This topic describes how to use Resource Access Management (RAM) to control access from Alibaba Cloud accounts to Cloud Storage Gateway (CSG). To implement access control, you need to create RAM users or groups, and grant required permissions to the users or groups.

Background information

RAM is a resource access control service provided by Alibaba Cloud. RAM allows you to avoid sharing your AccessKey pair with other users. You can grant users the minimum permissions as needed. This reduces the risks of information leakage. For more information, see "What is RAM?"
  • RAM users: If you have created multiple CSG instances and multiple users in your organization need to access these instances, you can create a policy to allow specific users to access the instances. This eliminates the risk of disclosing the AccessKey pair of your Alibaba Cloud account, which helps maintain account security.
  • RAM user groups: You can create multiple user groups and grant different permissions to each user group. This allows you to manage users in the same group at the same time.

Create a RAM user

  1. Use your Alibaba Cloud account to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users, and then click Create User.
  3. Enter the user account information.
  4. Select the Console Password Logon and Programmatic Access check boxes under Access Mode.
  5. Select Custom Logon Password under Console Password, enter a password, and select Required at Next Logon under Password Reset.
  6. Optional. Select Required to Enable MFA under Multi-factor Authentication and click OK.
  7. Save the new account, password, AccessKey ID, and AccessKey secret.
    Note: We recommend that you save the AccessKey pair and keep all details strictly confidential.

Create a user group

If you have multiple RAM users under your Alibaba Cloud account, you can create RAM user groups to classify and authorize these RAM users for easier user and permission management. For example, you can add RAM users with identical responsibilities to the same group.

  1. Use your Alibaba Cloud account to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Groups, and click Create Group.
  3. Enter the group name and display name, and then click OK.

Grant permissions to the RAM user or group

By default, a new RAM user or group does not have any permissions. You must grant permissions to the RAM user or group before you use the user or group to manage resources through the console or API. The following example illustrates how to grant permissions to a RAM user.

  1. On the Users page, select the target RAM user account and click Add Permissions.
  2. On the Add Permissions page that appears, select the required CSG permissions and grant the permissions to the RAM user account.

    To access CSG instances deployed on Alibaba Cloud, you must grant the RAM user the following permissions. To access on-premises gateways, you only need to grant the RAM user the AliyunHCSSGWFullAccess and AliyunOSSFullAccess permissions.

    • AliyunHCSSGWFullAccess: provides full access to CSG.
    • AliyunOSSFullAccess: provides full access to Object Storage Service (OSS).
    • AliyunVPCFullAccess: provides full access to Virtual Private Cloud (VPC).
    • AliyunECSFullAccess: provides full access to Elastic Compute Service (ECS).
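The permission sets above can be checked after the fact. The following added example (not part of the original topic or Alibaba Cloud's own code) compares the system policies attached to a RAM user with the set this page lists for the gateway type. The function name, the sample data, and the assumed input shape (the JSON of a RAM ListPoliciesForUser response) are assumptions made for illustration.

```python
import json

# Managed policies this page lists for each gateway deployment type.
REQUIRED = {
    "cloud": {"AliyunHCSSGWFullAccess", "AliyunOSSFullAccess",
              "AliyunVPCFullAccess", "AliyunECSFullAccess"},
    "on-premises": {"AliyunHCSSGWFullAccess", "AliyunOSSFullAccess"},
}


def audit_csg_user(list_policies_json, deployment):
    """Compare a user's attached system policies with the set the page requires.

    list_policies_json: JSON text shaped like a RAM ListPoliciesForUser
    response (assumed: {"Policies": {"Policy": [{"PolicyName", "PolicyType"}]}}).
    Returns a dict with sorted "missing", "excess" and "custom" policy names.
    """
    if deployment not in REQUIRED:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    doc = json.loads(list_policies_json)
    policies = (doc.get("Policies") or {}).get("Policy") or []
    system, custom = set(), set()
    for p in policies:
        name = p.get("PolicyName", "")
        (system if p.get("PolicyType") == "System" else custom).add(name)
    required = REQUIRED[deployment]
    return {
        "missing": sorted(required - system),  # listed by the page, not attached
        "excess": sorted(system - required),   # attached, not listed for this type
        "custom": sorted(custom),              # custom policies need manual review
    }


# Constructed sample: an on-premises gateway operator who also holds ECS access.
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunHCSSGWFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECSFullAccess", "PolicyType": "System"},
    {"PolicyName": "csg-team-custom", "PolicyType": "Custom"},
]}})

if __name__ == "__main__":
    for kind in ("on-premises", "cloud"):
        print(kind, audit_csg_user(SAMPLE, kind))
```

A policy reported as excess may still be needed for duties outside CSG, so treat the result as a prompt for review.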