This topic describes how to generate and download a user credential report that contains the credential details of your Alibaba Cloud account and RAM users in the RAM console. The credential details include the passwords, AccessKey pairs, and multi-factor authentication (MFA) devices. You can use credential reports for compliance checks and auditing.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account. You can also log on as a RAM user to which the AliyunRAMFullAccess policy is attached.
  2. In the left-side navigation pane, click Overview.
  3. In the Security Check section of the page that appears, click Download User Credential Report.
  4. After the user credential report is generated, click Download.
    Note The time required for generating the user credential report depends on the number of RAM users under the current Alibaba Cloud account. If the generation of a report requires a long period of time, you can click Download Later. A new credential report in the comma-separated values (CSV) format can be generated only once every four hours. After you send a request to download a report, RAM checks whether a report has been generated within the past four hours. If so, that report is downloaded. If the latest report was generated more than four hours earlier, or if no report has been generated before, RAM generates a new report.

Result

The following table describes the fields that are included in the user credential report.

Each entry below gives the field name, an example value, and the description.

Field: user
Example: username@company-alias.onaliyun.com
Description: The username of the Alibaba Cloud user. The value in the first row of the CSV file is <root>, which indicates the Alibaba Cloud account. The values in the remaining rows are the usernames of the RAM users under the Alibaba Cloud account, in the User Principal Name (UPN) format.

Field: user_creation_time
Example: 2019-11-11T12:33:18Z
Description: The time when the Alibaba Cloud user was created.
  Note The time is in the ISO 8601 standard in the YYYY-MM-DDThh:mm:ssZ format and is in UTC.

Field: user_last_logon
Example: 2019-11-11T12:45:18Z
Description: The last time when the RAM user logged on to the RAM console.
  Note The RAM user may log on to the RAM console by using the password or single sign-on (SSO). If the RAM user has never logged on to the RAM console, the value of this field is -.

Field: password_exist
Example: TRUE
Description: Indicates whether a password for logging on to the RAM console is available. Valid values: TRUE and FALSE.
  • The value for a RAM user is determined by the logon configurations of the RAM user.
  • The value for an Alibaba Cloud account is TRUE and cannot be changed.
  Note If you are using a resource account that is created on the Resource Directory page of the Resource Management console, you can view the password. However, the password cannot be used to log on to the RAM console.

Field: password_active
Example: N/A
Description: Indicates whether the password is active. Valid values: TRUE, FALSE, and N/A.
  • If the logon configurations for a RAM user are not available, the value for the RAM user is N/A.
  • The value for an Alibaba Cloud account is N/A and cannot be changed.

Field: password_last_changed
Example: 2019-11-11T12:50:18Z
Description: The time when the password was last changed. If the logon configurations for a RAM user are not available, the value for the RAM user is N/A.
  Note RAM records the changes that were made after April 5, 2016. If the password was changed on this date or earlier, the value of this field is N/A. The user credential report may not include the changes that were made in an interval leading up to the report generation time. The interval is about 24 hours, but the actual time may vary based on the scenario.

Field: password_next_rotation
Example: 2019-11-13T12:50:18Z
Description: The time by which a new password must be set in compliance with the password rotation policy.
  • If the password is permanently valid and password rotation is not required, the value is -.
  • If the logon configurations for a RAM user are not available, the value for the RAM user is N/A.
  • The value for an Alibaba Cloud account is N/A and cannot be changed.

Field: mfa_active
Example: TRUE
Description: Indicates whether an MFA device is enabled. Valid values: TRUE, FALSE, and N/A. If the logon configurations for a RAM user are not available, the value for the RAM user is N/A.

Field: access_key_1_exist
Example: TRUE
Description: Indicates whether the first AccessKey pair exists. Valid values: TRUE and FALSE.

Field: access_key_1_active
Example: TRUE
Description: Indicates whether the first AccessKey pair is active. Valid values: TRUE, FALSE, and N/A. If no AccessKey pair has been created, the value is N/A.

Field: access_key_1_last_rotated
Example: 2019-11-11T12:50:18Z
Description: The time when the first AccessKey pair was created or last changed. If no AccessKey pair has been created, the value is N/A.

Field: access_key_1_last_used
Example: 2019-11-13T12:50:18Z
Description: The time when the first AccessKey pair was last used.
  • If the AccessKey pair has not been used since RAM started to track this information, the value is -.
  • If no AccessKey pair has been created, the value is N/A.
  Note RAM started to track the last usage time of AccessKey pairs on June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario.

Field: access_key_2_exist
Example: TRUE
Description: Indicates whether the second AccessKey pair exists. Valid values: TRUE and FALSE.

Field: access_key_2_active
Example: TRUE
Description: Indicates whether the second AccessKey pair is active. Valid values: TRUE, FALSE, and N/A. If no AccessKey pair has been created, the value is N/A.

Field: access_key_2_last_rotated
Example: 2019-11-11T12:50:18Z
Description: The time when the second AccessKey pair was created or last changed. If no AccessKey pair has been created, the value is N/A.

Field: access_key_2_last_used
Example: 2019-11-13T12:50:18Z
Description: The time when the second AccessKey pair was last used.
  • If the AccessKey pair has not been used since RAM started to track this information, the value is -.
  • If no AccessKey pair has been created, the value is N/A.
  Note RAM started to track the last usage time of AccessKey pairs on June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario.

Note A maximum of two AccessKey pairs can be created for each Alibaba Cloud user (Alibaba Cloud account user or RAM user) in the RAM console. Before this limit took effect, more than two AccessKey pairs could be created, so an Alibaba Cloud user may still have more than two AccessKey pairs. The information about the additional AccessKey pairs is listed in the last columns of the CSV file. The names of these columns start with additional_access_key_.
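The following is an added example, not code from Alibaba Cloud, that reads a downloaded report and runs the kind of compliance checks the report is meant for: active console passwords without MFA, active AccessKey pairs older than a rotation limit, active pairs that have never been used, and users still holding more than two pairs. It treats - and N/A as "no time" exactly as the fields above define them. The sample CSV is constructed, the report time and the 90-day rotation limit are assumed values, and additional_access_key_3_active is an assumed name for one of the extra columns whose names start with additional_access_key_.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not a real download). The header uses the field
# names documented above; additional_access_key_3_active is an assumed name for
# one of the extra columns whose names start with additional_access_key_.
SAMPLE_REPORT = """\
user,user_creation_time,user_last_logon,password_exist,password_active,password_last_changed,password_next_rotation,mfa_active,access_key_1_exist,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used,access_key_2_exist,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used,additional_access_key_3_active
<root>,2016-01-01T00:00:00Z,2019-11-11T12:45:18Z,TRUE,N/A,N/A,N/A,TRUE,TRUE,TRUE,2019-05-01T00:00:00Z,-,FALSE,N/A,N/A,N/A,N/A
alice@company-alias.onaliyun.com,2019-11-11T12:33:18Z,2019-11-11T12:45:18Z,TRUE,TRUE,2019-11-11T12:50:18Z,2019-11-13T12:50:18Z,FALSE,TRUE,TRUE,2019-11-11T12:50:18Z,2019-11-13T12:50:18Z,FALSE,N/A,N/A,N/A,N/A
bob@company-alias.onaliyun.com,2019-06-01T00:00:00Z,-,FALSE,N/A,N/A,N/A,N/A,TRUE,TRUE,2019-06-01T00:00:00Z,-,TRUE,TRUE,2019-06-02T00:00:00Z,2019-11-10T00:00:00Z,TRUE
"""

REPORT_TIME = datetime(2019, 11, 14, tzinfo=timezone.utc)  # assumed report time
MAX_KEY_AGE = timedelta(days=90)  # assumed AccessKey rotation policy


def parse_time(value):
    """Return an aware UTC datetime, or None for the '-' and 'N/A' markers."""
    if value in ("-", "N/A"):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_report(text, now=REPORT_TIME, max_key_age=MAX_KEY_AGE):
    """Return {user: [finding, ...]} for every row that fails a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        # A usable console password without an MFA device.
        if row["password_active"] == "TRUE" and row["mfa_active"] != "TRUE":
            issues.append("console password active without MFA")
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "TRUE":
                continue  # FALSE or N/A: nothing to rotate or retire
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                issues.append(f"access_key_{n} older than {max_key_age.days} days")
            if parse_time(row[f"access_key_{n}_last_used"]) is None:
                issues.append(f"access_key_{n} active but never used")
        # Users created before the limit may still hold extra pairs (additional_access_key_ columns).
        extra = [c for c in row if c.startswith("additional_access_key_")
                 and c.endswith("_active") and row[c] == "TRUE"]
        if extra:
            issues.append(f"{len(extra)} additional active AccessKey pair(s) beyond the limit of two")
        if issues:
            findings[row["user"]] = issues
    return findings
```

Pass the text of a downloaded report to audit_report in place of SAMPLE_REPORT; rows with no findings are omitted from the result.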