Resource Access Management (RAM) is a service provided by Alibaba Cloud. It allows you to manage user identities and resource access permissions.


RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. RAM has the following features:

  • You can manage RAM users and their AccessKey pairs. You can also enable multi-factor authentication (MFA) for RAM users.
  • You can manage the permissions of RAM users to access Alibaba Cloud resources.
  • You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP addresses.
  • You can manage instances and data that are created by RAM users. For an enterprise, RAM ensures that the instances and data created by RAM users are still available even if the users leave the organization.
  • You can use single sign-on (SSO) services. Alibaba Cloud provides two types of SSO service for identity providers (IdPs): user-based SSO and role-based SSO.


| Scenario | Description |
| --- | --- |
| Use RAM to manage user permissions and resources | An enterprise wants to migrate a project to Alibaba Cloud. The enterprise has purchased several types of Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Specific employees are required to manage these cloud resources. Different employees require different permissions to fulfill their duties. |
| Use an STS token for authorizing a mobile app to access Alibaba Cloud resources | An enterprise has developed a mobile app and purchased the OSS service. The mobile app runs on mobile devices. These mobile devices are not controlled by the enterprise. The enterprise must grant the necessary permissions to the mobile app. The mobile app can then upload data to and download data from OSS. |
| Use a RAM role to grant permissions across Alibaba Cloud accounts | An enterprise (Enterprise A) has purchased multiple types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. Enterprise A wants to authorize another enterprise (Enterprise B) to access specified resources of Enterprise A. |
| Use RAM for authorizing applications to access Alibaba Cloud resources | An enterprise has purchased ECS instances and wants to deploy its applications on these ECS instances. These applications need to use AccessKey pairs to call API operations of other Alibaba Cloud services. |


RAM allows you to create and manage RAM users for employees, systems, applications, and other identities. You can manage the permissions of RAM users to access Alibaba Cloud resources. When multiple users in your enterprise need to collaboratively manage cloud resources, RAM allows you to keep your Alibaba Cloud account and password strictly confidential. It also allows you to grant the users the minimum required permissions to ensure high security.

Learning path

You can use the RAM learning path to learn more about RAM and basic operations. You can also perform custom development by using diverse API operations, SDK packages, and other easy-to-use tools.