesModification | - |
| rds:DescribeRCSecurityGroupList | - |
| rds:DescribeRCSecurityGroupPermission | - |
| rds:DescribeRCVCluster | - |
| rds:DescribeRdsResourceSettings | Retrieves the notification settings for instance resources. This API operation is deprecated. It can be called but is no longer maintained. |
| rds:DescribeRdsVSwitchs | - |
| rds:DescribeRdsVpcs | - |
| rds:DescribeRegions | - |
| rds:DescribeReplicaInitializeProgress | - |
| rds:DescribeReplicas | - |
| rds:DescribeSqlLogInstances | - |
| rds:DescribeSqlLogTemplatesList | - |
| rds:DescribeSqlLogTemplatesTimeDistribution | - |
| rds:DescribeSqlLogTimeDistribution | - |
| rds:DescribeSqlTemplatesConsumeAndScanRows | - |
| rds:DescribeUserBackupFiles | - |
| rds:DescribeUserEncryptionKeyList | - |
| rds:DescribeUserInfo | - |
| rds:DescribeVSwitchList | - |
| rds:DescribeVpcZoneNos | - |
| rds:DescribeWhitelistTemplate | Describes a specified whitelist template. |
| rds:DescribeYaoChiAgentAuthorizationStatus | - |
| rds:DescribeYaoChiAgentTopQuestions | - |
| rds:DescribeYaoChiAgentUserSessions | - |
| rds:DetachGadInstanceMember | Removes a member node from an RDS Global Active Database cluster. |
| rds:DetachRCDisk | Detaches a pay-as-you-go data disk or a system disk from an RDS Custom instance. |
| rds:DiscountAuthenticate | - |
| rds:ExecuteStatement | - |
| rds:GetYaoChiAgent | - |
| rds:Insert | - |
| rds:InsertList | - |
| rds:InstallRCCloudAssistant | - |
| rds:ListRCVClusters | - |
| rds:ListUserBackupFiles | Lists all user backups that have been imported to RDS. |
| rds:ModifyActionEventPolicy | Enables or disables the historical events feature for RDS. |
| rds:ModifyActiveOperationMaintainConf | - |
| rds:ModifyActiveOperationTasks | Modifies the switchover time for a scheduled O&M task of an RDS instance. |
| rds:ModifyCustinsResource | Modifies the resources of an RDS instance. |
| rds:ModifyDedicatedHostAccount | - |
| rds:ModifyDedicatedHostAttribute | - |
| rds:ModifyDedicatedHostClass | - |
| rds:ModifyDedicatedHostGroupAttribute | - |
| rds:ModifyDynamicResource | - |
| rds:ModifyEventInfo | Modifies event information in the event center. |
| rds:ModifyRCClusterNodePool | - |
| rds:ModifyRCDiskAttribute | - |
| rds:ModifyRCDiskChargeType | - |
| rds:ModifyRCDiskSpec | - |
| rds:ModifyRCElasticScaling | - |
| rds:ModifyRCInstanceAttribute | - |
| rds:ModifyRCInstanceChargeType | Modifies the billing method of an RDS Custom instance or a cloud disk. For example, you can switch between the pay-as-you-go and subscription billing methods. |
| rds:ModifyRCInstanceDescription | Modifies the name of an RDS Custom instance. |
| rds:ModifyRCInstanceKeyPair | - |
| rds:ModifyRCInstanceNetworkSpec | - |
| rds:ModifyRCInstanceTimedScheduleTask | - |
| rds:ModifyRCInstanceVpcAttribute | - |
| rds:ModifyRCSecurityGroupPermission | - |
| rds:ModifyRCVCluster | - |
| rds:ModifyTaskInfo | Modifies the information of a historical task in the task center. |
| rds:QueryHostInstanceConsoleInfo | - |
| rds:QueryNotify | Retrieves notifications for RDS. |
| rds:QueryPriceForResourcePack | - |
| rds:QueryRecommendByCode | Retrieves popular questions for the RDS chatbot. |
| rds:RdsCustomInit | - |
| rds:RebootRCInstance | - |
| rds:RebootRCInstances | - |
| rds:RebuildDBInstance | Rebuilds an RDS standby instance in a dedicated host group. |
| rds:ReceiveDBInstance | Performs a switchover between a primary RDS for MySQL instance and its disaster recovery instance. |
| rds:RedeployRCInstance | - |
| rds:RefreshYaoChiAgentUserToken | - |
| rds:RemoveRCNodePoolNodes | - |
| rds:RemoveTagsFromResource | Removes tags from a resource. |
| rds:RenewRCInstance | Renews a subscription RDS Custom instance. |
| rds:ReplaceRCInstanceSystemDisk | Reinstalls the operating system of an RDS Custom instance. |
| rds:RestartDBInstances | - |
| rds:RevokeRCSecurityGroupPermission | - |
| rds:RollbackTransaction | - |
| rds:RunRCCommand | - |
| rds:Select | - |
| rds:StartRCInstances | - |
| rds:StartSqlLogTrail | - |
| rds:StopRCInstances | - |
| rds:SwitchDBInstancesHA | - |
| rds:SwitchOverMajorVersionUpgrade | Performs a traffic switchover for a zero-downtime major version upgrade of an RDS for PostgreSQL instance. |
| rds:SyncRCKeyPair | - |
| rds:SyncRCSecurityGroup | - |
| rds:UnassociateEipAddressWithRCInstance | - |
| rds:Update | - |
| rds:UpdateUserBackupFile | Modifies the notes and retention period of a user backup. |
| rds:UpgradeDBInstanceMajorVersion | Initiates a major version upgrade task for an RDS for PostgreSQL instance. |
| rds:UpgradeDBInstancesKernelVersion | - |

For actions that do not support resource group authorization, permissions granted at the resource group level have no effect. To grant these permissions to a RAM user, you must create a custom policy and apply it at the account level.
The following are two examples of custom policies that you can adjust as needed.
- This policy allows all read-only operations that do not support resource group-level authorization. The `Action` element lists these operations.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeAccountCompleteProgress",
        "rds:DescribeActionEventPolicy",
        "rds:DescribeActiveOperationMaintainConf",
        "rds:DescribeActiveOperationTask",
        "rds:DescribeActiveOperationTaskType",
        "rds:DescribeActiveOperationTasks",
        "rds:DescribeApplyResource",
        "rds:DescribeAvailableCrossRegion",
        "rds:DescribeAvailableDedicatedHostZones",
        "rds:DescribeAvailableInstanceClass",
        "rds:DescribeAvailableRecoveryTime",
        "rds:DescribeAvailableResource",
        "rds:DescribeBatchTask",
        "rds:DescribeClassList",
        "rds:DescribeControlEventConfig",
        "rds:DescribeCrossBackupMetaList",
        "rds:DescribeDBInstancePerformanceDup",
        "rds:DescribeDBInstancePromoteActivity",
        "rds:DescribeDBInstanceUpgradeActivity",
        "rds:DescribeDBInstancesByExpireTime",
        "rds:DescribeDbInstances",
        "rds:DescribeDedicatedHostAttribute",
        "rds:DescribeDedicatedHostByTags",
        "rds:DescribeDedicatedHostDisks",
        "rds:DescribeDedicatedHostDistribution",
        "rds:DescribeDedicatedHostGroups",
        "rds:DescribeDedicatedHostMetric",
        "rds:DescribeDedicatedHostTags",
        "rds:DescribeDedicatedHosts",
        "rds:DescribeDedicatedInstanceDistribution",
        "rds:DescribeDtsJob",
        "rds:DescribeEncryptionKeyList",
        "rds:DescribeEvaluateDedicatedHosts",
        "rds:DescribeEventMetaInfo",
        "rds:DescribeEvents",
        "rds:DescribeFCTrigger",
        "rds:DescribeGetScene",
        "rds:DescribeHistoryEventsStat",
        "rds:DescribeHostAdInfo",
        "rds:DescribeHostEcsLevelInfo",
        "rds:DescribeHostGroupElasticStrategyParameters",
        "rds:DescribeHostInstanceMonitorInfo",
        "rds:DescribeInstanceKeywords",
        "rds:DescribeKmsAssociateResources",
        "rds:DescribeListUserBackupFileRecord",
        "rds:DescribeMarketingActivity",
        "rds:DescribeMarketingActivityForInner",
        "rds:DescribeMyBaseHostOverView",
        "rds:DescribeMyBaseInstanceOverView",
        "rds:DescribeParameterGroup",
        "rds:DescribeRCAvailableResource",
        "rds:DescribeRCCloudAssistantStatus",
        "rds:DescribeRCClusterConfig",
        "rds:DescribeRCClusterNodePoolDetail",
        "rds:DescribeRCClusterNodePools",
        "rds:DescribeRCClusterNodes",
        "rds:DescribeRCClusters",
        "rds:DescribeRCDeploymentSets",
        "rds:DescribeRCElasticScaling",
        "rds:DescribeRCImageList",
        "rds:DescribeRCInstanceDdosCount",
        "rds:DescribeRCInstanceHistoryEvents",
        "rds:DescribeRCInstanceIpAddress",
        "rds:DescribeRCInstanceTimedScheduleTask",
        "rds:DescribeRCInstanceTypeFamilies",
        "rds:DescribeRCInstanceTypes",
        "rds:DescribeRCInstanceVncUrl",
        "rds:DescribeRCInvocationResults",
        "rds:DescribeRCMetricList",
        "rds:DescribeRCNodePool",
        "rds:DescribeRCResourcesModification",
        "rds:DescribeRCSecurityGroupList",
        "rds:DescribeRCSecurityGroupPermission",
        "rds:DescribeRCVCluster",
        "rds:DescribeRdsResourceSettings",
        "rds:DescribeRdsVSwitchs",
        "rds:DescribeRdsVpcs",
        "rds:DescribeRegions",
        "rds:DescribeReplicaInitializeProgress",
        "rds:DescribeReplicas",
        "rds:DescribeSqlLogInstances",
        "rds:DescribeSqlLogTemplatesList",
        "rds:DescribeSqlLogTemplatesTimeDistribution",
        "rds:DescribeSqlLogTimeDistribution",
        "rds:DescribeSqlTemplatesConsumeAndScanRows",
        "rds:DescribeUserBackupFiles",
        "rds:DescribeUserEncryptionKeyList",
        "rds:DescribeUserInfo",
        "rds:DescribeVSwitchList",
        "rds:DescribeVpcZoneNos",
        "rds:DescribeWhitelistTemplate",
        "rds:DescribeYaoChiAgentAuthorizationStatus",
        "rds:DescribeYaoChiAgentTopQuestions",
        "rds:DescribeYaoChiAgentUserSessions"
      ],
      "Resource": "*"
    }
  ]
}
```

- This policy allows all actions that do not support resource group-level authorization. The `Action` element lists these actions.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:AcceptRCInquiredSystemEvent",
        "rds:AssociateEipAddressWithRCInstance",
        "rds:AttachRCDisk",
        "rds:AttachRCInstances",
        "rds:AttachRCInstancesToNodePool",
        "rds:AuthorizeBackupEncryption",
        "rds:AuthorizeRCSecurityGroupPermission",
        "rds:BatchExecuteStatement",
        "rds:BeginTransaction",
        "rds:CancelActiveOperationTasks",
        "rds:CheckBackupEncryptionAuthorized",
        "rds:CheckCreateDdrDBInstance",
        "rds:CheckRdsCustomInit",
        "rds:CheckUserIfAuthoriseMyBaseSystemRole",
        "rds:CloneDBInstanceForSecurity",
        "rds:CloneParameterGroup",
        "rds:CommitTransaction",
        "rds:ConfirmNotify",
        "rds:CreateDBInstances",
        "rds:CreateDdrInstance",
        "rds:CreateDedicatedHost",
        "rds:CreateDedicatedHostAccount",
        "rds:CreateDedicatedHostGroup",
        "rds:CreateGADInstance",
        "rds:CreateGadInstanceMember",
        "rds:CreateMigrationTask",
        "rds:CreateMyBase",
        "rds:CreateOrderForResourcePack",
        "rds:CreateRCClusterNodePool",
        "rds:CreateRCDeploymentSet",
        "rds:CreateRCImage",
        "rds:CreateRCNodePool",
        "rds:CreateRCVCluster",
        "rds:CreateServiceLinkedRole",
        "rds:CreateYaoChiAgentSession",
        "rds:CreateYouhuiForOrder",
        "rds:Delete",
        "rds:DeleteDedicatedHostAccount",
        "rds:DeleteDedicatedHostGroup",
        "rds:DeleteGadInstance",
        "rds:DeleteParameterGroup",
        "rds:DeleteRCClusterNodePool",
        "rds:DeleteRCClusterNodes",
        "rds:DeleteRCDeploymentSet",
        "rds:DeleteRCInstanceTimedScheduleTask",
        "rds:DeleteRCNodePool",
        "rds:DeleteRCVCluster",
        "rds:DeleteSecret",
        "rds:DeleteUserBackupFile",
        "rds:DescibeImportsFromDatabase",
        "rds:DescribeAccountCompleteProgress",
        "rds:DescribeActionEventPolicy",
        "rds:DescribeActiveOperationMaintainConf",
        "rds:DescribeActiveOperationTask",
        "rds:DescribeActiveOperationTaskType",
        "rds:DescribeActiveOperationTasks",
        "rds:DescribeApplyResource",
        "rds:DescribeAvailableCrossRegion",
        "rds:DescribeAvailableDedicatedHostZones",
        "rds:DescribeAvailableInstanceClass",
        "rds:DescribeAvailableRecoveryTime",
        "rds:DescribeAvailableResource",
        "rds:DescribeBatchTask",
        "rds:DescribeClassList",
        "rds:DescribeControlEventConfig",
        "rds:DescribeCrossBackupMetaList",
        "rds:DescribeDBInstancePerformanceDup",
        "rds:DescribeDBInstancePromoteActivity",
        "rds:DescribeDBInstanceUpgradeActivity",
        "rds:DescribeDBInstancesByExpireTime",
        "rds:DescribeDbInstances",
        "rds:DescribeDedicatedHostAttribute",
        "rds:DescribeDedicatedHostByTags",
        "rds:DescribeDedicatedHostDisks",
        "rds:DescribeDedicatedHostDistribution",
        "rds:DescribeDedicatedHostGroups",
        "rds:DescribeDedicatedHostMetric",
        "rds:DescribeDedicatedHostTags",
        "rds:DescribeDedicatedHosts",
        "rds:DescribeDedicatedInstanceDistribution",
        "rds:DescribeDtsJob",
        "rds:DescribeEncryptionKeyList",
        "rds:DescribeEvaluateDedicatedHosts",
        "rds:DescribeEventMetaInfo",
        "rds:DescribeEvents",
        "rds:DescribeFCTrigger",
        "rds:DescribeGetScene",
        "rds:DescribeHistoryEventsStat",
        "rds:DescribeHostAdInfo",
        "rds:DescribeHostEcsLevelInfo",
        "rds:DescribeHostGroupElasticStrategyParameters",
        "rds:DescribeHostInstanceMonitorInfo",
        "rds:DescribeInstanceKeywords",
        "rds:DescribeKmsAssociateResources",
        "rds:DescribeListUserBackupFileRecord",
        "rds:DescribeMarketingActivity",
        "rds:DescribeMarketingActivityForInner",
        "rds:DescribeMyBaseHostOverView",
        "rds:DescribeMyBaseInstanceOverView",
        "rds:DescribeParameterGroup",
        "rds:DescribeRCAvailableResource",
        "rds:DescribeRCCloudAssistantStatus",
        "rds:DescribeRCClusterConfig",
        "rds:DescribeRCClusterNodePoolDetail",
        "rds:DescribeRCClusterNodePools",
        "rds:DescribeRCClusterNodes",
        "rds:DescribeRCClusters",
        "rds:DescribeRCDeploymentSets",
        "rds:DescribeRCElasticScaling",
        "rds:DescribeRCImageList",
        "rds:DescribeRCInstanceDdosCount",
        "rds:DescribeRCInstanceHistoryEvents",
        "rds:DescribeRCInstanceIpAddress",
        "rds:DescribeRCInstanceTimedScheduleTask",
        "rds:DescribeRCInstanceTypeFamilies",
        "rds:DescribeRCInstanceTypes",
        "rds:DescribeRCInstanceVncUrl",
        "rds:DescribeRCInvocationResults",
        "rds:DescribeRCMetricList",
        "rds:DescribeRCNodePool",
        "rds:DescribeRCResourcesModification",
        "rds:DescribeRCSecurityGroupList",
        "rds:DescribeRCSecurityGroupPermission",
        "rds:DescribeRCVCluster",
        "rds:DescribeRdsResourceSettings",
        "rds:DescribeRdsVSwitchs",
        "rds:DescribeRdsVpcs",
        "rds:DescribeRegions",
        "rds:DescribeReplicaInitializeProgress",
        "rds:DescribeReplicas",
        "rds:DescribeSqlLogInstances",
        "rds:DescribeSqlLogTemplatesList",
        "rds:DescribeSqlLogTemplatesTimeDistribution",
        "rds:DescribeSqlLogTimeDistribution",
        "rds:DescribeSqlTemplatesConsumeAndScanRows",
        "rds:DescribeUserBackupFiles",
        "rds:DescribeUserEncryptionKeyList",
        "rds:DescribeUserInfo",
        "rds:DescribeVSwitchList",
        "rds:DescribeVpcZoneNos",
        "rds:DescribeWhitelistTemplate",
        "rds:DescribeYaoChiAgentAuthorizationStatus",
        "rds:DescribeYaoChiAgentTopQuestions",
        "rds:DescribeYaoChiAgentUserSessions",
        "rds:DetachGadInstanceMember",
        "rds:DetachRCDisk",
        "rds:DiscountAuthenticate",
        "rds:ExecuteStatement",
        "rds:GetYaoChiAgent",
        "rds:Insert",
        "rds:InsertList",
        "rds:InstallRCCloudAssistant",
        "rds:ListRCVClusters",
        "rds:ListUserBackupFiles",
        "rds:ModifyActionEventPolicy",
        "rds:ModifyActiveOperationMaintainConf",
        "rds:ModifyActiveOperationTasks",
        "rds:ModifyCustinsResource",
        "rds:ModifyDedicatedHostAccount",
        "rds:ModifyDedicatedHostAttribute",
        "rds:ModifyDedicatedHostClass",
        "rds:ModifyDedicatedHostGroupAttribute",
        "rds:ModifyDynamicResource",
        "rds:ModifyEventInfo",
        "rds:ModifyRCClusterNodePool",
        "rds:ModifyRCDiskAttribute",
        "rds:ModifyRCDiskChargeType",
        "rds:ModifyRCDiskSpec",
        "rds:ModifyRCElasticScaling",
        "rds:ModifyRCInstanceAttribute",
        "rds:ModifyRCInstanceChargeType",
        "rds:ModifyRCInstanceDescription",
        "rds:ModifyRCInstanceKeyPair",
        "rds:ModifyRCInstanceNetworkSpec",
        "rds:ModifyRCInstanceTimedScheduleTask",
        "rds:ModifyRCInstanceVpcAttribute",
        "rds:ModifyRCSecurityGroupPermission",
        "rds:ModifyRCVCluster",
        "rds:ModifyTaskInfo",
        "rds:QueryHostInstanceConsoleInfo",
        "rds:QueryNotify",
        "rds:QueryPriceForResourcePack",
        "rds:QueryRecommendByCode",
        "rds:RdsCustomInit",
        "rds:RebootRCInstance",
        "rds:RebootRCInstances",
        "rds:RebuildDBInstance",
        "rds:ReceiveDBInstance",
        "rds:RedeployRCInstance",
        "rds:RefreshYaoChiAgentUserToken",
        "rds:RemoveRCNodePoolNodes",
        "rds:RemoveTagsFromResource",
        "rds:RenewRCInstance",
        "rds:ReplaceRCInstanceSystemDisk",
        "rds:RestartDBInstances",
        "rds:RevokeRCSecurityGroupPermission",
        "rds:RollbackTransaction",
        "rds:RunRCCommand",
        "rds:Select",
        "rds:StartRCInstances",
        "rds:StartSqlLogTrail",
        "rds:StopRCInstances",
        "rds:SwitchDBInstancesHA",
        "rds:SwitchOverMajorVersionUpgrade",
        "rds:SyncRCKeyPair",
        "rds:SyncRCSecurityGroup",
        "rds:UnassociateEipAddressWithRCInstance",
        "rds:Update",
        "rds:UpdateUserBackupFile",
        "rds:UpgradeDBInstanceMajorVersion",
        "rds:UpgradeDBInstancesKernelVersion"
      ],
      "Resource": "*"
    }
  ]
}
```

A RAM user or RAM role with account-level permissions can manage resources across the entire account. To adhere to the principle of least privilege, grant only the necessary permissions.
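To keep the account-level grant as small as possible, the following Python example (added here, not part of the original Alibaba Cloud documentation) splits one custom policy into a part to attach at resource group scope and a part that must be attached at account scope. `NO_RG_SUPPORT` is a subset copied from the table above, `SAMPLE_POLICY` is constructed, and the example assumes that `*` in an `Action` value matches any run of characters and that `rds:ModifyDBInstanceSpec`, which is absent from the table, supports resource group-level authorization.

```python
import copy
import json
import re

# Subset of the table "Actions without resource group-level authorization"
# above, kept short for the example; load the complete table before use.
NO_RG_SUPPORT = frozenset({
    "rds:CreateDBInstances",
    "rds:DeleteSecret",
    "rds:DescribeEvents",
    "rds:DescribeRCInstanceVncUrl",
    "rds:DescribeRegions",
    "rds:RestartDBInstances",
    "rds:RunRCCommand",
})

# Constructed sample policy. rds:ModifyDBInstanceSpec is not in the table, so
# the example treats it as supporting resource group-level authorization.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:Describe*", "rds:ModifyDBInstanceSpec", "rds:RunRCCommand"],
        "Resource": "*",
    }],
}


def action_matches(pattern, action):
    """Match an Action pattern, treating '*' as any run of characters (assumed semantics)."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action) is not None


def split_policy(policy, unsupported=NO_RG_SUPPORT):
    """Split a policy into (resource_group_policy, account_policy).

    Actions in `unsupported` have no effect when granted at resource group
    scope, so they are listed explicitly in the account-level policy. Wildcards
    are expanded there so the account-wide grant never carries a wildcard.
    """
    rg_statements, account_statements = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            # Copy Deny statements to both halves so the split never widens access.
            rg_statements.append(copy.deepcopy(stmt))
            account_statements.append(copy.deepcopy(stmt))
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        rg_actions, account_actions = [], set()
        for pattern in patterns:
            account_actions |= {a for a in unsupported if action_matches(pattern, a)}
            if pattern not in unsupported:
                # Anything else may still match actions that honour the group scope.
                rg_actions.append(pattern)
        for target, actions in ((rg_statements, rg_actions),
                                (account_statements, sorted(account_actions))):
            if actions:
                target.append({**copy.deepcopy(stmt), "Action": actions})

    def wrap(statements):
        return {"Version": policy.get("Version", "1"), "Statement": statements}

    return wrap(rg_statements), wrap(account_statements)


if __name__ == "__main__":
    rg_policy, account_policy = split_policy(SAMPLE_POLICY)
    print("Attach at resource group scope:")
    print(json.dumps(rg_policy, indent=2))
    print("Attach at account scope:")
    print(json.dumps(account_policy, indent=2))
```

Review the account-scope half before attaching it: every action listed there applies to the whole account, so drop any the RAM user does not need.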
FAQ
Check the resource group of a resource
- Method 1: Click the resource name to view its resource group on the details page.
- Method 2: Log in to the Resource Management console and go to . On the left, select the account that owns the resource (the current account is selected by default). Use the filters to find the resource and view its resource group.
View product resources in a resource group
- Method 1: Log in to the Resource Management console and go to . On the left, under the account that owns the resources (the current account is selected by default), click the target resource group. Then, on the right, select the product from the Select Resource Type dropdown list to view all its resources in the resource group.
- Method 2: Log in to the Resource Management console and go to . Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the product from the Product dropdown list at the top of the page to view all its resources in the resource group.
Bulk move resources between resource groups
Log in to the Resource Management console and go to . Find the target resource group and click Resource Management in its Actions column. On this page, use filters to locate the target resources, select their checkboxes in the first column, click Move Resource Group at the bottom of the page, and then follow the on-screen instructions to complete the move.