Updated on 2025-11-27 GMT+08:00

Actions Supported by Identity Policy-based Authorization

IAM provides system-defined policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by GeminiDB, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by GeminiDB, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Identity Policy Compatibility.
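The Resource Type and Access Level rules above can be checked mechanically before a policy is attached. The following linter is an added example, not code from the GeminiDB documentation. It uses a few rows copied from Table 1. The statement layout (`Statement`, `Action`, `Resource`), wildcard matching on action names, the colon-separated URN layout, and the `EXAMPLE-INSTANCE-ID` value are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Excerpt of Table 1 on this page: action -> (access level, resource type).
# "-" means the action does not support resource-level permissions.
ACTION_TABLE = {
    "gaussdbfornosql:instance:list": ("List", "-"),
    "gaussdbfornosql:backup:list": ("List", "-"),
    "gaussdbfornosql:instance:get": ("Read", "instance"),
    "gaussdbfornosql:instance:restart": ("Write", "instance"),
    "gaussdbfornosql:instance:delete": ("Write", "instance"),
    "gaussdbfornosql:instance:updatePassword": ("Write", "instance"),
    "gaussdbfornosql:instance:deleteBackup": ("Write", "-"),
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def expand_actions(patterns):
    """Resolve action names or wildcard patterns against the table excerpt.
    Actions that are not in the excerpt are ignored."""
    return sorted(a for a in ACTION_TABLE
                  if any(fnmatchcase(a, p) for p in _as_list(patterns)))


def urn_type(urn):
    """Return the resource type of a URN, assuming the layout
    <service>:<region>:<account>:<type>:<id> (an assumption, see lead-in)."""
    parts = urn.split(":", 4)
    return parts[3].lower() if len(parts) == 5 else None


def lint_statement(stmt):
    """Flag resources that contradict the Resource Type column."""
    findings = []
    resources = _as_list(stmt.get("Resource", "*"))
    for action in expand_actions(stmt["Action"]):
        _, rtype = ACTION_TABLE[action]
        for res in resources:
            if res == "*":
                continue
            if rtype == "-":
                # Column is "-": the statement must specify all resources ("*").
                findings.append(("no-resource-level-support", action, res))
            elif urn_type(res) not in (rtype, "*"):
                # Column names a type: a specified resource must be of that type.
                findings.append(("wrong-resource-type", action, res))
    return findings


def access_levels(stmt):
    """Group the actions a statement covers by Access Level (List/Read/Write)."""
    levels = {}
    for action in expand_actions(stmt["Action"]):
        levels.setdefault(ACTION_TABLE[action][0], []).append(action)
    return levels


def lint_policy(policy):
    return [(i,) + f for i, stmt in enumerate(policy["Statement"])
            for f in lint_statement(stmt)]


# Constructed sample policy (not taken from the page).
SAMPLE_URN = "gaussdbfornosql:*:*:instance:EXAMPLE-INSTANCE-ID"
POLICY = {
    "Statement": [
        # Scoped to one instance, but instance:list has no resource-level support.
        {"Effect": "Allow",
         "Action": ["gaussdbfornosql:instance:get", "gaussdbfornosql:instance:list"],
         "Resource": [SAMPLE_URN]},
        # The wildcard silently includes Write actions such as delete.
        {"Effect": "Allow",
         "Action": "gaussdbfornosql:instance:*",
         "Resource": "*"},
    ]
}

if __name__ == "__main__":
    for finding in lint_policy(POLICY):
        print(finding)
    print(access_levels(POLICY["Statement"][1]))
```

Splitting the first statement into one scoped statement for `instance:get` and one `"*"` statement for `instance:list` clears the finding.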

The following table lists the actions that you can define in identity policy statements for GeminiDB.

Table 1 Actions supported by GeminiDB

| Action | Description | Access Level | Resource Type (*: required) | Condition Key | Alias |
| --- | --- | --- | --- | --- | --- |
| gaussdbfornosql::listResourceQuota | Grants the permission to query resource quotas. | Read | - | - | nosql:instance:list |
| gaussdbfornosql:configuration:compare | Grants permission to compare two parameter templates. | Read | - | - | nosql:param:list |
| gaussdbfornosql:configuration:get | Grants permission to query details about a parameter template. | Read | - | - | nosql:param:list |
| gaussdbfornosql:instance:get | Grants the permission to query database instance details. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:getAutoExtendVolumePolicy | Grants the permission to query the automatic scale-up policy. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:getBackupPolicy | Grants permission to query an automated backup policy. | Read | Instance * |  | nosql:backup:modifyBackupPolicy |
| gaussdbfornosql:instance:getBiactiveRegion | Grants the permission to query the regions where an instance can be deployed. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:getBiactiveRelation | Grants the permission to query the existing active-active relationship of an instance. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:getBigKeys | Grants the permission to obtain big keys of a GeminiDB Redis instance. | Read | Instance * |  | nosql:instance:getBigKeys |
| gaussdbfornosql:instance:getConfiguration | Grants permission to query parameters of a specified DB instance. | Read | Instance * |  | nosql:param:list |
| gaussdbfornosql:instance:getDisasterDataSyncStatus | Grants the permission to obtain the data synchronization status of a DR instance. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:getLoadBalance | Grants the permission to query the load balancer status. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:getPasswordlessConfig | Grants the permission to obtain the password-free configuration of a GeminiDB Redis instance. | Read | Instance * | - | nosql:instance:getPasswordlessConfig |
| gaussdbfornosql:instance:getRecyclePolicy | Grants permission to query the recycling policy. | Read | - | - | nosql:instance:list |
| gaussdbfornosql:instance:getRequiredIpNums | Grants the permission to query the number of IP addresses required for creating an instance or adding nodes. | Read | - | - | - |
| gaussdbfornosql:instance:getRestorablePeriod | Grants the permission to query the time range in which an instance can be restored. | Read | Instance * |  | nosql:backup:list |
| gaussdbfornosql:instance:getSlowLogPlaintextStatus | Grants permission to query the status of Show Original Log. | Read | Instance * | - | nosql:instance:list |
| gaussdbfornosql:instance:listOffsiteBackupRegion | Grants permission to obtain the remote backup region of a specified instance. | Read | - | - | nosql:backup:list |
| gaussdbfornosql:instance:precheckDisaster | Grants the permission to check whether a DR relationship can be established. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql::updateEpsQuota | Grants the permission to query enterprise project quotas. | Write | - | - | nosql:quota:modify |
| gaussdbfornosql:configuration:copy | Grants the permission to copy a parameter group. | Write | - | - | nosql:param:create |
| gaussdbfornosql:configuration:create | Grants permission to create a parameter template. | Write | - | - | nosql:param:create |
| gaussdbfornosql:configuration:delete | Grants permission to delete a parameter template. | Write | - | - | nosql:param:delete |
| gaussdbfornosql:configuration:reset | Grants permission to reset a parameter template. | Write | - | - | nosql:param:modify |
| gaussdbfornosql:configuration:update | Grants permission to modify parameters in a parameter template. | Write | - | - | nosql:param:modify |
| gaussdbfornosql:instance:addNode | Grants the permission to add nodes to an instance. | Write | Instance * |  | nosql:instance:extendNode |
| gaussdbfornosql:instance:applyConfiguration | Grants permission to apply a parameter template to a DB instance or DB instance node. | Write | - | - | nosql:instance:modifyParameter |
| gaussdbfornosql:instance:buildBiactiveRelation | Grants the permission to create active-active instances. | Write | Instance * |  | nosql:instance:buildBiactiveInstance |
| gaussdbfornosql:instance:create | Grants permission to create a DB instance. | Write | - |  | nosql:instance:create |
| gaussdbfornosql:instance:createBackup | Grants the permission to create manual backups. | Write | Instance * |  | nosql:backup:create |
| gaussdbfornosql:instance:createColdVolume | Grants the permission to create cold storage. | Write | Instance * |  | nosql:instance:modifyStorageSize |
| gaussdbfornosql:instance:createDatabaseUser | Grants the permission to create a database account. | Write | Instance * |  | nosql:instance:createDatabaseUser |
| gaussdbfornosql:instance:createDisaster | Grants the permission to set up a DR relationship. | Write | Instance * |  | nosql:dr:construct |
| gaussdbfornosql:instance:createExclusiveResource | Grants the permission to create dedicated resources. | Write | - | - | nosql:dcc:create |
| gaussdbfornosql:instance:delete | Grants permission to delete a DB instance. | Write | Instance * |  | nosql:instance:delete |
| gaussdbfornosql:instance:deleteBackup | Grants the permission to delete a manual backup. | Write | - | - | nosql:backup:delete |
| gaussdbfornosql:instance:deleteColdVolume | Grants the permission to delete cold storage. | Write | Instance * |  | nosql:instance:modifyStorageSize |
| gaussdbfornosql:instance:deleteDatabaseUser | Grants the permission to delete a database account. | Write | Instance * |  | nosql:instance:deleteDatabaseUser |
| gaussdbfornosql:instance:deleteDisaster | Grants the permission to remove the DR relationship. | Write | Instance * |  | nosql:dr:deconstruct |
| gaussdbfornosql:instance:deleteNode | Grants the permission to reduce the number of nodes in an instance. | Write | Instance * |  | nosql:instance:delete, nosql:instance:reduceNode |
| gaussdbfornosql:instance:deleteSession | Grants the permission to delete an instance session list. | Write | Instance * |  | nosql:session:delete |
| gaussdbfornosql:instance:extendExclusiveResource | Grants the permission to expand dedicated resources. | Write | - | - | nosql:dcc:extend |
| gaussdbfornosql:instance:getOffsiteBackupPolicy | Grants the permission to obtain the remote backup policy of a specified instance. | Write | Instance * |  | nosql:instance:modifyBackupPolicy |
| gaussdbfornosql:instance:operateDatabase | Grants the permission to modify a database. | Write | Instance * |  | nosql:instance:operateDatabase |
| gaussdbfornosql:instance:operateDisasterDataSync | Grants the permission to synchronize data between two instances with a DR relationship. | Write | Instance * |  | nosql:dr:operateDataSync |
| gaussdbfornosql:instance:releaseBiactiveRelation | Grants the permission to remove an active-active relationship. | Write | Instance * |  | nosql:instance:releaseBiactiveInstance |
| gaussdbfornosql:instance:rename | Grants the permission to rename an instance. | Write | Instance * |  | nosql:instance:rename |
| gaussdbfornosql:instance:resetDbPassword | Grants the permission to reset a database account password. | Write | Instance * |  | nosql:instance:resetDatabaseUser |
| gaussdbfornosql:instance:restart | Grants permission to restart a DB instance. | Write | Instance * |  | nosql:instance:restart |
| gaussdbfornosql:instance:restore | Grants permission to restore data to the original DB instance. | Write | - | - | nosql:backup:refreshInstanceFromBackup |
| gaussdbfornosql:instance:setAutoExtendVolumePolicy | Grants the permission to set an autoscaling policy. | Write | - | - | nosql:instance:modifyStorageSize |
| gaussdbfornosql:instance:setBackupPolicy | Grants permission to configure an automated backup policy. | Write | Instance * |  | nosql:backup:list |
| gaussdbfornosql:instance:setLogConfigs | Grants the permission to set log configurations. | Write | - | - | nosql:instances:saveLtsStreams |
| gaussdbfornosql:instance:setOffsiteBackupPolicy | Grants permission to set a remote backup policy. | Write | Instance * |  | nosql:instance:modifyBackupPolicy |
| gaussdbfornosql:instance:setPasswordlessConfig | Grants the permission to set the password-free configuration of a GeminiDB Redis instance. | Write | Instance * |  | nosql:instance:setPasswordlessConfig |
| gaussdbfornosql:instance:setRecyclePolicy | Grants permission to configure a recycling policy. | Write | - | - | nosql:recyclePolicy:set |
| gaussdbfornosql:instance:switchNodeStatus | Grants the permission to start or stop a node. | Write | - | - | nosql:instance:switchNodeStatus |
| gaussdbfornosql:instance:switchSSL | Grants the permission to enable or disable SSL. | Write | Instance * |  | nosql:instance:switchSSL |
| gaussdbfornosql:instance:switchoverDisaster | Grants the permission to switch the primary/standby DR relationship. | Write | Instance * |  | nosql:dr:switchoverDisasterRecovery |
| gaussdbfornosql:instance:updateColdVolume | Grants the permission to scale up cold storage. | Write | Instance * |  | nosql:instance:modifyStorageSize |
| gaussdbfornosql:instance:updateConfiguration | Grants permission to modify the parameter template configuration of a DB instance or DB instance node. | Write | Instance * |  | nosql:instance:modifyParameter |
| gaussdbfornosql:instance:updateDbUserPrivilege | Grants the permission to modify database account permissions. | Write | Instance * |  | nosql:instance:modifyDbUserPrivilege |
| gaussdbfornosql:instance:updateEIP | Grants the permission to bind or unbind an EIP. | Write | Instance * |  | nosql:instance:bindPublicIp, nosql:instance:unbindPublicIp |
| gaussdbfornosql:instance:updateHighRiskCommands | Grants the permission to modify high-risk commands. | Write | Instance * |  | nosql:instances:modifyHighRiskCommands |
| gaussdbfornosql:instance:updateLoadBalance | Grants the permission to modify load balancers. | Write | Instance * |  | nosql:instance:modifyInstanceLb |
| gaussdbfornosql:instance:updatePassword | Grants the permission to reset the administrator password. | Write | Instance * |  | nosql:instance:modifyPasswd |
| gaussdbfornosql:instance:updatePort | Grants permission to change a database port. | Write | Instance * |  | nosql:instance:modifyPort |
| gaussdbfornosql:instance:updateSecurityGroup | Grants permission to change the security group of a DB instance. | Write | Instance * |  | nosql:instance:modifySecurityGroup |
| gaussdbfornosql:instance:updateSlowLogPlaintextSwitch | Grants permission to enable or disable Show Original Log. | Write | Instance * |  | nosql:instance:modifySlowLogPlaintextSwitch |
| gaussdbfornosql:instance:updateSourceSubnet | Grants the permission to update CIDR block configurations. | Write | Instance * |  | nosql:instance:setSourceSubnet |
| gaussdbfornosql:instance:updateSpec | Grants permission to change the instance class. | Write | Instance * |  | nosql:instance:modifySpecification |
| gaussdbfornosql:instance:updateVolume | Grants permission to scale up storage space of a DB instance. | Write | Instance * |  | nosql:instance:modifyStorageSize |
| gaussdbfornosql:instance:upgradeDatabaseVersion | Grants permission to upgrade the version of a DB instance. | Write | Instance * |  | nosql:instance:upgradeDatabaseVersion |
| gaussdbfornosql::listEpsQuota | Grants the permission to query enterprise project quotas. | List | - | - | nosql:quota:list |
| gaussdbfornosql::listResourcesByTags | Grants the permission to query resource tags. | List | - | - | nosql:instance:list, nosql:tag:list |
| gaussdbfornosql::listTagsForResource | Grants permission to query tags of a specified DB instance. | List | Instance * |  | nosql:instance:list, nosql:tag:list |
| gaussdbfornosql:backup:list | Grants permission to query backups. | List | - | - | nosql:backup:list |
| gaussdbfornosql:configuration:list | Grants permission to query parameter templates. | List | - | - | nosql:param:list |
| gaussdbfornosql:configuration:listAppliedHistory | Grants permission to query application records of a parameter template. | List | - | - | nosql:param:list |
| gaussdbfornosql:configuration:listUpdatedHistory | Grants permission to query change history of a parameter template. | List | - | - | nosql:param:list |
| gaussdbfornosql:datastore:list | Grants the permission to query engine versions. | List | - | - | - |
| gaussdbfornosql:instance:list | Grants permission to query DB instances. | List | - | - | nosql:instance:list |
| gaussdbfornosql:instance:listDatabase | Grants the permission to query the database list. | List | Instance * |  | nosql:database:list, nosql:backup:list |
| gaussdbfornosql:instance:listDatabaseUser | Grants the permission to query the database accounts and details. | List | Instance * |  | nosql:dbuser:list |
| gaussdbfornosql:instance:listErrorLog | Grants permission to query error logs. | List | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:listExclusiveResource | Grants the permission to query dedicated resources. | List | - | - | - |
| gaussdbfornosql:instance:listFlavors | Grants permission to query specifications. | List | - | - | nosql:instance:list |
| gaussdbfornosql:instance:listHighRiskCommands | Grants the permission to query high-risk commands. | List | Instance * |  | nosql:command:list |
| gaussdbfornosql:instance:listLogConfigs | Grants the permission to query log configurations. | List | - | - | nosql:instances:list |
| gaussdbfornosql:instance:listOffsiteBackup | Grants permission to obtain cross-region backups. | List | - | - | nosql:backup:list |
| gaussdbfornosql:instance:listOffsiteBackupInstance | Grants permission to obtain the cross-region backup instance. | List | - | - | nosql:backup:list |
| gaussdbfornosql:instance:listRecycleInstances | Grants permission to query DB instances in the recycle bin. | List | - | - | nosql:instance:list |
| gaussdbfornosql:instance:listRestorableInstances | Grants the permission to query instances that can be restored. | List | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:listSession | Grants the permission to query sessions of an instance. | List | Instance * |  | nosql:session:list |
| gaussdbfornosql:instance:listSlowLog | Grants permission to query slow query logs. | List | Instance * |  | nosql:instance:list |
| gaussdbfornosql:tag:list | Grants permission to query all tags in a project. | List | - | - | nosql:tag:list |
| gaussdbfornosql:task:list | Grants the permission to view tasks. | List | Instance * |  | nosql:task:list |
| gaussdbfornosql:instance:batchUpgradeDatabaseVersion | Grants the permission to install database patches in batches. | Write | - | - | nosql:instance:batchUpgradeDatabaseVersion |
| gaussdbfornosql:instance:getHotKeys | Grants the permission to query hot keys of GeminiDB Redis instances. | Read | Instance * |  | nosql:instance:getHotKeys |
| gaussdbfornosql:instance:setRedisDisabledCommands | Grants the permission to disable commands for GeminiDB Redis instances. | Write | Instance * |  | nosql:instance:setRedisDisabledCommands |
| gaussdbfornosql:instance:listRedisDisabledCommands | Grants the permission to query commands disabled for GeminiDB Redis instances. | Read | Instance * |  | nosql:instance:queryRedisDisabledCommands |
| gaussdbfornosql:instance:modifyMaintenanceWindow | Grants the permission to set the maintenance window of an instance. | Write | Instance * |  | nosql:instance:modifyMaintenanceWindow |
| gaussdbfornosql:instance:deleteRedisDisabledCommands | Grants the permission to delete commands disabled for GeminiDB Redis instances. | Write | Instance * |  | nosql:instance:deleteRedisDisabledCommands |
| gaussdbfornosql:instance:listDBCacheMappings | Grants the permission to query memory acceleration mappings and details. | List | - | - | nosql:instance:listDBCacheMappings |
| gaussdbfornosql:instance:createDBCacheRule | Grants the permission to create memory acceleration rules. | Write | - | - | nosql:instance:createDBCacheRule |
| gaussdbfornosql:instance:deleteDBCacheMapping | Grants the permission to remove memory acceleration mappings. | Write | - | - | nosql:instance:deleteDBCacheMapping |
| gaussdbfornosql:instance:createDBCacheMapping | Grants the permission to create memory acceleration mappings. | Write | - | - | nosql:instance:createDBCacheMapping |
| gaussdbfornosql:instance:updateDBCacheRule | Grants the permission to modify memory acceleration rules. | Write | - | - | nosql:instance:updateDBCacheRule |
| gaussdbfornosql:instance:listDBCacheRules | Grants the permission to query memory acceleration rules and details. | List | - | - | nosql:instance:listDBCacheRules |
| gaussdbfornosql:instance:deleteDBCacheRule | Grants the permission to delete memory acceleration rules. | Write | - | - | nosql:instance:deleteDBCacheRule |
| gaussdbfornosql:instance:operateDataDump | Grants the permission to enable or disable instance data export. | Write | Instance * |  | nosql:instance:operateDataDump |
| gaussdbfornosql:instance:setSecondLevelMonitoringConfig | Grants the permission to enable or disable monitoring by seconds. | Write | Instance * |  | nosql:instance:secondLevelMonitoring |
| gaussdbfornosql:instance:getSecondLevelMonitoringConfig | Grants the permission to query the configuration of monitoring by seconds. | Read | Instance * |  | nosql:instance:secondLevelMonitoring |
| gaussdbfornosql:instance:setAutoNodeExpansionPolicy | Grants the permission to set an automatic node scale-out policy. | Write | Instance * |  | nosql:instance:extendNode |
| gaussdbfornosql:instance:getAutoNodeExpansionPolicy | Grants the permission to query an automatic node scale-out policy. | Read | Instance * |  | nosql:instance:list |
| gaussdbfornosql:instance:listSslCertDownloadAddresses | Grants the permission to obtain the address for downloading the SSL certificate. | List | Instance * |  | nosql:instance:listSslCertDownloadAddresses |
| gaussdbfornosql:instance:redisPitrRestore | Grants the permission to restore the current GeminiDB Redis instance to a specified point in time. | Write | Instance * |  | nosql:instance:redisPitrRestore |
| gaussdbfornosql:instance:setRedisPitrPolicy | Grants the permission to set a policy for restoring a GeminiDB Redis instance to a specified point in time. | Write | Instance * |  | nosql:instance:setRedisPitrPolicy |
| gaussdbfornosql:instance:getRedisPitrPolicy | Grants the permission to query a policy for restoring a GeminiDB Redis instance to a specified point in time. | Read | Instance * |  | nosql:instance:getRedisPitrPolicy |
| gaussdbfornosql:instance:listRedisPitrRestoreTime | Grants the permission to query the time range in which a GeminiDB Redis instance can be restored. | List | Instance * |  | nosql:instance:listRedisPitrRestoreTime |
| gaussdbfornosql:instance:getRedisPitrInfo | Grants the permission to query storage used for restoring a GeminiDB Redis instance to a specified point in time. | Read | Instance * |  | nosql:instance:getRedisPitrInfo |
| gaussdbfornosql:instance:stopBackup | Grants the permission to stop backups. | Write | - | - | nosql:backup:stop |
| gaussdbfornosql:instance:redisDataRestore | Grants the permission to import a data file to an existing instance. | Write | Instance * |  | nosql:instance:redisDataRestore |
| gaussdbfornosql:instance:setTags | Grants the permission to add or delete tags for an instance in batches. | tagging | Instance * |  | nosql:instance:tag |
| gaussdbfornosql:instance:setDisasterSettings | Grants the permission to set the percentage of faulty nodes to be taken over. | Write | - | - | nosql:dr:setDisasterRecoverySettings |
| gaussdbfornosql:instance:listDisasterSettings | Grants the permission to query the percentage of faulty nodes to be taken over. | List | - | - | nosql:dr:listDisasterRecoverySettings |
| gaussdbfornosql:instance:maintenanceWindow | Grants the permission to query the maintenance window of an instance. | Read | - |  | nosql:instance:maintenanceWindow |
| gaussdbfornosql:instance:cancelScheduleJob | Grants the permission to cancel a scheduled task. | Write | - | - | nosql:instance:cancelScheduleJob |

Each API of GeminiDB supports one or more actions. The following table lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by GeminiDB APIs

| API | Action | Dependencies |
| --- | --- | --- |
| GET / | - | - |
| GET /{version} | - | - |
| GET /v3.1/{project_id}/flavors | - | - |
| GET /v3/{project_id}/datastores/{datastore_name}/versions | - | - |
| GET /v3/{project_id}/dedicated-resources | gaussdbfornosql:instance:listExclusiveResource | - |
| POST /v3/{project_id}/instances | gaussdbfornosql:instance:create | - |
| DELETE /v3/{project_id}/instances/{instance_id} | gaussdbfornosql:instance:delete | - |
| GET /v3/{project_id}/instances | gaussdbfornosql:instance:list | - |
| POST /v3/{project_id}/instances/{instance_id}/extend-volume | gaussdbfornosql:instance:updateVolume | - |
| POST /v3/{project_id}/instances/{instance_id}/enlarge-node | gaussdbfornosql:instance:addNode | - |
| POST /v3/{project_id}/instances/{instance_id}/reduce-node | gaussdbfornosql:instance:deleteNode | - |
| GET /v3/{project_id}/redis/nodes/{node_id}/sessions | gaussdbfornosql:instance:listSession | - |
| GET /v3/{project_id}/redis/nodes/{node_id}/session-statistics | gaussdbfornosql:instance:listSession | - |
| DELETE /v3/{project_id}/redis/nodes/{node_id}/sessions | gaussdbfornosql:instance:deleteSession | - |
| GET /v3/{project_id}/instances/{instance_id}/available-flavors | gaussdbfornosql:instance:listFlavors | - |
| PUT /v3/{project_id}/instances/{instance_id}/resize | gaussdbfornosql:instance:updateSpec | - |
| PUT /v3/{project_id}/instances/{instance_id}/password | gaussdbfornosql:instance:updatePassword | - |
| PUT /v3/{project_id}/instances/{instance_id}/name | gaussdbfornosql:instance:rename | - |
| PUT /v3/{project_id}/instances/{instance_id}/security-group | gaussdbfornosql:instance:updateSecurityGroup | - |
| POST /v3/{project_id}/instances/{instance_id}/db-upgrade | gaussdbfornosql:instance:upgradeDatabaseVersion | - |
| POST /v3/{project_id}/instances/db-upgrade | gaussdbfornosql:instance:batchUpgradeDatabaseVersion | - |
| POST /v3/{project_id}/instances/{instance_id}/cold-volume | gaussdbfornosql:instance:createColdVolume | - |
| PUT /v3/{project_id}/instances/{instance_id}/cold-volume | gaussdbfornosql:instance:updateColdVolume | - |
| POST /v3/{project_id}/instances/{instance_id}/nodes/{node_id}/public-ip | gaussdbfornosql:instance:updateEIP | - |
| POST /v3/{project_id}/instances/{instance_id}/ssl-option | gaussdbfornosql:instance:switchSSL | - |
| POST /v3/{project_id}/instances/{instance_id}/restart | gaussdbfornosql:instance:restart | - |
| PUT /v3/{project_id}/instances/disk-auto-expansion | gaussdbfornosql:instance:setAutoExtendVolumePolicy | - |
| PUT /v3/{project_id}/instances/{instance_id}/port | gaussdbfornosql:instance:updatePort | - |
| POST /v3/{project_id}/weak-password-verification | - | - |
| POST /v3/{project_id}/instances/{instance_id}/client-network | gaussdbfornosql:instance:updateSourceSubnet | - |
| DELETE /v3/{project_id}/instances/{instance_id}/enlarge-failed-nodes | gaussdbfornosql:instance:deleteNode | - |
| GET /v3/{project_id}/ip-num-requirement | gaussdbfornosql:instance:getRequiredIpNums | - |
| GET /v3/{project_id}/instances/{instance_id}/disk-auto-expansion | gaussdbfornosql:instance:getAutoExtendVolumePolicy | - |
| PUT /v3/{project_id}/instances/{instance_id}/volume | gaussdbfornosql:instance:updateVolume | - |
| GET /v3/{project_id}/instances/{instance_id}/high-risk-commands | gaussdbfornosql:instance:listHighRiskCommands | - |
| PUT /v3/{project_id}/instances/{instance_id}/high-risk-commands | gaussdbfornosql:instance:updateHighRiskCommands | - |
| GET /v3/{project_id}/instances/{instance_id}/hot-keys | gaussdbfornosql:instance:getHotKeys | - |
| POST /v3/{project_id}/redis/instances/{instance_id}/disabled-commands | gaussdbfornosql:instance:setRedisDisabledCommands | - |
| GET /v3/{project_id}/redis/instances/{instance_id}/disabled-commands | gaussdbfornosql:instance:listRedisDisabledCommands | - |
| DELETE /v3/{project_id}/redis/instances/{instance_id}/disabled-commands | gaussdbfornosql:instance:deleteRedisDisabledCommands | - |
| PUT /v3/{project_id}/instances/{instance_id}/maintenance-window | gaussdbfornosql:instance:modifyMaintenanceWindow | - |
| PUT /v3/{project_id}/instance/{instance_id}/switchover | gaussdbfornosql:instance:switchover | - |
| PUT /v3/{project_id}/instances/{instance_id}/nodes | gaussdbfornosql:instance:switchNodeStatus | - |
| POST /v3/{project_id}/instances/{instance_id}/big-keys | gaussdbfornosql:instance:getBigKeys | - |
| GET /v3/{project_id}/instances/{instance_id}/passwordless-config | gaussdbfornosql:instance:getPasswordlessConfig | - |
| PUT /v3/{project_id}/instances/{instance_id}/passwordless-config | gaussdbfornosql:instance:setPasswordlessConfig | - |
| GET /v3/{project_id}/dbcache/mappings | gaussdbfornosql:instance:listDBCacheMappings | - |
| POST /v3/{project_id}/dbcache/rule | gaussdbfornosql:instance:createDBCacheRule | - |
| DELETE /v3/{project_id}/dbcache/mapping | gaussdbfornosql:instance:deleteDBCacheMapping | - |
| POST /v3/{project_id}/dbcache/mapping | gaussdbfornosql:instance:createDBCacheMapping | - |
| PUT /v3/{project_id}/dbcache/rule | gaussdbfornosql:instance:updateDBCacheRule | - |
| GET /v3/{project_id}/dbcache/rules | gaussdbfornosql:instance:listDBCacheRules | - |
| DELETE /v3/{project_id}/dbcache/rule | gaussdbfornosql:instance:deleteDBCacheRule | - |
| PUT /v3/{project_id}/instances/{instance_id}/data-dump | gaussdbfornosql:instance:operateDataDump | - |
| PUT /v3/{project_id}/instances/{instance_id}/monitoring-by-seconds/switch | gaussdbfornosql:instance:setSecondLevelMonitoringConfig | - |
| GET /v3/{project_id}/instances/{instance_id}/monitoring-by-seconds/switch | gaussdbfornosql:instance:getSecondLevelMonitoringConfig | - |
| PUT /v3/{project_id}/instances/{instance_id}/node-auto-expansion-policy | gaussdbfornosql:instance:setAutoNodeExpansionPolicy | - |
| GET /v3/{project_id}/instances/{instance_id}/node-auto-expansion-policy | gaussdbfornosql:instance:getAutoNodeExpansionPolicy | - |
| GET /v3/{project_id}/instances/{instance_id}/ssl-cert/download-link | gaussdbfornosql:instance:listSslCertDownloadAddresses | - |
| PUT /v3/{project_id}/instances/{instance_id}/lb | gaussdbfornosql:instance:updateLoadBalance | - |
| GET /v3/{project_id}/instances/{instance_id}/sessions | gaussdbfornosql:instance:listSession | - |
| DELETE /v3/{project_id}/instances/{instance_id}/sessions | gaussdbfornosql:instance:deleteSession | - |
| GET /v4/{project_id}/backups | gaussdbfornosql:backup:list | - |
| GET /v3.1/{project_id}/backups | gaussdbfornosql:backup:list | - |
| GET /v3.1/{project_id}/instances/{instance_id}/backups/policy | gaussdbfornosql:instance:getBackupPolicy | - |
| GET /v3/{project_id}/instances/{instance_id}/backups/policy | gaussdbfornosql:instance:getBackupPolicy | - |
| PUT /v3/{project_id}/instances/{instance_id}/backups/policy | gaussdbfornosql:instance:setBackupPolicy | - |
| GET /v3/{project_id}/backups/{backup_id}/restorable-instances | gaussdbfornosql:instance:listRestorableInstances | - |
| GET /v3/{project_id}/instances/{instance_id}/backups/restorable-time-periods | gaussdbfornosql:instance:getRestorablePeriod | - |
| POST /v3/{project_id}/instances/{instance_id}/backups | gaussdbfornosql:instance:createBackup | - |
| DELETE /v3/{project_id}/backups/{backup_id} | gaussdbfornosql:instance:deleteBackup | - |
| POST /v3/{project_id}/instances/{instance_id}/recovery | gaussdbfornosql:instance:restore | - |
| GET /v3/{project_id}/instances/recycle-policy | gaussdbfornosql:instance:getRecyclePolicy | - |
| PUT /v3/{project_id}/instances/recycle-policy | gaussdbfornosql:instance:setRecyclePolicy | - |
| GET /v3/{project_id}/recycle-instances | gaussdbfornosql:instance:listRecycleInstances | - |
| GET /v3/{project_id}/instances/{instance_id}/databases | gaussdbfornosql:instance:listDatabase | - |
| GET /v3/{project_id}/instances/{instance_id}/tables | gaussdbfornosql:backup:list | - |
| PUT /v3/{project_id}/redis/instances/{instance_id}/pitr | gaussdbfornosql:instance:redisPitrRestore | - |
| PUT /v3/{project_id}/redis/instances/{instance_id}/pitr/policy | gaussdbfornosql:instance:setRedisPitrPolicy | - |
| GET /v3/{project_id}/redis/instances/{instance_id}/pitr/policy | gaussdbfornosql:instance:getRedisPitrPolicy | - |
| GET /v3/{project_id}/redis/instances/{instance_id}/pitr/restorable-time-periods | gaussdbfornosql:instance:listRedisPitrRestoreTime | - |
| GET /v3/{project_id}/redis/instances/{instance_id}/pitr | gaussdbfornosql:instance:getRedisPitrInfo | - |
| PUT /v3/{project_id}/backups/{backup_id} | gaussdbfornosql:instance:stopBackup | - |
| DELETE /v3/{project_id}/instances/backups | gaussdbfornosql:instance:deleteBackup | - |
| POST /v3/{project_id}/redis/instances/{instance_id}/recovery | gaussdbfornosql:instance:redisDataRestore | - |
| GET /v3.1/{project_id}/configurations | gaussdbfornosql:configuration:list | - |
| PUT /v3.1/{project_id}/configurations/{config_id}/apply | gaussdbfornosql:instance:applyConfiguration | - |
| PUT /v3.1/{project_id}/instances/{instance_id}/configurations | gaussdbfornosql:instance:updateConfiguration | - |
| GET /v3/{project_id}/configurations | gaussdbfornosql:configuration:list | - |
| POST /v3/{project_id}/configurations | gaussdbfornosql:configuration:create | - |
| PUT /v3/{project_id}/configurations/{config_id} | gaussdbfornosql:configuration:update | - |
| POST /v3/{project_id}/configurations/{config_id}/reset | gaussdbfornosql:configuration:reset | - |
| GET /v3/{project_id}/instances/{instance_id}/configurations | gaussdbfornosql:instance:getConfiguration | - |
| PUT /v3/{project_id}/configurations/{config_id}/apply | gaussdbfornosql:instance:applyConfiguration | - |
| PUT /v3/{project_id}/instances/{instance_id}/configurations | gaussdbfornosql:instance:updateConfiguration | - |
| GET /v3/{project_id}/configurations/{config_id} | gaussdbfornosql:configuration:get | - |
| DELETE /v3/{project_id}/configurations/{config_id} | gaussdbfornosql:configuration:delete | - |
| GET /v3/{project_id}/configurations/{config_id}/applicable-instances | gaussdbfornosql:instance:list | - |
| GET /v3/{project_id}/instances/{instance_id}/configuration-histories | gaussdbfornosql:configuration:listUpdatedHistory | - |
| GET /v3/{project_id}/configurations/{config_id}/applied-histories | gaussdbfornosql:configuration:listAppliedHistory | - |
| POST /v3/{project_id}/configurations/comparison | gaussdbfornosql:configuration:compare | - |
| POST /v3/{project_id}/configurations/{config_id}/copy | gaussdbfornosql:configuration:copy | - |
| GET /v3/{project_id}/configurations/datastores | gaussdbfornosql:datastore:list | - |
| POST /v3/{project_id}/redis/instances/{instance_id}/db-users | gaussdbfornosql:instance:createDatabaseUser | - |
| PUT /v3/{project_id}/redis/instances/{instance_id}/db-users/privilege | gaussdbfornosql:instance:updateDbUserPrivilege | - |
| PUT /v3/{project_id}/redis/instances/{instance_id}/db-users/password | gaussdbfornosql:instance:resetDbPassword | - |
| DELETE /v3/{project_id}/redis/instances/{instance_id}/db-users | gaussdbfornosql:instance:deleteDatabaseUser | - |
| GET /v3/{project_id}/redis/instances/{instance_id}/db-users | gaussdbfornosql:instance:listDatabaseUser | - |
| GET /v3/{project_id}/redis/instances/{instance_id}/databases | gaussdbfornosql:instance:listDatabase | - |
| PUT /v3/{project_id}/instances/{instance_id}/databases | gaussdbfornosql:instance:operateDatabase | - |
| POST /v3/{project_id}/instances/resource_instances/action | gaussdbfornosql::listResourcesByTags | - |
| POST /v3/{project_id}/instances/{instance_id}/tags/action | gaussdbfornosql:instance:setTags | - |
| GET /v3/{project_id}/instances/{instance_id}/tags | gaussdbfornosql::listTagsForResource | - |
| GET /v3/{project_id}/tags | gaussdbfornosql:tag:list | - |

GET /v3/{project_id}/instances/{instance_id}/slowlog?start_date={start_date}&end_date={end_date}

gaussdbfornosql:instance:listSlowLog

-

POST /v3/{project_id}/redis/instances/{instance_id}/slow-logs

gaussdbfornosql:instance:listSlowLog

-

POST /v3/{project_id}/influxdb/instances/{instance_id}/slow-logs

gaussdbfornosql:instance:listSlowLog

-

POST /v3/{project_id}/cassandra/instances/{instance_id}/slow-logs

gaussdbfornosql:instance:listSlowLog

-

POST /v3/{project_id}/mongodb/instances/{instance_id}/slow-logs

gaussdbfornosql:instance:listSlowLog

-

GET /v3/{project_id}/instances/{instance_id}/error-log

gaussdbfornosql:instance:listErrorLog

-

POST /v3/{project_id}/mongodb/instances/{instance_id}/error-logs

gaussdbfornosql:instance:listErrorLog

-

PUT /v3/{project_id}/instances/{instance_id}/slowlog-desensitization

gaussdbfornosql:instance:updateSlowLogPlaintextSwitch

-

GET /v3/{project_id}/instances/{instance_id}/slowlog-desensitization

gaussdbfornosql:instance:getSlowLogPlaintextStatus

-

POST /v3/{project_id}/instances/logs/lts-configs

gaussdbfornosql:instance:setLogConfigs

-

DELETE /v3/{project_id}/instances/logs/lts-configs

gaussdbfornosql:instance:setLogConfigs

-

GET /v3/{project_id}/instances/logs/lts-configs

gaussdbfornosql:instance:setLogConfigs

-

GET /v3/{project_id}/quotas

gaussdbfornosql::listResourceQuota

-

GET /v3/{project_id}/instances/{instance_id}/disaster-recovery/regions

gaussdbfornosql:instance:list

-

PUT /v3/{project_id}/instances/disaster-recovery/settings

gaussdbfornosql:instance:setDisasterSettings

-

GET /v3/{project_id}/instances/disaster-recovery/settings

gaussdbfornosql:instance:listDisasterSettings

-

POST /v3/{project_id}/instances/{instance_id}/dual-active-relationship

gaussdbfornosql:instance:buildBiactiveRelation

-

DELETE /v3/{project_id}/instances/{instance_id}/dual-active-relationship

gaussdbfornosql:instance:releaseBiactiveRelation

-

GET /v3/{project_id}/jobs

gaussdbfornosql:task:list

-

GET /v3/{project_id}/instances/{instance_id}/ops-window

gaussdbfornosql:instance:maintenanceWindow

-

GET /v3/{project_id}/scheduled-jobs

gaussdbfornosql:task:list

-

DELETE /v3/{project_id}/scheduled-jobs/{job_id}

gaussdbfornosql:instance:cancelScheduleJob

-

GET /v3/{project_id}/enterprise-projects/quotas

gaussdbfornosql::listEpsQuota

-

PUT /v3/{project_id}/enterprise-projects/quotas

gaussdbfornosql::updateEpsQuota

-

PUT /v3/{project_id}/instances/{instance_id}/lb/access-control

gaussdbfornosql:instance:updateLoadBalance

-

GET /v3/{project_id}/instances/{instance_id}/lb/access-control

gaussdbfornosql:instance:getLoadBalance

-

GET /v3/{project_id}/flavors

-

-

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy is applied to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for GeminiDB.

Table 3 Resource types supported by GeminiDB

| Resource Type | URN |
|---|---|
| Instance | geminidb:<region>:<account-id>:instance:<instance-id> |

Conditions

Condition Key Overview

A condition is a set of condition keys and operators that determine when an identity policy is applied.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, geminidb:) are only applied to operations of GeminiDB. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For details about supported operators, see operators.

The following table lists the condition keys that you can define in identity policies for GeminiDB. You can use these condition keys to specify conditions for when your identity policy is applied.

Table 4 Service-specific condition keys supported by GeminiDB

| Service-specific Condition Key | Type | Single-valued/Multivalued | Description |
|---|---|---|---|
| gaussdbfornosql:AssociatePublicIp | boolean | Single-valued | Filters access by tag key that specifies whether an EIP is bound in a request. |
| gaussdbfornosql:VpcId | string | Single-valued | Filters access by tag key that specifies a VPC ID in a request. |
| gaussdbfornosql:Subnet | string | Single-valued | Filters access by tag key that specifies a subnet in a request. |

Examples of Condition Keys

  • gaussdbfornosql:AssociatePublicIp

    Example: Prohibiting GeminiDB instances from binding to an EIP

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "gaussdbfornosql:instance:updateEIP"
          ],
          "Condition": {
            "Bool": {
              "gaussdbfornosql:AssociatePublicIp": [
                "true"
              ]
            }
          }
        }
      ]
    }
  • gaussdbfornosql:VpcId

    Example: Allowing instance creation in a specified VPC

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "gaussdbfornosql:instance:create"
          ],
          "Condition": {
            "StringEquals": {
              "gaussdbfornosql:VpcId": [
                "f457aa28-72de-42b8-8517-d9c6e14b9d09"
              ]
            }
          }
        }
      ]
    }
  • gaussdbfornosql:Subnet

    Example: Allowing instance creation in a specified subnet

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "gaussdbfornosql:instance:create"
          ],
          "Condition": {
            "StringEquals": {
              "gaussdbfornosql:Subnet": [
                "c0650bbe-4c89-4f2a-8cd2-3e2171b96d99"
              ]
            }
          }
        }
      ]
    }
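The EIP and VPC example policies above can be checked against sample requests with a small evaluator. This is an added example, not Huawei Cloud code or IAM's own algorithm. It is a simplified model that assumes an explicit Deny overrides any Allow, a request matching no Allow is denied, and a condition key missing from the request never matches; `ALLOW_ALL_INSTANCE_ACTIONS` and the request contexts are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The page's EIP and VPC example policies, copied as Python dicts.
DENY_EIP_BIND = {"Version": "5.0", "Statement": [{
    "Effect": "Deny",
    "Action": ["gaussdbfornosql:instance:updateEIP"],
    "Condition": {"Bool": {"gaussdbfornosql:AssociatePublicIp": ["true"]}}}]}
ALLOW_CREATE_IN_VPC = {"Version": "5.0", "Statement": [{
    "Effect": "Allow",
    "Action": ["gaussdbfornosql:instance:create"],
    "Condition": {"StringEquals": {
        "gaussdbfornosql:VpcId": ["f457aa28-72de-42b8-8517-d9c6e14b9d09"]}}}]}
# Constructed for this example: a broad grant attached alongside the others.
ALLOW_ALL_INSTANCE_ACTIONS = {"Version": "5.0", "Statement": [{
    "Effect": "Allow", "Action": ["gaussdbfornosql:instance:*"]}]}

# Operator semantics assumed here: a single-valued key matches when its one
# request value equals any listed value; Bool compares case-insensitively.
OPERATORS = {
    "StringEquals": lambda actual, listed: actual in listed,
    "Bool": lambda actual, listed: str(actual).lower() in [v.lower() for v in listed],
}

def condition_met(condition, context):
    """All operators and keys must match; a key absent from the request fails."""
    for operator, keys in condition.items():
        for key, listed in keys.items():
            if key not in context or not OPERATORS[operator](context[key], listed):
                return False
    return True

def evaluate(policies, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
                continue
            if not condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

In this model the conditional Allow limits only what that one statement grants: with `ALLOW_ALL_INSTANCE_ACTIONS` attached as well, `gaussdbfornosql:instance:create` in a different VPC still evaluates to Allow, whereas the Deny on `updateEIP` holds regardless of other grants.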