Before you can use Secrets Manager to manage Resource Access Management (RAM) secrets, you must authorize Secrets Manager to manage AccessKey pairs of RAM users. To perform the authorization, you can assign a RAM role with the required permissions to Secrets Manager. This topic describes how to authorize Secrets Manager to manage AccessKey pairs of RAM users.

Step 1: Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Click JSON and enter the following script:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:ListAccessKeys",
                    "ram:CreateAccessKey",
                    "ram:DeleteAccessKey",
                    "ram:UpdateAccessKey"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  5. Click Next: Edit Basic Information. On the page that appears, configure the Name and Note parameters. Set the Name parameter to AliyunKMSManagedRAMCrendentialsRolePolicy.
  6. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  7. Click OK.

Step 2: Create a RAM role and attach the policy to the RAM role

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role panel, select Alibaba Cloud Service for the Trusted entity type parameter and click Next.
  5. Select Normal Service Role for the Role Type parameter.
  6. Configure the RAM Role Name and Note parameters. Set the RAM Role Name parameter to AliyunKMSManagedRAMCrendentialsRole.
  7. Select Key Management Service for Select Trusted Service.
  8. Click OK.
  9. Click Close.
  10. Grant permissions to the RAM role.
    1. In the Create Role panel, click Add Permissions to RAM Role in the Finish step. In the Add Permissions panel, the Principal parameter is automatically configured.
    2. In the Select Policy section, click Custom Policy and select the AliyunKMSManagedRAMCrendentialsRolePolicy policy.
    3. Click OK.
    4. Click Complete.
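The two documents this procedure produces are worth checking before the role goes into use: the permission policy from Step 1 should grant exactly the four ram: AccessKey actions and nothing broader, and the trust policy of the role from Step 2 should let only the Key Management Service principal assume it. The following Python script is an added example for that check; it is not part of the Alibaba Cloud documentation or product. The policy document is the one from Step 1; the trust policy JSON and the service principal name kms.aliyuncs.com are assumptions about what the console generates when Key Management Service is selected as the trusted service, so paste in the actual documents shown in the RAM console.

```python
import json

# Constructed sample: the custom policy document from Step 1 of this topic.
POLICY_DOCUMENT = """{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ram:ListAccessKeys",
                "ram:CreateAccessKey",
                "ram:DeleteAccessKey",
                "ram:UpdateAccessKey"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}"""

# Constructed sample: the trust policy a Normal Service Role gets when Key Management
# Service is the trusted service (Step 2). The principal name "kms.aliyuncs.com" is an
# assumption, not taken from this topic; check it against the RAM console.
TRUST_POLICY_DOCUMENT = """{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": ["kms.aliyuncs.com"]
            }
        }
    ],
    "Version": "1"
}"""

# The only actions Secrets Manager needs to rotate an AccessKey pair (Step 1).
REQUIRED_ACTIONS = frozenset({
    "ram:ListAccessKeys",
    "ram:CreateAccessKey",
    "ram:DeleteAccessKey",
    "ram:UpdateAccessKey",
})


def _as_list(value):
    """RAM policies accept either a string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(document):
    """Return findings for the permission policy; an empty list means it grants
    exactly the four AccessKey actions from Step 1, with no wildcard and no extras."""
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "1":
        findings.append("Version must be '1'")
    granted = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect {stmt.get('Effect')!r} is not 'Allow'")
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r} grants more than AccessKey management")
            granted.add(action)
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing action {action}: Secrets Manager cannot rotate AccessKey pairs without it")
    for action in sorted(granted - REQUIRED_ACTIONS):
        findings.append(f"extra action {action}: not needed for managing AccessKey pairs")
    return findings


def check_trust_policy(document, trusted_service="kms.aliyuncs.com"):
    """Return findings for the role's trust policy; an empty list means the given
    service principal, and no other principal, may assume the role."""
    findings = []
    seen_trusted = False
    policy = json.loads(document)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        for kind in principal:
            if kind != "Service":
                findings.append(f"statement {i}: principal type {kind!r} lets a non-service identity assume the role")
        for service in _as_list(principal.get("Service")):
            if service == trusted_service:
                seen_trusted = True
            else:
                findings.append(f"statement {i}: unexpected trusted service {service!r}")
    if not seen_trusted:
        findings.append(f"no statement lets {trusted_service} assume the role")
    return findings


if __name__ == "__main__":
    for name, result in (("permission policy", check_policy(POLICY_DOCUMENT)),
                         ("trust policy", check_trust_policy(TRUST_POLICY_DOCUMENT))):
        print(name, "OK" if not result else "\n  " + "\n  ".join(result))
```

Run the script as-is to confirm the sample documents pass, then replace the two constants with the JSON shown in the RAM console for your policy and role. Any finding about a wildcard action, an extra action or a non-service principal means the role can do more than the AccessKey rotation this topic authorizes.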