All Products
Search

This Product

    :Use RAM to implement account-based access control

    Document Center

    :Use RAM to implement account-based access control

    Last Updated:Jan 26, 2024

    This topic describes how to use Resource Access Management (RAM) to control the access of Alibaba Cloud accounts to Cloud Storage Gateway (CSG). To implement access control, you must create RAM users or groups, and grant required permissions to the users or groups.

    Background information

    RAM is an Alibaba Cloud access control service that allows you to implement shared access without exposing the AccessKey pair of an Alibaba Cloud account. You can grant users the minimum permissions as needed, which helps improve data security. For more information, see What is RAM?

    • RAM users: If multiple users in your organization need to access your gateways, you can create a policy to allow specified users to access the gateways. This prevents leakage risks that arise from sharing your AccessKey pair and improves account security.

    • RAM user groups: You can create multiple user groups and grant different permissions to each user group. This allows you to manage users in the same group at the same time.

    Create a RAM user

    1. Use your Alibaba Cloud account to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users and click Create User.

    3. Configure user account information.

    4. Specify the allowed access methods. You can select Console Access, OpenAPI Access, or both.

    5. Select Reset Custom Password for Set Logon Password, enter an initial password, and select Required at Next Logon for Password Reset.

    6. (Optional )Select Required for Enable MFA and then click OK.

    7. Save the user name, password, and AccessKey pair of the account.

      Note

      We recommend that you immediately save the AccessKey pair and keep it strictly confidential.

    Create a group

    If you have multiple RAM users within your Alibaba Cloud account, you can create RAM user groups to classify and authorize these RAM users. This simplifies the management of RAM users and permissions.

    1. Use your Alibaba Cloud account to log on to the RAM console.

    2. In the left-navigation pane, choose Identities > Groups and click Create User Group.

    3. Specify a user group name and display name, and click OK.

    Grant permissions to the RAM user or group

    By default, a RAM user or group does not have permissions. You must use the console or call related API operations to grant permissions to the RAM user or group before you use the user or group to manage resources. The following example describes how to grant permissions to a RAM user.

    1. On the Users page, select the RAM user, and then click Add Permissions in the Actions column.

    2. In the Add Permissions panel, select the policy that you want to attach to the RAM user.

      To access on-premises gateways, you need to attach only the AliyunHCSSGWFullAccess and AliyunOSSFullAccess policies to the user. To access gateways deployed on Alibaba Cloud, you must attach the following policies to the RAM user:

      • AliyunHCSSGWFullAccess: provides full access to CSG.

      • AliyunOSSFullAccess: provides full access to Object Storage Service (OSS).

      • AliyunVPCFullAccess: provides full access to Virtual Private Cloud (VPC).

      • AliyunECSFullAccess: provides full access to Elastic Compute Service (ECS).

      image.png