Resource Access Management (RAM) is a service provided by Alibaba Cloud. It allows you to manage user identities and resource access permissions.
RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and to grant different permissions to a single identity or a group of identities. In this way, different RAM users are authorized to access different Alibaba Cloud resources. RAM provides the following features:
- You can manage RAM users and their AccessKey pairs. You can also enable multi-factor authentication (MFA) devices for RAM users.
- You can manage the permissions of RAM users to access Alibaba Cloud resources.
- You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP address.
- You can manage the instances or data created by RAM users. For enterprises, RAM ensures that the instances or data created by RAM users are still available even if the users leave the enterprises.
- You can use single sign-on (SSO) services. Alibaba Cloud provides two types of SSO services for enterprise identity providers (IdPs): user-based SSO and role-based SSO.
| Scenario | Description |
| --- | --- |
| Use RAM to manage user permissions and resources | An enterprise wants to migrate a project to the cloud. This requires the purchase of various Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Some employees need to manage these cloud resources, and different employees require different permissions to fulfill their duties. |
| Use a temporary STS token for authorizing a mobile app to access Alibaba Cloud resources | An enterprise has developed a mobile app and purchased the OSS service. The mobile app runs on mobile devices. These mobile devices are not controlled by the enterprise. The enterprise must grant the required permissions to the mobile app. Then, the mobile app can access OSS to upload and download data. |
| Use a RAM role to grant permissions across Alibaba Cloud accounts | An enterprise (Enterprise A) has purchased multiple Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A. |
| Use RAM for authorizing applications to access Alibaba Cloud resources | An enterprise has purchased Elastic Compute Service (ECS) instances and wants to deploy its applications on these ECS instances. These applications need to use AccessKey pairs to call API operations of other Alibaba Cloud services. |
RAM allows you to create and manage RAM users, such as employees, systems, and apps. You can manage the permissions of RAM users to access Alibaba Cloud resources. RAM is also applicable in the scenario where multiple users in an enterprise need to collaboratively manage cloud resources. RAM allows you to grant the corresponding users the minimum required permissions. This ensures higher security because you can keep your Alibaba Cloud account and password confidential.
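The following added example (not Alibaba Cloud code) combines the access-channel restrictions from the feature list (secure channel, time, source IP address) with a minimum-permission grant, and checks sample requests against it. The policy uses RAM policy syntax; the bucket name, CIDR range and expiry date are constructed, and the evaluator is a simplified model that handles only `Allow` statements and these three condition operators.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Constructed policy in RAM policy syntax. The bucket name, CIDR range and
# expiry date are placeholders chosen for this example.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:PutObject"],   # no delete, no list
        "Resource": ["acs:oss:*:*:example-bucket/*"],
        "Condition": {
            "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
            "Bool": {"acs:SecureTransport": ["true"]},
            "DateLessThan": {"acs:CurrentTime": ["2030-01-01T00:00:00+08:00"]},
        },
    }],
}

def _condition_ok(op, key, values, ctx):
    """Values listed under one key are alternatives (OR)."""
    actual = ctx.get(key)
    if actual is None:
        return False  # missing request context never satisfies a condition
    if op == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if op == "Bool":
        return any(str(actual).lower() == v for v in values)
    if op == "DateLessThan":
        now = datetime.fromisoformat(actual)
        return any(now < datetime.fromisoformat(v) for v in values)
    return False  # operator not modelled here: fail closed

def is_allowed(policy, action, resource, ctx):
    """Simplified model: allow only if a statement matches; default is deny."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        conds = st.get("Condition", {})
        # Every operator/key pair must hold (AND across conditions).
        if all(_condition_ok(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            return True
    return False
```

A request is allowed only when the action, the resource and all three conditions match; dropping HTTPS, moving outside the CIDR range or passing the expiry date each fall back to the default deny.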
The endpoint for accessing RAM by calling API operations is
You can use the RAM learning path to learn more about RAM and basic operations. You can also perform custom development by using diverse API operations, SDK packages, and other easy-to-use tools.