Configure Alibaba Cloud access credentials
NineData supports two credential types for an Alibaba Cloud account: an access key or a role. NineData uses the credential to create a private network connection (PrivateLink) endpoint for NineData, to query PrivateLink, ECS, RDS, VPC, NAT gateway and other necessary information, and to establish a peer-to-peer network connection between the NineData server and the database.
Permission description
To use this method, the user's Alibaba Cloud access credentials need the following permissions (presented as a JSON permission script).
{
  "Version":"1",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:CreateVSwitchRequest",
        "ecs:DescribeSecurityGroupAttribute"
      ],
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":[
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstances",
        "rds:ModifySecurityIps"
      ],
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":[
        "vpc:DescribeVSwitches",
        "vpc:CreateVSwitch",
        "vpc:DescribeVpcs",
        "vpc:ListVpcEndpointServicesByEndUser"
      ],
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":[
        "Privatelink:ListVpcEndpointZones",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointServicesByEndUser"
      ],
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"vpc:DescribeVpcs",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":[
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterEndpoints"
      ],
      "Resource":"*"
    }
  ]
}
If using a RAM account, please contact the administrator to authorize the RAM account or authorize a role for NineData to use according to this article.
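As an added example (not NineData's or Alibaba Cloud's code), the script below reviews the policy above before it is granted to a third party: it reports duplicated actions, the actions that change resources, and how many statements grant such actions on Resource "*". The read-only verb prefixes and the case-insensitive comparison are assumptions of this example.

```python
import json
from collections import Counter

# Policy from "Permission description" above, condensed (same actions, same order).
POLICY = json.loads("""{"Version":"1","Statement":[
{"Effect":"Allow","Resource":"*","Action":["ecs:DescribeInstanceAttribute",
 "ecs:DescribeInstances","ecs:DescribeSecurityGroups","ecs:CreateSecurityGroup",
 "ecs:JoinSecurityGroup","ecs:CreateSecurityGroup","ecs:AuthorizeSecurityGroup",
 "ecs:JoinSecurityGroup","ecs:CreateVSwitchRequest","ecs:DescribeSecurityGroupAttribute"]},
{"Effect":"Allow","Resource":"*","Action":["rds:DescribeDBInstanceAttribute",
 "rds:DescribeDBInstanceIPArrayList","rds:DescribeDBInstanceNetInfo",
 "rds:DescribeDBInstances","rds:ModifySecurityIps"]},
{"Effect":"Allow","Resource":"*","Action":["vpc:DescribeVSwitches","vpc:CreateVSwitch",
 "vpc:DescribeVpcs","vpc:ListVpcEndpointServicesByEndUser"]},
{"Effect":"Allow","Resource":"*","Action":["Privatelink:ListVpcEndpointZones",
 "privatelink:ListVpcEndpointConnections","privatelink:CreateVpcEndpoint",
 "privatelink:ListVpcEndpoints","privatelink:ListVpcEndpointServicesByEndUser"]},
{"Effect":"Allow","Resource":"*","Action":"vpc:DescribeVpcs"},
{"Effect":"Allow","Resource":"*","Action":["polardb:DescribeDBClusters",
 "polardb:DescribeDBClusterEndpoints"]}]}""")

READ_VERBS = ("describe", "list", "get", "query")  # assumed read-only prefixes

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy):
    seen, writes, wildcard_write_statements = Counter(), set(), 0
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Case is normalised for comparison (an assumption of this example).
        actions = [a.lower() for a in as_list(stmt["Action"])]
        seen.update(actions)
        # "svc:*" or "*" has no read-only verb, so it counts as a write grant.
        stmt_writes = {a for a in actions
                       if not a.rpartition(":")[2].startswith(READ_VERBS)}
        writes |= stmt_writes
        if stmt_writes and "*" in as_list(stmt["Resource"]):
            wildcard_write_statements += 1
    return {"duplicates": sorted(a for a, n in seen.items() if n > 1),
            "write_actions": sorted(writes),
            "wildcard_write_statements": wildcard_write_statements}

if __name__ == "__main__":
    print(json.dumps(audit(POLICY), indent=2))
```

The write actions it reports are the ones to weigh when deciding whether the credential should be a long-lived AccessKey or a role.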
Step 1: Create permission policy
Log in to the Alibaba Cloud RAM Console and click the JSON tab on the Create Policy page.
Copy the permission script from the Permission description section of this article, paste it into the text box of the RAM console, and click Next to edit policy information.
In the Basic Information area, enter the Name of the policy, and click OK.
Tip: The name supports 1 ~ 128 characters and can contain English letters, numbers and dashes (-).
Step 2 (optional): Add Access Key
NineData accesses the user's Alibaba Cloud resources directly through an AccessKey ID and AccessKey Secret.
Log in to the Alibaba Cloud RAM Console and click Add Permissions in the Actions column to the right of the target user.
Tip: The target user must be the user who owns the AccessKey to be added.
On the Add Permissions page, click Custom Policy in the Select Policy area, then find and click the name of the policy created in Step 1. The policy automatically appears in the box on the right. Click OK, then click Complete.
Move the mouse to the avatar in the upper right corner of the page and click AccessKey Management in the pop-up menu, or go directly to the AccessKey Pair page. Click Create AccessKey and record the AccessKey ID and AccessKey Secret shown in the pop-up View Secret window. You can also click Download CSV File to download a CSV file that records the AccessKey information, or click Copy to copy the AccessKey information to the clipboard.
Tip: Each user can create up to 2 AccessKeys in an account. The user can delete an existing one: removing an AccessKey requires clicking Disable before selecting Delete. When deleting, the user needs to enter the AccessKey ID for confirmation.
Warning: Deleting the AccessKey may cause business interruption. Ensure that the AccessKey is not used by any business before deleting it.
Log in to the NineData Console, click Datasource > Access Credentials on the left, click Create Credential in the upper right corner, configure the credential according to the table below, and click Create Credential.

| Parameter | Description |
| --- | --- |
| Name | Enter a credential name. To facilitate subsequent search and management, please try to use meaningful names. |
| Cloud Vendor | Click Alibaba Cloud. |
| Type | Select AccessKey. |
| Access Key | Enter the AccessKey ID recorded in Step 3. |
| Access Key Secret | Enter the AccessKey Secret recorded in Step 3. |

Step 3 (optional): Add roles
Authorize NineData to access the user's Alibaba Cloud resources by acting as the configured Alibaba Cloud role.
Log in to the Alibaba Cloud RAM Console, click Create Role, select Alibaba Cloud Account in the window that pops up on the right, and click Next.
Enter RAM Role Name.
Tip: The role name supports 1 to 64 characters and can contain English letters, numbers and dashes (-).
Under Select Trusted Alibaba Cloud Account, select Other Alibaba Cloud Account, enter the NineData service account 1062166699324909 in the text box, and click OK.
Tip: This step is essential so that NineData can access the necessary resources in the user's Alibaba Cloud account through the configured role.
Click Add Permissions to RAM Role. In the Add Permissions window, click Custom Policy in the Select Policy area, then find and click the name of the policy created in Step 1. The policy automatically appears in the box on the right. Click OK, and then click Complete.
On the Roles page, click the name of the newly created role to enter the Basic Information page of the role and record the ARN of the role shown on this page. You can click Copy directly to the right of the ARN to copy the ARN to the clipboard.
Log in to the NineData Console, click Datasource > Access Credentials on the left, click Create Credentials in the upper right corner, configure the credential according to the table below, and click Create Credential.

| Parameter | Description |
| --- | --- |
| Name | Enter a credential name. To facilitate subsequent search and management, please try to use meaningful names. |
| Cloud Vendor | Click Alibaba Cloud. |
| Type | Select Role. |
| Role Name | Enter the role name created in the above steps. |
| ARN | Enter the ARN corresponding to the role name. |