Use Resource Access Management (RAM) users and RAM roles to access Application Real-Time Monitoring Service (ARMS). Do not use your Alibaba Cloud account directly -- RAM identities let you enforce least-privilege access and isolate credentials for each person or application.
RAM provides three building blocks for access control:
| Concept | What it is | When to use it |
|---|---|---|
| RAM user | A persistent identity with a logon password, an AccessKey pair, or both | Individual team members or applications that need ongoing ARMS access |
| RAM user group | A collection of RAM users that share the same permissions | Teams where multiple people need identical access levels |
| RAM role | A virtual identity with no permanent credentials -- usable only after a trusted entity assumes it and receives a temporary Security Token Service (STS) token | Scenarios that require temporary credentials instead of permanent ones |
RAM users
RAM users can be created by an Alibaba Cloud account or by any RAM user or RAM role that has administrative rights. A RAM user can log on to the console or call API operations only after it receives the required permissions.
Best practices
Use an admin RAM user instead of the Alibaba Cloud account. Create a RAM user with administrative rights from your Alibaba Cloud account, then use that admin user for day-to-day management -- including creating and managing other RAM users.
Separate human users from programmatic users. Create distinct RAM users for people and for applications. For example, if an engineer who owns a monitoring script leaves the team, disabling their personal account also breaks the script. A dedicated programmatic RAM user avoids this problem and lets you rotate its AccessKey pair independently.
Create RAM users through the RAM console or API operations.
RAM console -- Requires the username and password of the Alibaba Cloud account. Enable multi-factor authentication (MFA) for console users to add an extra layer of security.
API operations -- Require an AccessKey pair.
Follow the principle of least privilege. Grant only the minimum permissions required for each task. This limits the impact of accidental or unauthorized actions.
Keep AccessKey credentials out of source code. Hardcoded AccessKey IDs and AccessKey secrets risk leaking credentials for every resource in your account. Use STS tokens or environment variables instead.
Enable single sign-on (SSO) for enterprise users. SSO lets RAM users authenticate through your enterprise identity provider, centralizing credential management and reducing password fatigue.
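Two checks that back up these practices, written here as an added example rather than Alibaba Cloud SDK code: a credential loader that accepts only the environment variables the Alibaba Cloud SDKs read (`ALIBABA_CLOUD_ACCESS_KEY_ID`, `ALIBABA_CLOUD_ACCESS_KEY_SECRET`, and `ALIBABA_CLOUD_SECURITY_TOKEN` for STS tokens), and a pre-commit scan for long-term AccessKey ID literals. The sample snippets and the `ArmsClient` name inside them are constructed.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Environment variables read by the Alibaba Cloud SDK credential providers.
ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"
ENV_STS_TOKEN = "ALIBABA_CLOUD_SECURITY_TOKEN"

# Long-term AccessKey IDs start with "LTAI"; temporary STS keys start with "STS.".
# The length bounds are an assumption that only trims false positives.
LONG_TERM_AK_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str] = None  # present only for STS (temporary) credentials

    @property
    def is_temporary(self) -> bool:
        return self.security_token is not None


def load_credentials(env=None) -> Credentials:
    """Resolve credentials from the environment only, never from literals in the code base."""
    env = os.environ if env is None else env
    key_id, secret = env.get(ENV_KEY_ID), env.get(ENV_KEY_SECRET)
    if not key_id or not secret:
        raise RuntimeError(f"set {ENV_KEY_ID} and {ENV_KEY_SECRET} (and {ENV_STS_TOKEN} for STS)")
    return Credentials(key_id, secret, env.get(ENV_STS_TOKEN) or None)


def find_hardcoded_keys(source: str):
    """Return (line_number, key_id) for every long-term AccessKey ID literal in source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in LONG_TERM_AK_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


# Constructed snippets (hypothetical ArmsClient): the first should be rejected by a
# pre-commit check, the second reads the key from the environment and is fine.
BAD_SNIPPET = 'client = ArmsClient("LTAI5tExampleExampleEx01", "secret-goes-here")\n'
GOOD_SNIPPET = 'client = ArmsClient(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"], ...)\n'

if __name__ == "__main__":
    for lineno, key_id in find_hardcoded_keys(BAD_SNIPPET + GOOD_SNIPPET):
        print(f"line {lineno}: hardcoded AccessKey ID {key_id[:8]}...")
```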
RAM user groups
RAM user groups simplify permission management when multiple users need the same access. Instead of attaching policies to each user individually, attach them to the group once. Every member inherits the group's permissions automatically.
Best practices
Apply least-privilege permissions at the group level. Grant each group only the permissions its members need. This makes it easier to audit and adjust access as requirements change.
Remove users promptly when their responsibilities change. If a team member moves to a different project or no longer needs ARMS access, remove them from the group to prevent unnecessary privilege retention.
RAM roles
A RAM role is a virtual identity to which policies can be attached. Unlike a RAM user, a RAM role has no permanent credentials -- no logon password and no AccessKey pair. To use a RAM role, a trusted entity assumes it and receives a temporary STS token. The trusted entity then uses that token to access Alibaba Cloud resources as the role.
Best practices
Keep the trusted entity stable. Changing the trusted entity of a RAM role after creation can cause permission loss that affects running workloads. Adding a new trusted entity can lead to privilege escalation. Test all changes in a non-production environment first.
Call the AssumeRole operation to get temporary credentials. A trusted entity calls AssumeRole to receive an STS token, which is valid for a limited time. Set the token validity period to the shortest duration your workflow allows to limit the window of exposure if the token is compromised.
The maximum validity period of an STS token equals the session duration configured for the RAM role. Set an appropriate session duration to balance usability and security.
Enable SSO for RAM roles in enterprise environments. Role-based SSO allows federated identities to assume RAM roles directly from your enterprise identity provider, streamlining access without creating individual RAM users.
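As an added example (not Alibaba Cloud's own code), a trust policy built for a fixed set of trusted RAM users, a diff that shows which new principals a change to that policy would admit, and a helper that picks the shortest AssumeRole `DurationSeconds` the STS limits allow. The account ID and user names are constructed placeholders.

```python
# Alibaba Cloud STS limits: AssumeRole DurationSeconds is at least 900 seconds and at most the
# role's MaxSessionDuration, which itself is configurable between 3600 and 43200 seconds.
MIN_DURATION_SECONDS = 900
MIN_MAX_SESSION = 3600
MAX_MAX_SESSION = 43200


def trust_policy(trusted_principals):
    """Build a trust policy naming exactly which RAM identities may call sts:AssumeRole."""
    if not trusted_principals:
        raise ValueError("a RAM role needs at least one trusted entity")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": sorted(trusted_principals)},
        }],
    }


def trusted_entities(policy):
    """Collect every RAM principal a trust policy allows to assume the role."""
    principals = set()
    for statement in policy.get("Statement", []):
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if statement.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            principals.update(statement.get("Principal", {}).get("RAM", []))
    return principals


def added_trust(old_policy, new_policy):
    """Principals the new policy trusts that the old one did not: each is a new way into the role."""
    return trusted_entities(new_policy) - trusted_entities(old_policy)


def choose_duration(needed_seconds, max_session_duration):
    """Shortest DurationSeconds that still covers the workflow, within the STS and role limits."""
    if not MIN_MAX_SESSION <= max_session_duration <= MAX_MAX_SESSION:
        raise ValueError("MaxSessionDuration must be between 3600 and 43200 seconds")
    if needed_seconds > max_session_duration:
        raise ValueError("workflow outlives the role's MaxSessionDuration; split it or raise the limit")
    return max(MIN_DURATION_SECONDS, needed_seconds)


# Constructed account ID and RAM user names; not real identities.
DEPLOYER = "acs:ram::1234567890123456:user/arms-deployer"
CI_BOT = "acs:ram::1234567890123456:user/ci-bot"
```

Run `added_trust(current_policy, proposed_policy)` in the change review for a role: a non-empty result is exactly the privilege-escalation risk the practice above warns about.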
ARMS permission policies
ARMS provides system policies for common access patterns and supports custom policies for fine-grained control over individual ARMS features.
| Policy type | Use case | Details |
|---|---|---|
| System policy | Predefined, covers standard ARMS access scenarios | System policies for ARMS |
| Custom policy -- Application Monitoring | Restrict access to specific Application Monitoring resources | Attach a custom policy to a RAM user |
| Custom policy -- Browser Monitoring | Restrict access to specific Browser Monitoring resources | Attach a custom policy to a RAM user |
| Custom policy -- Tracing Analysis | Restrict access to specific Tracing Analysis resources | Create a custom policy for Tracing Analysis |
| Custom policy -- Alert Management | Restrict access to specific Alert Management resources | Create a custom policy for Alert Management |
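As an added example, not part of the ARMS documentation, a constructor for a custom policy scoped to ARMS actions and a linter that flags grants broader than an ARMS policy needs. The resource identifier is a constructed placeholder; use the resource formats given in the custom-policy topics listed in the table.

```python
def _as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def arms_policy(actions, resources):
    """Construct a custom RAM policy granting only the listed ARMS actions on the listed resources."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": sorted(resources)}],
    }


def lint_arms_policy(policy):
    """Return findings where an Allow statement grants more than an ARMS-specific policy should."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for idx, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        resources = _as_list(statement.get("Resource"))
        for action in _as_list(statement.get("Action")):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' grants every service, not just ARMS")
            elif not action.startswith("arms:"):
                findings.append(f"statement {idx}: {action} is outside ARMS")
            elif action.endswith("*") and "*" in resources:
                findings.append(f"statement {idx}: {action} on Resource '*' is not scoped to specific resources")
    return findings


# Constructed resource identifier; replace with the ARN form the ARMS custom-policy topics specify.
SCOPED = arms_policy(["arms:Describe*"], ["acs:arms:cn-hangzhou:1234567890123456:placeholder-resource"])
TOO_BROAD = arms_policy(["arms:*"], ["*"])

if __name__ == "__main__":
    for name, policy in [("scoped", SCOPED), ("too broad", TOO_BROAD)]:
        print(name, "->", lint_arms_policy(policy) or "ok")
```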