Resource Management: Use a member to log on to the Alibaba Cloud Management Console

Last Updated: Nov 20, 2023

After you create a member in a resource directory or invite an Alibaba Cloud account to join a resource directory as a member, you can use the methods described in this topic to enable the member to log on to the Alibaba Cloud Management Console.

Logon methods

Use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console

  • Description: The system automatically creates a RAM role named ResourceDirectoryAccountAccessRole for each member in a resource directory and specifies the management account of the resource directory as the trusted entity for the RAM role. This way, the management account has permissions to assume the RAM roles of all members in the resource directory and log on to the Alibaba Cloud Management Console. You can use the management account of a resource directory to create a RAM user and grant administrative permissions to the RAM user. Then, you can use the RAM user to assume the RAM role ResourceDirectoryAccountAccessRole of a member in the resource directory and log on to the Alibaba Cloud Management Console.

  • Applicable member type:

    • Members that are created in a resource directory. Members that are created in a resource directory are of the resource account type. They have usernames but do not have logon passwords.

    • Alibaba Cloud accounts that are invited to join a resource directory as members. These members are of the cloud account type.

  • References: Use a RAM role to log on to the Alibaba Cloud Management Console

Use a RAM user created for a member to log on to the Alibaba Cloud Management Console

  • Description: After you use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console, you can create a RAM user for the member and grant the required permissions to the RAM user. Then, you can log on to the Alibaba Cloud Management Console as the RAM user created for the member.

  • References: Log on to the Alibaba Cloud Management Console as a RAM user

Use the root user of a member to log on to the Alibaba Cloud Management Console (not recommended)

  • Description: If you want to use a member of the cloud account type in a resource directory to log on to the Alibaba Cloud Management Console, you can use the username and password of the root user of the member. However, for security purposes, we recommend that you do not use this method.

  • Applicable member type: Alibaba Cloud accounts that are invited to join a resource directory as members. These members are of the cloud account type.

  • References: Log on to the Alibaba Cloud Management Console as the root user of a member

Use a CloudSSO user to log on to the Alibaba Cloud Management Console

  • Description: CloudSSO is integrated with Alibaba Cloud Resource Directory to help you manage identities and access permissions for multiple accounts in a centralized manner. After you activate CloudSSO and grant access permissions on a member in a resource directory to the CloudSSO user, the CloudSSO user can log on to the CloudSSO user portal and access resources of the member based on the related access configuration.

  • Applicable member type: CloudSSO users.

  • References: Use CloudSSO to manage the identities and permissions of multiple accounts of an enterprise in a centralized manner

Use a RAM role to log on to the Alibaba Cloud Management Console

  1. Use the management account of a resource directory to create a RAM user and grant the required permissions to the RAM user.

    1. Use the management account of a resource directory to log on to the RAM console.

    2. Create a RAM user.

      In this example, a RAM user named Alice is created. For more information, see Create a RAM user.

    3. Grant the required permissions to Alice.

      You must attach the following policies to Alice:

      • AliyunSTSAssumeRoleAccess: defines the permissions that are required to call the AssumeRole operation of Security Token Service (STS).

      • AliyunResourceDirectoryFullAccess: defines the permissions that are required to manage a resource directory.

      Note

      If you want to use Alice as an administrator, you can attach the AdministratorAccess policy to Alice.

      For more information, see Grant permissions to RAM users.

  2. Use Alice to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console.

    1. Use Alice to log on to the Resource Management console.

    2. In the left-side navigation pane, choose Resource Directory > Overview.

    3. Click the Organization or Members tab.

    4. Find the desired member and click Logon Account in the Actions column.

      Then, Alice can assume the RAM role ResourceDirectoryAccountAccessRole of the member to log on to the Alibaba Cloud Management Console and perform operations that are defined for the RAM role.
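
The following is an added example, not part of the Alibaba Cloud documentation: a small reviewer's check that lists which members' ResourceDirectoryAccountAccessRole a RAM policy lets its holder (such as Alice) assume, comparing a wildcard sts:AssumeRole grant with a policy scoped to named members. Assumptions: the role ARN form acs:ram::<account-id>:role/<role-name>, 16-digit account IDs, and the constructed sample policy and account IDs.

```python
import fnmatch
import re

ROLE_NAME = "ResourceDirectoryAccountAccessRole"  # role name taken from this page
ACCOUNT_ID = re.compile(r"^\d{16}$")  # assumption: account IDs are 16 digits

# Constructed sample data: a wildcard grant and hypothetical member account IDs.
WILDCARD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
MEMBERS = ["1000000000000001", "1000000000000002"]


def role_arn(account_id, role=ROLE_NAME):
    """Role ARN in the assumed form acs:ram::<account-id>:role/<role-name>."""
    if not ACCOUNT_ID.match(account_id):
        raise ValueError(f"not an account ID: {account_id!r}")
    return f"acs:ram::{account_id}:role/{role}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_assume(policy, arn):
    """True if an Allow statement covers sts:AssumeRole on arn and no Deny does."""
    # Simplification: Condition blocks are ignored and matching is
    # case-insensitive, so the result errs towards reporting access.
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = [r.lower() for r in _as_list(stmt.get("Resource", []))]
        hit = (any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)
               and any(fnmatch.fnmatchcase(arn.lower(), r) for r in resources))
        if hit and stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed


def scoped_policy(member_ids):
    """Policy that permits assuming only ROLE_NAME in the listed members."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": [role_arn(m) for m in member_ids]}]}


def reachable(policy, account_ids):
    """Accounts whose ROLE_NAME role the policy lets the holder assume."""
    return [a for a in account_ids if allows_assume(policy, role_arn(a))]
```

Running reachable() over every account ID in the resource directory shows at a glance whether a user's policy reaches members it was never meant to administer.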

Log on to the Alibaba Cloud Management Console as a RAM user

  1. Use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console.

  2. Create a RAM user for the member.

    In this example, a RAM user named Tom is created. For more information, see Create a RAM user.

  3. Grant the required permissions to Tom.

    If you want to allow Tom to access all resources of the member, attach the AdministratorAccess policy to Tom. In other cases, grant permissions to Tom based on your business requirements. For more information, see Grant permissions to RAM users.

  4. Use Tom to log on to the Alibaba Cloud Management Console.

Log on to the Alibaba Cloud Management Console as the root user of a member

Important

For security purposes, we recommend that you do not use the root user of a member to log on to the Alibaba Cloud Management Console.

  1. Log on to the Alibaba Cloud Management Console.

  2. Enter the username and password of the root user of the desired member in a resource directory.

  3. Click Sign in.
