Resource Access Management (RAM) is a service provided by Alibaba Cloud. It allows you to manage user identities and resource access permissions.

Features

RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, different RAM users are authorized to access different Alibaba Cloud resources. RAM provides the following features:

  • You can manage RAM users and their AccessKey pairs. You can also enable multi-factor authentication (MFA) devices for RAM users.
  • You can manage the permissions of RAM users to access Alibaba Cloud resources.
  • You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP address.
  • You can manage the instances or data created by RAM users. For enterprises, RAM ensures that the instances or data created by RAM users are still available even if the users leave the enterprises.
  • You can use single sign-on (SSO) services. Alibaba Cloud provides two types of SSO services for enterprise identity providers (IdPs): user-based SSO and role-based SSO.
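
The access-channel restriction in the feature list above can be expressed as a RAM policy with a Condition block. The following policy is an added example, not taken from this page; the bucket name example-bucket, the IP range 203.0.113.0/24 (a documentation range), and the time window are constructed placeholder values.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Resource": "acs:oss:*:*:example-bucket/*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["203.0.113.0/24"]
        },
        "Bool": {
          "acs:SecureTransport": "true"
        },
        "DateGreaterThan": {
          "acs:CurrentTime": "2030-01-01T00:00:00+08:00"
        },
        "DateLessThan": {
          "acs:CurrentTime": "2030-02-01T00:00:00+08:00"
        }
      }
    }
  ]
}
```

All four conditions must hold for the statement to apply: the request comes from the listed IP range, uses HTTPS, and falls inside the time window. A request that fails any of them is not granted access by this statement.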

Scenarios

| Scenario | Description |
| --- | --- |
| Use RAM to manage user permissions and resources | An enterprise wants to migrate a project to the cloud. This requires the purchase of various Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Some employees need to manage these cloud resources, and different employees require different permissions to fulfill their duties. |
| Use a temporary STS token for authorizing a mobile app to access Alibaba Cloud resources | An enterprise has developed a mobile app and purchased the OSS service. The mobile app runs on mobile devices. These mobile devices are not controlled by the enterprise. The enterprise must grant the required permissions to the mobile app. Then, the mobile app can access OSS to upload and download data. |
| Use a RAM role to grant permissions across Alibaba Cloud accounts | An enterprise (Enterprise A) has purchased multiple Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A. |
| Use RAM for authorizing applications to access Alibaba Cloud resources | An enterprise has purchased Elastic Compute Service (ECS) instances and wants to deploy its applications on these ECS instances. These applications need to use AccessKey pairs to call API operations of other Alibaba Cloud services. |

Benefits

RAM allows you to create and manage RAM users, such as employees, systems, and apps, and to manage their permissions to access Alibaba Cloud resources. RAM also applies when multiple users in an enterprise need to collaboratively manage cloud resources. You can grant each user the minimum required permissions. This improves security because you can keep your Alibaba Cloud account and password confidential.

Endpoint

The endpoint for accessing RAM by calling API operations is https://ram.aliyuncs.com.

Learning path

You can use the RAM learning path to learn more about RAM and basic operations. You can also perform custom development by using diverse API operations, SDK packages, and other easy-to-use tools.