All Products
Search
Document Center

Resource Access Management:Create an AccessKey pair

Last Updated:Dec 26, 2023

This topic describes how to create an AccessKey pair for a Resource Access Management (RAM) user and an Alibaba Cloud account.

Important

If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. For security purposes, we recommend that you create AccessKey pairs for RAM users, instead of for your Alibaba Cloud account.

What is an AccessKey pair?

An AccessKey pair is a permanent access credential that is provided to an Alibaba Cloud user. The user can use the AccessKey pair to access Alibaba Cloud by using a development tool such as the API, CLI, SDK, Cloud Shell, and Terraform. The AccessKey pair cannot be used for console logons.

An AccessKey pair consists of an AccessKey ID and an AccessKey secret, which need to be used together. Keep an AccessKey pair confidential.

  • The AccessKey ID is used to identify a user.

  • The AccessKey secret is used to verify the identity of the user. You must keep your AccessKey secret strictly confidential.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

Create an AccessKey pair for a RAM user

Prerequisites

You can use one of the following accounts to create an AccessKey pair for a RAM user:

  • You can use the Alibaba Cloud account to which the RAM user belongs.

  • You can use a RAM user who has administrative rights. The RAM user is attached the AliyunRAMFullAccess policy.

  • You can use a RAM user that is granted the permissions to manage AccessKey pairs. You can use the Alibaba Cloud account to which the RAM user belongs to grant the permissions. For more information about how to grant a RAM user the permissions to manage AccessKey pairs, see Manage security settings of RAM users.

Limits

  • An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Record and keep your AccessKey secret confidential. If an AccessKey pair is leaked or lost, you must create another AccessKey pair.

  • You can create a maximum of two AccessKey pairs for a RAM user.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the username of the RAM user that you want to manage.

  4. In the User AccessKeys section, click Create AccessKey.

  5. In the Create AccessKey message, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

  6. Click OK.

Create an AccessKey pair for an Alibaba Cloud account

Limits

  • Starting November 20, 2023, if you use an Alibaba Cloud account, you can view the AccessKey secret only once when you create an AccessKey pair for the account. If you use an Alibaba Cloud account and you do not sign the informed consent form for AccessKey pairs that were created before July 5, 2023, you can save and download the AccessKey secret of your AccessKey pair for the last time.

  • You can create a maximum of five AccessKey pairs for an Alibaba Cloud account.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Move the pointer over the profile picture in the upper-right corner of the page that appears and click AccessKey Management.

  3. In the Note message, read the security tips and click Use Current AccessKey Pair.

  4. On the AccessKey Pair page, click Create AccessKey.

  5. In the Create AccessKey message, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

  6. Select I have saved the AccessKey Secret.

  7. Click OK.

References