All Products
Document Center

Create an admin user and complete its security settings

Last Updated: Nov 12, 2020

This topic describes how to create an admin user and complete its security settings.

Create an admin user

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, click Users under Identities.

  3. On the Users page, click Create User.

  4. On the Create User page, enter admin in Logon Name and administrator in Display Name.

  5. Select one of the following options for Access Mode:

    • Console Password Logon: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).

    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use development tools to access Alibaba Cloud resources. The AccessKey pair is created to run automated O&M scripts of Terraform. Do not use the AccessKey pair for business systems. If Terraform scripts are not applicable to your business, do not select this access mode.

  6. Configure the parameters and click OK.

  7. On the Create User page, click Copy in the Actions column to record your logon name, logon password, AccessKey ID, and AccessKey secret to your computer.

  8. In the left-side navigation pane, click Users under Identities.

  9. In the User Logon Name/Display Name column, find the admin user.

  10. In the Actions column, click Add Permissions. In the Add Permissions panel, the Principal field is automatically filled in.

  11. In the Select Policy section, select AdministratorAccess and click OK.

Enable MFA

  1. Log on to the RAM console by using an Alibaba Cloud account.

    • If you have selected Required for Enable MFA when modifying the logon settings of a RAM user, the RAM user needs to go to step 5 when the RAM user logs on to the RAM console.

    • If you allow a RAM user of your Alibaba Cloud account to manage its own MFA device, the RAM user can enable an MFA device in the RAM console. The procedure is as follows: Move the pointer over the profile picture in the upper-right corner of the console, and click Security. In the left-side navigation pane, click MFA Device Management. On the page that appears, click Enable MFA Device.

  2. In the left-side navigation pane, click Users under Identities.

  3. In the User Logon Name/Display Name column, click the username of the target RAM user.

  4. On the Authentication tab, click Enable the Virtual MFA Device.

  5. Download and install the Google Authenticator app on your mobile device.

    • For iOS, install the Google Authenticator app from the App Store.

    • For Android, install the Google Authenticator app from the Google Play Store.


    For Android, you must install a QR code scanner from the Google Play Store for Google Authenticator to identify QR codes.

  6. Open the Google Authenticator app.

  7. Select a method to enable the MFA device from the following available options.

    • Recommended. Tap BEGIN SETUP > Scan barcode in the Google Authenticator app, and scan the QR code that is displayed on the Scan the code tab in the RAM console.

    • Tap BEGIN SETUP > Manual entry, enter the username and key, and then tap the check sign (√) in the Google Authenticator app.


    You can obtain the username and key from the Retrieve manually enter information tab in the console.

  8. Enter the two consecutive verification codes that are obtained from the Google Authenticator app, and click Enable.


    The verification code in the Google Authenticator app is refreshed every 30 seconds.

Reset the password for the admin user

  1. On the Reset RAM User Password page, enter a new password for the admin user, enter the password again to confirm it, and then click Confirm Reset.

  2. Now you have completed the security settings for the admin user.