Updated on 2025-11-11 GMT+08:00

Using IAM Roles or Policies to Grant Access to RDS

Identity and Access Management (IAM) lets you manage role/policy-based permissions of your RDS instances. With IAM, you can:

  • Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing RDS resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your RDS resources.

If your Huawei Cloud account does not need individual IAM users, you can skip this topic.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before granting permissions to user groups, learn about RDS system-defined permissions in Role/policy-based Permissions Management. If you want to grant other services' permissions, see System-defined Permissions.

Process Flow

Figure 1 Process of granting RDS permissions
  1. On the IAM console, create a user group and grant it permissions (RDS ReadOnlyAccess as an example).
  2. Create an IAM user and add it to the user group created in step 1.
  3. Log in as the IAM user and verify permissions.

    Log in to the console as the created user, switch to the region where it is authorized, and verify the permissions.

    • Choose Relational Database Service from the service list. Then click Buy DB Instance on the RDS console. If a message appears indicating that you have insufficient permissions to perform the operation, the RDS ReadOnlyAccess policy is in effect.
    • Choose any other service from the service list. If a message appears indicating that you have insufficient permissions to access the service, the RDS ReadOnlyAccess policy has already taken effect.

Example Custom Policies

Create custom policies to supplement the system-defined policies of RDS. For details about actions supported in custom policies, see Actions Supported by Policy-based Authorization.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists some typical RDS custom policy examples.

  • Example 1: Allowing users to create RDS instances
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:instance:create"
                ]
            }
        ]
    }
  • Example 2: Denying RDS instance deletion

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Use the following method if you need to grant a user the permissions of the RDS FullAccess policy but want to prevent that user from deleting RDS instances: create a custom policy that denies RDS instance deletion, and attach both policies to the group the user belongs to. The user can then perform all operations on RDS instances except deleting them. The following is an example policy.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "rds:instance:delete"
                ]
            }
        ]
    }
  • Example 3: Creating a custom policy containing multiple actions

    A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). The following is an example policy containing multiple actions.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "rds:instance:create",
                    "rds:instance:delete",
                    "vpc:vpcs:list",
                    "vpc:vpcs:get"
                ],
                "Effect": "Allow"
            }
        ]
    }

RDS Resources

A resource is an object that exists within a service. RDS resources include instances. To select these resources, specify their paths.

Table 1 RDS resources and their paths

Resource: instance
Resource Name: Instance
Resource Path:
  [Format]
  RDS:*:*:instance:instance-ID
  [Notes]
  For instance resources, RDS automatically generates the prefix (RDS:*:*:instance:) for resource paths.
  To specify a path for a specific instance, add the instance ID to the end. To specify paths for multiple instances, add a different instance ID to each path. You can also use an asterisk (*) to indicate any instance. Example:
  RDS:*:*:instance:* indicates any RDS instance.
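The following is an added example, not Huawei Cloud's own evaluation engine, that shows how the rules stated on this page combine: the "Deny" precedence described under Example 2 (a custom deny policy attached alongside RDS FullAccess) and the asterisk wildcard in the resource paths from Table 1. It assumes that RDS FullAccess can be modelled as an Allow over every RDS action (its real action list is not on this page), that a statement may carry a "Resource" element listing paths in the RDS:*:*:instance:instance-ID format, and it uses the constructed instance IDs inst-1111 and inst-2222.

```python
"""Toy policy evaluator for the rules this page describes.

Added example, not Huawei Cloud's own evaluation engine. It models three rules
stated on the page: a request that no statement matches is denied, an explicit
"Deny" takes precedence over any "Allow", and an asterisk in an action or
resource path segment matches any value for that segment.
"""

# Example 1 and Example 2 from the page, as Python dicts.
ALLOW_CREATE = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["rds:instance:create"]}],
}
DENY_DELETE = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["rds:instance:delete"]}],
}

# Assumption: the system-defined RDS FullAccess policy is modelled as a
# wildcard over every RDS action; its real action list is not on this page.
FULL_ACCESS_MODEL = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["rds:*:*"]}],
}

# Assumption: a "Resource" element that restricts a statement to one instance,
# using the RDS:*:*:instance:instance-ID path format from Table 1.
# "inst-1111" is a constructed instance ID.
ALLOW_DELETE_ONE_INSTANCE = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:instance:delete"],
        "Resource": ["RDS:*:*:instance:inst-1111"],
    }],
}


def segments_match(pattern: str, value: str) -> bool:
    """Compare colon-separated segments; '*' in the pattern matches any segment."""
    p_parts, v_parts = pattern.split(":"), value.split(":")
    if len(p_parts) != len(v_parts):
        return False
    return all(p == "*" or p == v for p, v in zip(p_parts, v_parts))


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement covers both the requested action and resource."""
    if not any(segments_match(a, action) for a in stmt.get("Action", [])):
        return False
    resources = stmt.get("Resource")
    if resources is None:          # no "Resource" element: applies to all resources
        return True
    return any(segments_match(r, resource) for r in resources)


def is_allowed(policies: list, action: str, resource: str) -> bool:
    """Evaluate every attached policy: Deny wins, otherwise Allow, else default deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False       # an explicit Deny overrides any Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    target = "RDS:*:*:instance:inst-1111"    # constructed request resource path
    group = [FULL_ACCESS_MODEL, DENY_DELETE]  # the Example 2 combination
    for act in ("rds:instance:create", "rds:instance:delete"):
        verdict = "allowed" if is_allowed(group, act, target) else "denied"
        print(f"{act:<22} -> {verdict}")
```

The order in which policies are attached to the group does not matter: a matching Deny ends evaluation with a refusal whether it is seen before or after the Allow, which is exactly why a Deny-only policy is safe to pair with RDS FullAccess. The model leaves out request conditions and the global/project-level scope distinction mentioned under Example 3; it demonstrates only the Allow/Deny combination and path matching.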