Resource Access Management (RAM) allows you to separately manage the permissions of your Alibaba Cloud account and its RAM users. You can grant different permissions to different RAM users to avoid security risks caused by exposure of the AccessKey pair of your Alibaba Cloud account.
Background information
Enterprise A has activated Message Queue for Apache Kafka and wants to grant employees with different duties different permissions to perform operations on Message Queue for Apache Kafka resources, such as instances, topics, and consumer groups. Enterprise A has the following requirements:
- For security reasons, the enterprise does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, it prefers to create different RAM users for the employees and grant different permissions to these users.
- A RAM user can use only the resources that it is authorized to use. Resource usage and costs are not separately calculated for that RAM user. All expenses are billed to the Alibaba Cloud account of the enterprise.
- The enterprise can revoke the permissions granted to RAM users and delete RAM users at any time.
Step 1: Create a RAM user
Use the Alibaba Cloud account of the enterprise to log on to the RAM console and create a RAM user.
Step 2: Grant permissions to the RAM user
Grant different permissions to RAM users.
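One way to check a policy document before attaching it to a RAM user in this step, as an added example that is not part of the original page or Alibaba Cloud's own code: it flags Allow statements that use wildcards or, for a read-only duty, write operations. The `alikafka` action names, the resource ARN layout, the read-prefix heuristic, and `INSTANCE_ID_PLACEHOLDER` are assumptions to verify against the service's authorization documentation.

```python
"""Audit RAM policy documents before attaching them to RAM users (added example)."""

SERVICE = "alikafka"                      # assumed service prefix in RAM actions
READ_PREFIXES = ("List", "Get", "Query")  # heuristic for read-only operations

def _as_list(value):
    # Statement, Action and Resource may each be one item or a list of items.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(policy, read_only=False):
    """Return a list of findings for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        kafka = [a for a in actions if a == "*" or a.startswith(SERVICE + ":")]
        if not kafka:
            continue  # statement does not touch this service
        for action in kafka:
            name = action.split(":", 1)[-1]
            if "*" in name:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif read_only and not name.startswith(READ_PREFIXES):
                findings.append(f"statement {idx}: write action {action!r} in read-only policy")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: Resource '*' covers every instance")
    return findings

# Constructed sample policies; action names and the ARN layout are assumptions.
ARN = "acs:alikafka:*:*:INSTANCE_ID_PLACEHOLDER"
VIEWER = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["alikafka:ListInstance", "alikafka:ListTopic", "alikafka:ListGroup"],
    "Resource": ARN,
}]}
TOO_BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "alikafka:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["alikafka:ListTopic", "alikafka:DeleteTopic"],
     "Resource": ARN},
]}

if __name__ == "__main__":
    for label, doc in (("viewer", VIEWER), ("too_broad", TOO_BROAD)):
        print(label, audit_policy(doc, read_only=True) or "ok")
```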
What to do next
The employees of the enterprise can use their RAM users to access Message Queue for Apache Kafka in the following ways:
- Console
  - Open the RAM User Logon page in your browser.
  - On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Login.
  Note: The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the ID of the Alibaba Cloud account is used.
- API
  In the code, use the AccessKey ID and AccessKey secret of the RAM user to call an API to access Message Queue for Apache Kafka.