Relational Database Service (RDS)
IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.
In addition to IAM, the Organizations service also provides service control policies (SCPs) to set access control policies.
SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.
To learn more about how IAM policies are different from Organizations SCPs, see What Are the Differences in Access Control Between IAM and Organizations?
This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.
- For details about how to use these elements to edit an IAM custom identity policy, see Creating a Custom Identity Policy.
- For details about how to use these elements to create a custom SCP, see Creating an SCP.
Actions
Actions are specific operations that are allowed or denied in an identity policy.
- The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
- The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
- If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
- Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.
For details about the resource types defined by RDS, see Resources.
- The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
- If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about the condition keys defined by RDS, see Conditions.
- The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.
The following table lists the actions that you can define in identity policy statements for RDS.
|
Action |
Description |
Access Level |
Resource Type (*: required) |
Condition Key |
Alias |
|---|---|---|---|---|---|
|
rds:param:apply |
Grants permission to apply a parameter template. |
write |
- |
- |
- |
|
rds:instance:updateParameter |
Grants permission to modify parameters of an instance. |
write |
instance |
rds:param:modify |
|
|
rds:instance:restoreInPlace |
Grants permission to restore data to an existing or original instance. |
write |
- |
- |
- |
|
rds:instance:tableRestore |
Grants permission to restore tables. |
write |
- |
- |
- |
|
rds:database:drop |
Grants permission to delete a database. |
write |
instance |
- |
|
|
rds:log:getSlowLogs |
Grants permission to query slow query log statistics. |
read |
instance |
rds:log:list |
|
|
rds:instance:listDatabaseVersion |
Grants permission to query the database version information. |
read |
- |
- |
- |
|
rds:instance:listFlavors |
Grants permission to query specifications. |
read |
- |
- |
- |
|
rds:instance:listStorageType |
Grants permission to query storage types. |
read |
- |
- |
- |
|
rds:instance:create |
Grants permission to create a DB instance. |
write |
- |
- |
- |
|
rds:instance:stop |
Grants permission to stop an instance. |
write |
instance |
rds:instance:operateServer |
|
|
rds:instance:start |
Grants permission to start an instance. |
write |
instance |
rds:instance:operateServer |
|
|
rds:instance:updateName |
Grants permission to change an instance name. |
write |
instance |
rds:instance:modify |
|
|
rds:instance:updateRemark |
Grants permission to modify an instance description. |
write |
instance |
rds:instance:modify |
|
|
rds:instance:createDns |
Grants permission to create a private DNS server. |
write |
- |
- |
- |
|
rds:instance:updateDnsName |
Grants permission to modify a domain name. |
write |
instance |
rds:instance:modifyDns |
|
|
rds:instance:getDnsName |
Grants permission to query the domain name of an instance. |
read |
instance |
rds:instance:list |
|
|
rds:instance:getDnsName |
Grants permission to query the IPv6 domain name of an instance. |
read |
instance |
rds:instance:list |
|
|
rds:instance:getReplicaStatus |
Grants permission to query the replication status of an instance. |
read |
instance |
rds:instance:list |
|
|
rds:instance:modifySpec |
Grants permission to change instance specifications. |
write |
- |
- |
- |
|
rds:instance:extendSpace |
Grants permission to scale up storage space of an instance. |
permission_management |
instance |
- |
|
|
rds:instance:setAutoEnlargePolicy |
Grants permission to configure a storage autoscaling policy. |
permission_management |
instance |
rds:instance:modifyDns |
|
|
rds:instance:getAutoEnlargePolicy |
Grants permission to query an autoscaling policy. |
read |
instance |
rds:instance:list |
|
|
rds:instance:singleToHa |
Grants permission to change an instance from single-node to primary/standby. |
write |
instance |
- |
|
|
rds:instance:restart |
Grants permission to reboot an instance. |
write |
instance |
- |
|
|
rds:instance:deleteInstance |
Grants permission to delete a DB instance. |
write |
instance |
rds:instance:delete |
|
|
rds:instance:listAll |
Grants permission to query DB instances. |
read |
- |
- |
rds:instance:list |
|
rds:instance:modifyPublicAccess |
Grants permission to bind and unbind an EIP. |
write |
- |
- |
- |
|
rds:instance:modifyStrategy |
Grants permission to configure the failover priority of a primary/standby instance. |
permission_management |
instance |
- |
|
|
rds:instance:switchover |
Grants permission to perform a primary/standby switchover. |
write |
instance |
- |
|
|
rds:instance:modifySynchronizeModel |
Grants permission to configure the replication mode of a primary/standby instance. |
permission_management |
instance |
- |
|
|
rds:instance:openReadonly |
Grants permission to set an instance to read-only. |
permission_management |
instance |
- |
|
|
rds:instance:create |
Grants permission to migrate a standby instance. |
write |
- |
- |
- |
|
rds:instance:updateOpsWindow |
Grants permission to configure the maintenance window of an instance. |
write |
instance |
rds:instance:modify |
|
|
rds:instance:upgradeDatabaseVersion |
Grants permission to upgrade the version of an instance. |
write |
instance |
rds:instance:modify |
|
|
rds:instance:enableSecondLevelMonitoring |
Grants permission to enable Monitoring by Seconds. |
permission_management |
instance |
rds:log:switch |
|
|
rds:instance:getSecondLevelMonitoringConfig |
Grants permission to query the configuration of Monitoring by Seconds. |
read |
instance |
rds:log:list |
|
|
rds:instance:buildDrRelation |
Grants permission to configure DR capabilities for primary and DR instances, and promote DR instances to primary. |
write |
instance |
- |
|
|
rds:instance:getReplicaStatus |
Grants permission to query the DR replication status. |
read |
instance |
rds:instance:list |
|
|
rds:instance:listAll |
Grants permission to query DR instances in batches. |
read |
- |
- |
rds:instance:list |
|
rds:instance:modifySSL |
Grants permission to enable or disable SSL. |
permission_management |
- |
- |
- |
|
rds:instance:modifySSL |
Grants permission to obtain the SSL certificate download address. |
permission_management |
- |
- |
- |
|
rds:instance:modifyPort |
Grants permission to change a database port. |
write |
instance |
- |
|
|
rds:instance:modifySecurityGroup |
Grants permission to modify a security group. |
write |
- |
- |
- |
|
rds:instance:modifyIp |
Grants permission to change a floating IP address. |
write |
instance |
- |
|
|
rds:instance:modifyBackupPolicy |
Grants permission to configure an automated backup policy. |
permission_management |
instance |
- |
|
|
rds:instance:modifyBackupPolicy |
Grants permission to configure a cross-region automated backup policy. |
permission_management |
instance |
- |
|
|
rds:instance:getBackupPolicy |
Grants permission to query an automated backup policy. |
read |
instance |
rds:instance:list |
|
|
rds:instance:getBackupPolicy |
Grants permission to query a cross-region automated backup policy. |
read |
instance |
rds:instance:list |
|
|
rds:backup:create |
Grants permission to create a manual backup. |
write |
- |
- |
- |
|
rds:backup:list |
Grants permission to query backups. |
list |
- |
- |
- |
|
rds:backup:list |
Grants permission to query cross-region backups. |
list |
- |
- |
- |
|
rds:instance:listAll |
Grants permission to query DB instances for which cross-region backups are created. |
read |
- |
- |
rds:instance:list |
|
rds:backup:download |
Grants permission to obtain a backup download link. |
read |
- |
- |
- |
|
rds:backup:delete |
Grants permission to delete a manual backup. |
write |
- |
- |
- |
|
rds:instance:getRestoreTime |
Grants permission to query the restoration time range of an instance. |
read |
instance |
rds:instance:list |
|
|
rds:instance:getRestoreTime |
Grants permission to query the restoration time range of a cross-region backup. |
read |
instance |
rds:instance:list |
|
|
rds:instance:create |
Grants permission to restore data to a new DB instance. |
write |
- |
- |
- |
|
rds:instance:tableRestore |
Grants permission to check whether fast restoration can be used for restoring databases or tables of a DB instance. |
write |
- |
- |
- |
|
rds:backup:list |
Grants permission to query databases that can be restored to a specified point in time. |
list |
- |
- |
- |
|
rds:instance:tableRestore |
Grants permission to restore databases to a point in time. |
write |
- |
- |
- |
|
rds:instance:listAll |
Grants permission to query the target version to which a DB instance can be upgraded. |
read |
- |
- |
rds:instance:list |
|
rds:instance:listAll |
Grants permission to perform a major version upgrade pre-check for a DB instance. |
read |
- |
- |
rds:instance:list |
|
rds:instance:listAll |
Grants permission to query the major version check status or upgrade status of a DB instance |
read |
- |
- |
rds:instance:list |
|
rds:instance:listAll |
Grants permission to query the major version upgrade check history of a DB instance. |
read |
- |
- |
rds:instance:list |
|
rds:instance:update |
Grants permission to upgrade a major version. |
read |
- |
- |
rds:instance:modify |
|
rds:instance:listAll |
Grants permission to query the major version upgrade history of a DB instance. |
read |
- |
- |
rds:instance:list |
|
rds:log:getSlowLogs |
Grants permission to query slow query logs. |
read |
instance |
rds:log:list |
|
|
rds:log:getErrorLogs |
Grants permission to query database error logs. |
read |
instance |
rds:log:list |
|
|
rds:log:setSlowLogSensitiveStatus |
Grants permission to show original slow query logs. |
permission_management |
instance |
rds:log:switch |
|
|
rds:log:getSlowLogs |
Grants permission to query slow query log files. |
read |
instance |
rds:log:list |
|
|
rds:log:getErrorLogs |
Grants permission to query extended logs. |
read |
instance |
rds:log:list |
|
|
rds:log:download |
Grants permission to obtain links for downloading extended logs. |
read |
instance |
- |
|
|
rds:log:download |
Grants permission to download slow query logs. |
read |
instance |
- |
|
|
rds:auditlog:operate |
Grants permission to configure an audit log policy. |
permission_management |
instance |
- |
|
|
rds:auditlog:list |
Grants permission to query the policy for audit logs. |
read |
instance |
- |
|
|
rds:auditlog:list |
Grants permission to query audit logs. |
read |
instance |
- |
|
|
rds:auditlog:download |
Grants permission to obtain the link for downloading audit logs. |
read |
instance |
- |
|
|
rds:binlog:setPolicy |
Grants permission to configure a binlog policy. |
permission_management |
instance |
- |
|
|
rds:binlog:get |
Grants permission to query binlogs. |
read |
instance |
- |
|
|
rds:instance:listAll |
Grants permission to obtain the number of instances after diagnosis. |
read |
- |
- |
rds:instance:list |
|
rds:instance:listAll |
Grants permission to obtain the result of a specific diagnosis item. |
read |
- |
- |
rds:instance:list |
|
rds:instance:modifyProxy |
Grants permission to enable or disable database proxy. |
write |
instance |
- |
|
|
rds:instance:getDBProxy |
Grants permission to query information about a database proxy. |
read |
instance |
rds:instance:list |
|
|
rds:instance:getProxyFlavors |
Grants permission to query database proxy specifications. |
read |
instance |
rds:instance:list |
|
|
rds:instance:modifyProxy |
Grants permission to configure a routing policy for a database proxy. |
write |
instance |
- |
|
|
rds:database:createDatabase |
Grants permission to create a database. |
write |
instance |
rds:database:create |
|
|
rds:database:list |
Grants permission to query databases. |
list |
instance |
- |
|
|
rds:database:update |
Grants permission to modify the database remarks of a DB instance. |
write |
instance |
rds:database:create |
|
|
rds:database:drop |
Grants permission to delete a database. |
write |
instance |
- |
|
|
rds:databaseUser:create |
Grants permission to create a database account. |
write |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query database users. |
list |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query authorized users of a specified database. |
list |
instance |
- |
|
|
rds:databaseUser:update |
Grants permission to modify the remarks of a database account. |
write |
instance |
- |
|
|
rds:databaseUser:drop |
Grants permission to delete a database account. |
write |
instance |
- |
|
|
rds:password:update |
Grants permission to change a database password. |
write |
instance |
- |
|
|
rds:databasePrivilege:grant |
Grants permission to authorize a database account. |
write |
instance |
- |
|
|
rds:databasePrivilege:revoke |
Grants permission to revoke permissions of a database account. |
write |
instance |
- |
|
|
rds:password:update |
Grants permission to reset the password for user root. |
write |
instance |
- |
|
|
rds:database:createDatabase |
Grants permission to create a database. |
write |
instance |
rds:database:create |
|
|
rds:databaseUser:create |
Grants permission to create a database account. |
write |
instance |
- |
|
|
rds:database:update |
Grants permission to create a database schema. |
write |
instance |
rds:database:create |
|
|
rds:databasePrivilege:grant |
Grants permission to grant read or write permissions to a database account. |
write |
instance |
- |
|
|
rds:databasePrivilege:grant |
Grants permission to grant operation permissions to a database account. |
write |
instance |
- |
|
|
rds:password:update |
Grants permission to change a database password. |
write |
instance |
- |
|
|
rds:database:list |
Grants permission to query databases. |
list |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query database users. |
list |
instance |
- |
|
|
rds:database:list |
Grants permission to query database schemas. |
list |
instance |
- |
|
|
rds:databasePrivilege:grant |
Grants permission to configure account permissions. |
write |
instance |
- |
|
|
rds:database:update |
Grants permission to modify the database remarks of a DB instance. |
write |
instance |
rds:database:create |
|
|
rds:databaseUser:update |
Grants permission to modify the remarks of a database account. |
write |
instance |
- |
|
|
rds:database:drop |
Grants permission to delete a database. |
write |
instance |
- |
|
|
rds:databaseUser:drop |
Grants permission to delete a database account. |
write |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query the pg_hba.conf file configurations of a DB instance. |
list |
instance |
- |
|
|
rds:databaseUser:update |
Grants permission to modify or add one or more records in the pg_hba.conf file. |
write |
instance |
- |
|
|
rds:databaseUser:create |
Grants permission to overwrite the pg_hba.conf file. |
write |
instance |
- |
|
|
rds:databaseUser:drop |
Grants permission to delete one or more records from the pg_hba.conf file. |
write |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query the pg_hba.conf change history of a DB instance. |
list |
instance |
- |
|
|
rds:database:list |
Grants permission to query available SQL Server character sets. |
list |
instance |
- |
|
|
rds:database:createDatabase |
Grants permission to create a database. |
write |
instance |
rds:database:create |
|
|
rds:database:list |
Grants permission to query databases. |
list |
instance |
- |
|
|
rds:databaseUser:create |
Grants permission to create a database account. |
write |
instance |
- |
|
|
rds:password:update |
Grants permission to change a database password. |
write |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query database users. |
list |
instance |
- |
|
|
rds:databaseUser:list |
Grants permission to query authorized users of a specified database. |
list |
instance |
- |
|
|
rds:databaseUser:drop |
Grants permission to delete a database account. |
write |
instance |
- |
|
|
rds:databasePrivilege:grant |
Grants permission to authorize a database account. |
write |
instance |
- |
|
|
rds:databasePrivilege:revoke |
Grants permission to revoke permissions of a database account. |
write |
instance |
- |
|
|
rds:instance:SetMsdtcHosts |
Grants permission to add MSDTC hosts. |
write |
instance |
rds:instance:modify |
|
|
rds:instance:getMsdtcHosts |
Grants permission to query MSDTC hosts. |
read |
instance |
rds:instance:list |
|
|
rds:param:listAll |
Grants permission to query parameter templates. |
list |
- |
- |
rds:param:list |
|
rds:param:createTemplate |
Grants permission to create a parameter template. |
write |
- |
- |
rds:param:create |
|
rds:param:updateTemplate |
Grants permission to modify parameters in a parameter template. |
write |
- |
- |
rds:param:modify |
|
rds:param:copy |
Grants permission to replicate a parameter template. |
write |
- |
- |
rds:param:create |
|
rds:param:listInstanceParamHistories |
Grants permission to query change history of instance parameters. |
list |
- |
- |
rds:param:list |
|
rds:instance:getParameter |
Grants permission to query the parameter template of an instance. |
read |
instance |
rds:param:list |
|
|
rds:param:get |
Grants permission to query parameters of a parameter template. |
read |
- |
- |
rds:param:list |
|
rds:param:get |
Grants permission to delete a parameter template. |
read |
- |
- |
- |
|
rds:database:update |
Grants permission to create an extension. |
write |
instance |
rds:database:create |
|
|
rds:database:list |
Grants permission to query extensions. |
list |
instance |
- |
|
|
rds:database:drop |
Grants permission to delete an extension. |
write |
instance |
- |
|
|
rds:instance:updateParameter |
Grants permission to modify the value of a specified parameter for a DB instance. |
write |
instance |
rds:param:modify |
|
|
rds:instance:getParameter |
Grants permission to obtain the value of a specified parameter for a DB instance. |
read |
instance |
rds:param:list |
|
|
rds:instance:setRecycleBin |
Grants permission to configure a recycling policy. |
write |
- |
- |
- |
|
rds:instance:listAll |
Grants permission to query the recycling policy. |
read |
- |
- |
rds:instance:list |
|
rds:instance:listAll |
Grants permission to query DB instances in the recycle bin. |
read |
- |
- |
rds:instance:list |
|
rds:instance:createTag |
Grants permission to add tags in batches. |
write |
instance |
rds:instance:dealTag |
|
|
rds:instance:deleteTag |
Grants permission to delete tags in batches. |
write |
instance |
rds:instance:dealTag |
|
|
rds:tag:list |
Grants permission to query project tags. |
list |
- |
- |
- |
|
rds:instance:listQuotas |
Grants permission to query resource quotas. |
read |
- |
- |
rds:instance:list |
|
rds:task:listAll |
Grants permission to obtain task information. |
list |
- |
- |
rds:task:list |
|
rds:task:listAll |
Grants permission to obtain task information of a specified DB instance in a specified time range. |
list |
- |
- |
rds:task:list |
|
rds:instance:tde |
Grants permission to enable TDE. |
permission_management |
instance |
- |
|
|
rds:instance:deleteDisasterRecovery |
Grants permission to remove a DR relationship. |
write |
instance |
- |
|
|
rds:instance:showReplayDelayStatus |
Grants permission to query the log replay delay status. |
read |
instance |
rds:instance:list |
|
|
rds:instance:switchLogReplay |
Grants permission to stop and resume log replay. |
write |
instance |
rds:instance:modify |
|
|
rds:instance:queryRecoveryTimeWindow |
Grants permission to query the recovery time window of WAL logs. |
read |
instance |
rds:instance:list |
|
|
rds:binlog:setPolicy |
Grants permission to set the retention period for local binlogs. |
permission_management |
instance |
- |
|
|
rds:binlog:get |
Grants permission to get the retention period for local binlogs. |
read |
instance |
- |
|
|
rds:instance:listAll |
Grants permission to obtain the number of instances after diagnosis. |
read |
- |
- |
rds:instance:list |
|
rds:instance:listAll |
Grants permission to obtain the result of a specific diagnosis item. |
read |
- |
- |
rds:instance:list |
|
rds:instance:update |
Grants permission to add SQL throttling rules. |
read |
- |
- |
rds:instance:modify |
|
rds:instance:update |
Grants permission to delete SQL throttling rules. |
read |
- |
- |
rds:instance:modify |
|
rds:instance:update |
Grants permission to modify SQL throttling rules. |
read |
- |
- |
rds:instance:modify |
|
rds:instance:get |
Grants permission to query SQL throttling rules. |
read |
instance |
rds:instance:list |
|
|
rds:instance:update |
Grants permission to enable or disable a SQL throttling rule or disable all SQL throttling rules. |
read |
- |
- |
rds:instance:modify |
|
rds:instance:update |
Grants permission to unlock an instance from the read-only state. |
read |
- |
- |
rds:instance:modify |
Each API of RDS usually supports one or more actions. Table 2 lists the supported actions and dependencies.
|
API |
Action |
Dependencies |
|---|---|---|
|
PUT /v3.1/{project_id}/configurations/{config_id}/apply |
rds:param:apply |
- |
|
PUT /v3.1/{project_id}/instances/{instance_id}/configurations |
rds:instance:updateParameter |
- |
|
POST /v3.1/{project_id}/instances/recovery |
rds:instance:restoreInPlace |
- |
|
POST /v3.1/{project_id}/instances/{instance_id}/restore/tables |
rds:instance:tableRestore |
- |
|
DELETE /v3.1/{project_id}/instances/{instance_id}/database/{db_name} |
rds:database:drop |
- |
|
POST /v3.1/{project_id}/instances/{instance_id}/slow-logs/statistics |
rds:log:getSlowLogs |
- |
|
GET /v3/{project_id}/datastores/{database_name} |
rds:instance:listDatabaseVersion |
- |
|
GET /v3/{project_id}/flavors/{database_name}?version_name={version_name}&spec_code={spec_code}&is_serverless={is_serverless} |
rds:instance:listFlavors |
- |
|
GET /v3/{project_id}/storage-type/{database_name}?version_name={version_name}&ha_mode={ha_mode} |
rds:instance:listStorageType |
- |
|
POST /v3/{project_id}/instances |
rds:instance:create |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action/shutdown |
rds:instance:stop |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action/startup |
rds:instance:start |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/name |
rds:instance:updateName |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/alias |
rds:instance:updateRemark |
- |
|
POST /v3/{project_id}/instances/{instance_id}/create-dns |
rds:instance:createDns |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/modify-dns |
rds:instance:updateDnsName |
- |
|
GET /v3/{project_id}/instances/{instance_id}/dns |
rds:instance:getDnsName |
- |
|
GET /v3/{project_id}/instances/{instance_id}/dns-ipv6 |
rds:instance:getDnsName |
- |
|
GET /v3/{project_id}/instances/{instance_id}/replication/status |
rds:instance:getReplicaStatus |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action |
rds:instance:modifySpec |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action |
rds:instance:extendSpace |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/disk-auto-expansion |
rds:instance:setAutoEnlargePolicy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/disk-auto-expansion |
rds:instance:getAutoEnlargePolicy |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action |
rds:instance:singleToHa |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action |
rds:instance:restart |
- |
|
DELETE /v3/{project_id}/instances/{instance_id} |
rds:instance:deleteInstance |
- |
|
GET /v3/{project_id}/instances |
rds:instance:listAll |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/public-ip |
rds:instance:modifyPublicAccess |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/failover/strategy |
rds:instance:modifyStrategy |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/failover |
rds:instance:switchover |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/failover/mode |
rds:instance:modifySynchronizeModel |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/readonly-status |
rds:instance:openReadonly |
- |
|
POST /v3/{project_id}/instances/{instance_id}/migrateslave |
rds:instance:create |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/ops-window |
rds:instance:updateOpsWindow |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db-upgrade |
rds:instance:upgradeDatabaseVersion |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/second-level-monitor |
rds:instance:enableSecondLevelMonitoring |
- |
|
GET /v3/{project_id}/instances/{instance_id}/second-level-monitor |
rds:instance:getSecondLevelMonitoringConfig |
- |
|
POST /v3/{project_id}/instances/{instance_id}/action |
rds:instance:buildDrRelation |
- |
|
GET /v3/{project_id}/instances/{instance_id}/disaster-recovery |
rds:instance:getReplicaStatus |
- |
|
GET /v3/{project_id}/instances/disaster-recovery-relation |
rds:instance:listAll |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/ssl |
rds:instance:modifySSL |
- |
|
GET /v3/{project_id}/instances/{instance_id}/ssl-cert/download-link |
rds:instance:modifySSL |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/port |
rds:instance:modifyPort |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/security-group |
rds:instance:modifySecurityGroup |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/ip |
rds:instance:modifyIp |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/backups/policy |
rds:instance:modifyBackupPolicy |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/backups/offsite-policy |
rds:instance:modifyBackupPolicy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/backups/policy |
rds:instance:getBackupPolicy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/backups/offsite-policy |
rds:instance:getBackupPolicy |
- |
|
POST /v3/{project_id}/backups |
rds:backup:create |
- |
|
GET /v3/{project_id}/backups?instance_id={instance_id}&backup_id={backup_id}&backup_type={backup_type}&offset={offset}&limit={limit}&begin_time={begin _time}&end_time={end_time} |
rds:backup:list |
- |
|
GET /v3/{project_id}/offsite-backups?instance_id={instance_id}&backup_id={backup_id}&backup_type={backup_type}&offset={offset}&limit={limit}&begin_time={begin _time}&end_time={end_time} |
rds:backup:list |
- |
|
GET /v3/backups/offsite-backup-instance?offset={offset}&limit={limit} |
rds:instance:listAll |
- |
|
GET /v3/{project_id}/backup-files?backup_id={backup_id} |
rds:backup:download |
- |
|
DELETE /v3/{project_id}/backups/{backup_id} |
rds:backup:delete |
- |
|
GET /v3/{project_id}/instances/{instance_id}/restore-time?date=2020-12-26 |
rds:instance:getRestoreTime |
- |
|
GET /v3/{project_id}/instances/{instance_id}/offsite-restore-time?date=2020-12-26 |
rds:instance:getRestoreTime |
- |
|
POST /v3/{project_id}/instances |
rds:instance:create |
- |
|
POST /v3/{project_id}/instances/fast-restore |
rds:instance:tableRestore |
- |
|
POST /v3/{project_id}/{engine}/instances/history/databases |
rds:backup:list |
- |
|
POST /v3/{project_id}/instances/batch/restore/databases |
rds:instance:tableRestore |
- |
|
GET /v3/{project_id}/instances/{instance_id}/major-version/available-version |
rds:instance:listAll |
- |
|
POST /v3/{project_id}/instances/{instance_id}/major-version/inspection |
rds:instance:listAll |
- |
|
GET /v3/{project_id}/instances/{instance_id}/major-version/status?action={current_action} |
rds:instance:listAll |
- |
|
GET /v3/{project_id}/instances/{instance_id}/major-version/inspection-histories?offset={offset}&limit={limit}&order={order}&sort_field={sort_field}&target_version={target_version}&is_available={is_available} |
rds:instance:listAll |
- |
|
POST /v3/{project_id}/instances/{instance_id}/major-version/upgrade |
rds:instance:update |
- |
|
GET /v3/{project_id}/instances/{instance_id}/major-version/upgrade-histories?offset={offset}&limit={limit}&order={order}&sort_field={sort_field} |
rds:instance:listAll |
- |
|
POST /v3/{project_id}/instances/{instance_id}/slow-logs |
rds:log:getSlowLogs |
- |
|
POST /v3/{project_id}/instances/{instance_id}/error-logs |
rds:log:getErrorLogs |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/slowlog-sensitization/{status} |
rds:log:setSlowLogSensitiveStatus |
- |
|
GET /v3/{project_id}/instances/{instance_id}/slowlog-files |
rds:log:getSlowLogs |
- |
|
GET /v3/{project_id}/instances/{instance_id}/xellog-files |
rds:log:getErrorLogs |
- |
|
POST /v3/{project_id}/instances/{instance_id}/xellog-download |
rds:log:download |
- |
|
POST /v3/{project_id}/instances/{instance_id}/slowlog-download |
rds:log:download |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/auditlog-policy |
rds:auditlog:operate |
- |
|
GET /v3/{project_id}/instances/{instance_id}/auditlog-policy |
rds:auditlog:list |
- |
|
GET /v3/{project_id}/instances/{instance_id}/auditlog?start_time={start_time}&end_time={end_time}&offset={offset}&limit={limit} |
rds:auditlog:list |
- |
|
POST /v3/{project_id}/instances/{instance_id}/auditlog-links |
rds:auditlog:download |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/binlog/clear-policy |
rds:binlog:setPolicy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/binlog/clear-policy |
rds:binlog:get |
- |
|
GET /v3/{project_id}/instances/diagnosis |
rds:instance:listAll |
- |
|
GET /v3/{project_id}/instances/diagnosis/info |
rds:instance:listAll |
- |
|
POST /v3/{project_id}/instances/{instance_id}/proxy/open |
rds:instance:modifyProxy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/proxy-list |
rds:instance:getDBProxy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/proxy/flavors |
rds:instance:getProxyFlavors |
- |
|
POST /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id}/route-mode |
rds:instance:modifyProxy |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/proxy/{proxy_id} |
rds:instance:modifyProxy |
- |
|
POST /v3/{project_id}/instances/{instance_id}/database |
rds:database:createDatabase |
- |
|
GET /v3/{project_id}/instances/{instance_id}/database/detail?page={page}&limit={limit} |
rds:database:list |
- |
|
POST /v3/{project_id}/instances/{instance_id}/database/update |
rds:database:update |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/database/{db_name} |
rds:database:drop |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_user |
rds:databaseUser:create |
- |
|
GET /v3/{project_id}/instances/{instance_id}/db_user/detail?page={page}&limit={limit} |
rds:databaseUser:list |
- |
|
GET /v3/{project_id}/instances/{instance_id}/database/db_user?db-name={db-name}&page={page}&limit={limit} |
rds:databaseUser:list |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/db-users/{user_name}/comment |
rds:databaseUser:update |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/db_user/{user_name} |
rds:databaseUser:drop |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_user/resetpwd |
rds:password:update |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_privilege |
rds:databasePrivilege:grant |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/db_privilege |
rds:databasePrivilege:revoke |
- |
|
POST /v3/{project_id}/instances/{instance_id}/password |
rds:password:update |
- |
|
POST /v3/{project_id}/instances/{instance_id}/database |
rds:database:createDatabase |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_user |
rds:databaseUser:create |
- |
|
POST /v3/{project_id}/instances/{instance_id}/schema |
rds:database:update |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_privilege |
rds:databasePrivilege:grant |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db-user-privilege |
rds:databasePrivilege:grant |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_user/resetpwd |
rds:password:update |
- |
|
GET /v3/{project_id}/instances/{instance_id}/database/detail?page={page}&limit={limit} |
rds:database:list |
- |
|
GET /v3/{project_id}/instances/{instance_id}/db_user/detail?page={page}&limit={limit} |
rds:databaseUser:list |
- |
|
GET /v3/{project_id}/instances/{instance_id}/schema/detail?db_name={name}&page={page}&limit={limit} |
rds:database:list |
- |
|
POST /v3/{project_id}/instances/{instance_id}/user-privilege |
rds:databasePrivilege:grant |
- |
|
POST /v3/{project_id}/instances/{instance_id}/database/update |
rds:database:update |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/db-users/{user_name}/comment |
rds:databaseUser:update |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/database/{db_name} |
rds:database:drop |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/db_user/{user_name} |
rds:databaseUser:drop |
- |
|
GET /v3/{project_id}/instances/{instance_id}/hba-info |
rds:databaseUser:list |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/hba-info |
rds:databaseUser:update |
- |
|
POST /v3/{project_id}/instances/{instance_id}/hba-info |
rds:databaseUser:create |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/hba-info |
rds:databaseUser:drop |
- |
|
GET /v3/{project_id}/instances/{instance_id}/hba-info/history |
rds:databaseUser:list |
- |
|
GET /v3/{project_id}/collations |
rds:database:list |
- |
|
POST /v3/{project_id}/instances/{instance_id}/database |
rds:database:createDatabase |
- |
|
GET /v3/{project_id}/instances/{instance_id}/database/detail?page={page}&limit={limit}&db-name={db-name}&recover_model={recover_model} |
rds:database:list |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_user |
rds:databaseUser:create |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_user/resetpwd |
rds:password:update |
- |
|
GET /v3/{project_id}/instances/{instance_id}/db_user/detail?page={page}&limit={limit} |
rds:databaseUser:list |
- |
|
GET /v3/{project_id}/instances/{instance_id}/database/db_user?db-name={db-name}&page={page}&limit={limit} |
rds:databaseUser:list |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/db_user/{user_name} |
rds:databaseUser:drop |
- |
|
POST /v3/{project_id}/instances/{instance_id}/db_privilege |
rds:databasePrivilege:grant |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/db_privilege |
rds:databasePrivilege:revoke |
- |
|
POST /v3/{project_id}/instances/{instance_id}/msdtc/host |
rds:instance:SetMsdtcHosts |
- |
|
GET /v3/{project_id}/instances/{instance_id}/msdtc/hosts?offset={offset}&limit={limit} |
rds:instance:getMsdtcHosts |
- |
|
GET /v3/{project_id}/configurations |
rds:param:listAll |
- |
|
POST /v3/{project_id}/configurations |
rds:param:createTemplate |
- |
|
PUT /v3/{project_id}/configurations/{config_id} |
rds:param:updateTemplate |
- |
|
POST /v3/{project_id}/configurations/{config_id}/copy |
rds:param:copy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/configuration-histories?offset={offset}&limit={limit}&start_time={start_time}&end_time={end_time}¶m_name={param_name} |
rds:param:listInstanceParamHistories |
- |
|
GET /v3/{project_id}/instances/{instance_id}/configurations |
rds:instance:getParameter |
- |
|
GET /v3/{project_id}/configurations/{config_id} |
rds:param:get |
- |
|
DELETE /v3/{project_id}/configurations/{config_id} |
rds:param:get |
- |
|
POST /v3/{project_id}/instances/{instance_id}/extensions |
rds:database:update |
- |
|
GET /v3/{project_id}/instances/{instance_id}/extensions?database_name={database_name}&offset={offset}&limit={limit} |
rds:database:list |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/extensions |
rds:database:drop |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/parameter/{name} |
rds:instance:updateParameter |
- |
|
GET /v3/{project_id}/instances/{instance_id}/parameter/{name} |
rds:instance:getParameter |
- |
|
PUT /v3/{project_id}/instances/recycle-policy |
rds:instance:setRecycleBin |
- |
|
GET /v3/{project_id}/instances/recycle-policy |
rds:instance:listAll |
- |
|
GET /v3/{project_id}/recycle-instances?offset={offset}&limit={limit} |
rds:instance:listAll |
- |
|
POST /v3/{project_id}/instances/{instance_id}/tags/action |
rds:instance:createTag |
- |
|
POST /v3/{project_id}/instances/{instance_id}/tags/action |
rds:instance:deleteTag |
- |
|
GET /v3/{project_id}/tags |
rds:tag:list |
- |
|
GET /v3/{project_id}/quotas |
rds:instance:listQuotas |
- |
|
GET /v3/{project_id}/jobs?id={id} |
rds:task:listAll |
- |
|
GET /v3/{project_id}/instances/{instance_id}/tasklist/detail?start_time={start_time}&end_time={end_time} |
rds:task:listAll |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/tde |
rds:instance:tde |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/delete-disaster-recovery |
rds:instance:deleteDisasterRecovery |
- |
|
GET /v3/{project_id}/instances/{instance_id}/replay-delay/show |
rds:instance:showReplayDelayStatus |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/log-replay/update |
rds:instance:switchLogReplay |
- |
|
GET /v3/{project_id}/instances/{instance_id}/recovery-time |
rds:instance:queryRecoveryTimeWindow |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/binlog/clear-policy |
rds:binlog:setPolicy |
- |
|
GET /v3/{project_id}/instances/{instance_id}/binlog/clear-policy |
rds:binlog:get |
- |
|
GET /v3/{project_id}/instances/diagnosis |
rds:instance:listAll |
- |
|
GET /v3/{project_id}/instances/diagnosis/info |
rds:instance:listAll |
- |
|
POST /v3/{project_id}/instances/{instance_id}/sql-limit |
rds:instance:update |
- |
|
DELETE /v3/{project_id}/instances/{instance_id}/sql-limit |
rds:instance:update |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/sql-limit/update |
rds:instance:update |
- |
|
GET /v3/{project_id}/instances/{instance_id}/sql-limit?db_name={db_name}&offset={offset}&limit={limit} |
rds:instance:get |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/sql-limit/switch |
rds:instance:update |
- |
|
PUT /v3/{project_id}/instances/{instance_id}/unlock-node-readonly-status |
rds:instance:update |
- |
Resources
A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.
The following table lists the resource types that you can define in identity policy statements for RDS.
Conditions
A Condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.
- The condition key that you specify can be a global condition key or a service-specific condition key.
- Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
- Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, rds:) apply only to operations of the RDS service. For details, see Table 4.
- The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key–value pairs in a request, so g:TagKeys is a multivalued condition key.
- A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For supported condition operators, see condition operators.
The following table lists the condition keys that you can define in identity policies for RDS. You can include these condition keys to specify conditions for when your identity policy is in effect.
|
Service-specific Condition Key |
Type |
Single-valued/Multivalued |
Description |
|---|---|---|---|
|
rds:Encrypted |
Boolean |
Single-valued |
Filters access permissions based on the tag key of whether to enable disk encryption transferred in the request parameter. |
|
rds:BackupEnabled |
Boolean |
Single-valued |
Filters access permissions based on the tag key of whether to enable the backup policy transferred in the request parameter. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
