An Alibaba Cloud Resource Access Management (RAM) user is an entity that you create in Alibaba Cloud to represent a person or application that interacts with Alibaba Cloud. A RAM user can access Alibaba Cloud resources after you grant the required permissions to the user.

Create a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Users.
  3. In the upper-right corner of the displayed page, click Create User.
  4. Enter the username, display name, and description.
  5. Click OK.

Manage your RAM users

After you create one or more RAM users, you can customize user settings as needed.

  • Modify basic information about a RAM user.
    1. In the left-side navigation pane of the RAM console, click Users.
    2. In the User Name/Display Name column, click the username of the target RAM user.
      Note You can also enter keywords to search for a specific username.
    3. In the Basic Information section, click Edit Basic Information.
    4. In the displayed dialog box, modify the username, display name, and description as needed.
    5. Click OK.
  • Manage console logon.

    You can set a logon password for RAM users to use when they log on to the console.

    1. In the left-side navigation pane of the RAM console, click Users.
    2. In the User Name/Display Name column, click the username of the target RAM user.
      Note You can also enter keywords to search for a specific username.
    3. In the Web Console Logon Management section, click Enable Console Logon.
    4. In the displayed dialog box, enter a new password.
    5. Confirm the new password and click OK.
  • Attach an MFA device.

    Multi-factor authentication (MFA) is an effective way to provide stronger protection than the standard username and password authentication method.

    1. In the left-side navigation pane of the RAM console, click Users.
    2. In the User Name/Display Name column, click the username of the target RAM user.
      Note You can also enter keywords to search for a specific username.
    3. In the MFA Device section, click Enable VMFA Device and attach the MFA device to the RAM user as prompted.
    After you enable MFA, two authentication factors are required when the RAM user logs on to Alibaba Cloud:
    • The first authentication factor is a valid username and password.
    • The second authentication factor is a verification code generated by the MFA device that the RAM user specified.

    The specified MFA device is an application that generates a 6-digit verification code in compliance with the time-based one-time password (TOTP) algorithm standard, RFC 6238. Such an application generally runs on a mobile device.

  • Manage AccessKeys.

    Create an AccessKey.

    To create an AccessKey for a RAM user who needs to call API actions, follow these steps:

    1. In the left-side navigation pane of the RAM console, click Users.
    2. In the User Name/Display Name column, click the username of the target RAM user.
      Note You can also enter keywords to search for a specific username.
    3. In the User Access Key section, click Create Access Key.
    4. In the displayed dialog box, confirm the AccessKey information and save it for later use.
      Note
      • The AccessKeySecret is displayed only once when you first create it. Currently, only the AccessKeyId, AccessKey status, the latest time when the AccessKey was used, and the time when the AccessKey was created can be queried.
      • If the AccessKey is mistakenly disclosed or lost, you must create a new one.

    Disable an AccessKey.

    In the User Access Key section, you can:
    • Click Disable to disable an AccessKey.
    • Click Enable to enable an AccessKey.

    Delete an AccessKey.

    Notice Do not delete an AccessKey while it is being used by another user. Deleting an AccessKey that is currently in use may cause service failure. Exercise caution when performing this action.

    To delete an AccessKey, click Delete, and then click OK.
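One way to apply the AccessKey notes above, using only the four attributes the page says can be queried: disable a key first and delete it only after it shows no recent use. This is an added example, not Alibaba Cloud code; the record layout, the status strings, the key IDs and the 90-day and 30-day thresholds are all assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed rotation interval
IDLE = timedelta(days=30)     # assumed window after which a key counts as unused


def triage(key: dict, now: datetime) -> str:
    """Return one of: keep, rotate, disable, wait, delete."""
    age = now - key["CreateDate"]
    last = key["LastUsed"]
    idle = (now - last) if last else age  # never used: idle since creation
    if key["Status"] == "Inactive":
        # Already disabled. Delete only when the recorded last use is older
        # than the idle window; otherwise something may still depend on it.
        return "delete" if idle >= IDLE else "wait"
    if idle >= IDLE:
        return "disable"  # reversible step before any deletion
    if age >= MAX_AGE:
        return "rotate"   # in use but old: create a new key, migrate, then disable
    return "keep"


def plan(records, now):
    """Map each AccessKeyId to its recommended action."""
    return {r["AccessKeyId"]: triage(r, now) for r in records}


def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory (hypothetical IDs and dates, not real console output).
NOW = day(2024, 1, 31)
SAMPLE = [
    {"AccessKeyId": "AK-EXAMPLE-A", "Status": "Active",
     "CreateDate": day(2023, 1, 1), "LastUsed": day(2024, 1, 30)},
    {"AccessKeyId": "AK-EXAMPLE-B", "Status": "Active",
     "CreateDate": day(2023, 6, 1), "LastUsed": day(2023, 10, 1)},
    {"AccessKeyId": "AK-EXAMPLE-C", "Status": "Inactive",
     "CreateDate": day(2023, 6, 1), "LastUsed": day(2023, 9, 1)},
    {"AccessKeyId": "AK-EXAMPLE-D", "Status": "Active",
     "CreateDate": day(2024, 1, 20), "LastUsed": None},
    {"AccessKeyId": "AK-EXAMPLE-E", "Status": "Inactive",
     "CreateDate": day(2023, 1, 1), "LastUsed": day(2024, 1, 25)},
]

if __name__ == "__main__":
    for key_id, action in plan(SAMPLE, NOW).items():
        print(key_id, action)
```
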

Grant permission to a RAM user

After you create a RAM user, you can click Authorize to grant permission to the RAM user.
  1. In the Actions column, click Authorize on the right of the target RAM user.
  2. In the displayed dialog box, select the target policy from the Available Authorization Policy Names column.
  3. Click the rightwards arrow and then click OK.
    Note To remove a policy, you can select the target policy from the Selected Authorization Policy Name column, and click the leftwards arrow.

Delete a RAM user

Notice Do not delete a RAM user that is active. Deleting an active RAM user may result in service failure. Exercise caution when performing this action.
  1. In the left-side navigation pane of the RAM console, click Users.
  2. In the Actions column, click Delete on the right of the target RAM user.
  3. In the displayed dialog box, select Unlink Dependent Objects and click OK.

What to do next

  • You can add a RAM user to one or more user groups and grant permission to the group as needed. For more information, see RAM user groups.
  • You can attach one or more policies to a RAM user to allow the user to access resources. For more information, see Permission granting in RAM.