This topic describes how to generate and download a user credential report in the RAM console. The report contains the credential details of your Alibaba Cloud account and RAM users, including passwords, AccessKey pairs, and multi-factor authentication (MFA) devices. You can use credential reports for compliance checks and auditing.
Procedure
Result
The following table describes the fields that are included in the user credential report.
Field | Example | Description |
---|---|---|
user | username@company-alias.onaliyun.com | The username of the Alibaba Cloud user. The value in the first row of the CSV file is <root>, which indicates the Alibaba Cloud account. The values in the remaining rows are the usernames of the RAM users under the Alibaba Cloud account, and the values are in the User Principal Name (UPN) format. |
user_creation_time | 2019-11-11T12:33:18Z | The time when the Alibaba Cloud user was created. Note: Specify the time in the ISO 8601 standard in the YYYY-MM-DDThh:mm:ssZ format. The time must be in UTC. |
user_last_logon | 2019-11-11T12:45:18Z | The last time when the RAM user logged on to the RAM console. Note: The RAM user may log on to the RAM console by using the password or single sign-on (SSO). If the RAM user has never logged on to the RAM console, the value of this field is `-`. |
password_exist | TRUE | Indicates whether a password for logging on to the RAM console is available. Valid values are TRUE and FALSE. Note: If you are using a resource account that is created on the Resource Directory page of the Resource Management console, you can view the password. However, the password cannot be used to log on to the RAM console. |
password_active | N/A | Indicates whether the password is active. Valid values are TRUE, FALSE, and N/A. |
password_last_changed | 2019-11-11T12:50:18Z | The time when the password was last changed. If the logon configurations for a RAM user are not available, the value for the RAM user is N/A. Note: RAM records the changes that were made after April 5, 2016. If the password was changed on this date or earlier, the value for this field is N/A. The user credential report may not include the changes that were made in an interval leading up to the report generation time. The interval is about 24 hours, but the actual time may vary based on the scenario. |
password_next_rotation | 2019-11-13T12:50:18Z | The time when a new password must be set in compliance with the password rotation policy. |
mfa_active | TRUE | Indicates whether an MFA device is enabled. Valid values are TRUE, FALSE, and N/A. If the logon configurations for a RAM user are not available, the value for the RAM user is N/A. |
access_key_1_exist | TRUE | Indicates whether the first AccessKey pair exists. Valid values are TRUE and FALSE. |
access_key_1_active | TRUE | Indicates whether the first AccessKey pair is active. Valid values are TRUE, FALSE, and N/A. If no AccessKey pair has been created, the value is N/A. |
access_key_1_last_rotated | 2019-11-11T12:50:18Z | The time when the first AccessKey pair was created or last changed. If no AccessKey pair has been created, the value is N/A. |
access_key_1_last_used | 2019-11-13T12:50:18Z | The time when the first AccessKey pair was last used. Note: RAM started to track the last usage time of AccessKey pairs from June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario. |
access_key_2_exist | TRUE | Indicates whether the second AccessKey pair exists. Valid values are TRUE and FALSE. |
access_key_2_active | TRUE | Indicates whether the second AccessKey pair is active. Valid values are TRUE, FALSE, and N/A. If no AccessKey pair has been created, the value is N/A. |
access_key_2_last_rotated | 2019-11-11T12:50:18Z | The time when the second AccessKey pair was created or last changed. If no AccessKey pair has been created, the value is N/A. |
access_key_2_last_used | 2019-11-13T12:50:18Z | The time when the second AccessKey pair was last used. Note: RAM started to track the last usage time of AccessKey pairs from June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario. |

Note: A maximum of two AccessKey pairs can be created for each Alibaba Cloud user (Alibaba Cloud account user or RAM user) in the RAM console. Before this limit takes effect, more than two AccessKey pairs can be created. Therefore, an Alibaba Cloud user may have more than two AccessKey pairs. The information about the additional AccessKey pairs is listed in the last columns of the CSV file. The names of these columns start with `additional_access_key_`.
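
The following added example (not part of the original documentation or any Alibaba Cloud tooling) shows one way to audit a downloaded report for the compliance checks mentioned above, handling the `N/A` and `-` values and the `additional_access_key_` columns. The sample rows are constructed, and the comma-separated column order, the 90-day threshold, and the reading of an unparseable `last_used` value as "no recorded use" are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not real data); columns follow the field table above.
SAMPLE = """\
user,user_creation_time,user_last_logon,password_exist,password_active,password_last_changed,password_next_rotation,mfa_active,access_key_1_exist,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used,access_key_2_exist,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used
<root>,2019-01-01T00:00:00Z,2020-05-20T08:00:00Z,TRUE,N/A,N/A,N/A,TRUE,FALSE,N/A,N/A,N/A,FALSE,N/A,N/A,N/A
alice@company-alias.onaliyun.com,2019-11-11T12:33:18Z,2020-05-30T09:00:00Z,TRUE,TRUE,2019-11-11T12:50:18Z,2020-02-09T12:50:18Z,FALSE,TRUE,TRUE,2019-11-11T12:50:18Z,2020-05-30T10:00:00Z,FALSE,N/A,N/A,N/A
ci-bot@company-alias.onaliyun.com,2020-04-01T00:00:00Z,-,FALSE,N/A,N/A,N/A,N/A,TRUE,TRUE,2020-05-01T00:00:00Z,N/A,TRUE,FALSE,2020-04-01T00:00:00Z,N/A
"""
EMPTY = {None, "", "-", "N/A", "FALSE"}  # values treated as "nothing recorded"

def parse_ts(value):
    """Parse YYYY-MM-DDThh:mm:ssZ (UTC); return None for 'N/A', '-' or empty."""
    try:
        return datetime.strptime((value or "").strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def audit(report_text, now, max_age=timedelta(days=90)):
    """Return (user, finding) tuples; the 90-day threshold is an assumed policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        if row.get("password_exist") == "TRUE" and row.get("mfa_active") == "FALSE":
            findings.append((user, "console password without MFA"))
        due = parse_ts(row.get("password_next_rotation"))
        if due and due < now:
            findings.append((user, "password rotation overdue"))
        for key in ("access_key_1", "access_key_2"):
            if row.get(f"{key}_active") != "TRUE":
                continue  # N/A (no key) and FALSE (not active) are skipped
            rotated = parse_ts(row.get(f"{key}_last_rotated"))
            used = parse_ts(row.get(f"{key}_last_used"))
            if rotated and now - rotated > max_age:
                findings.append((user, f"{key} not rotated within policy"))
            if used is None:  # assumed to mean no use recorded since tracking began
                findings.append((user, f"{key} active with no recorded use"))
            elif now - used > max_age:
                findings.append((user, f"{key} active but idle"))
        # Column suffixes after additional_access_key_ are not listed above, so match the prefix.
        if any(c and c.startswith("additional_access_key_") and v not in EMPTY for c, v in row.items()):
            findings.append((user, "more than two AccessKey pairs; review manually"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, datetime(2020, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

Because the report can lag by about 24 hours for password changes and about two hours for AccessKey usage, re-check findings that sit close to the threshold against a fresh report.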