A RAM user is an identity that you create in Alibaba Cloud Resource Access Management (RAM). A RAM user represents an O&M engineer or app that uses the identity to interact with Alibaba Cloud. A RAM user can access Alibaba Cloud resources after being granted the required permissions.

Create a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Users. In the upper-right corner of the page that appears, click Create User.
  3. In the dialog box that appears, enter the username, display name, and description. Click OK.

Manage RAM users

After creating one or more RAM users, you can manage and modify configurations of the RAM users based on your needs.

  • Modify basic information of a RAM user
    1. In the left-side navigation pane of the RAM console, click Users. In the User Name/Display Name column, click the username of the target RAM user.
      Note: You can use fuzzy search by entering a keyword to search for a specific username.
    2. In the Basic Information section, click Edit Basic Information.
    3. In the dialog box that appears, modify the username, display name, and description.
  • Manage the Web console logon
    You can set a logon password so that a RAM user can log on to the console.
    1. In the left-side navigation pane of the RAM console, click Users. In the User Name/Display Name column, click the username of the target RAM user.
      Note: You can use fuzzy search by entering a keyword to search for a specific username.
    2. In the Web Console Logon Management section, click Enable Console Logon.
    3. In the dialog box that appears, enter a new password and click OK.
  • Enable an MFA device

    Multi-factor authentication (MFA) is an easy-to-use and effective authentication method. In addition to the username and password, an MFA device provides a second authentication factor, which gives your account a higher level of protection.

    1. In the left-side navigation pane of the RAM console, click Users. In the User Name/Display Name column, click the username of the target RAM user.
      Note: You can use fuzzy search by entering a keyword to search for a specific username.
    2. In the MFA Device section, click Enable VMFA Device to enable the MFA device for the RAM user as prompted.
    After you enable an MFA device, two authentication factors are required when the RAM user logs on to the Alibaba Cloud console:
    • The first authentication factor is a valid username and password.
    • The second authentication factor is a random verification code, which is generated by the MFA device.

    A virtual MFA device is an app that generates a six-digit verification code. The code is generated by using the Time-based One-Time Password (TOTP) algorithm, which is defined in RFC 6238. The app runs on a mobile device, such as a smartphone.

  • Manage AccessKey pairs

    Create an AccessKey pair

    To create an AccessKey pair for a RAM user who needs to call API operations, follow these steps:

    1. In the left-side navigation pane of the RAM console, click Users. In the User Name/Display Name column, click the username of the target RAM user.
      Note: You can use fuzzy search by entering a keyword to search for a specific username.
    2. In the User Access Key section, click Create Access Key.
    3. In the dialog box that appears, confirm the AccessKey pair information and save the information for subsequent use.
      Note:
      • The AccessKey secret is only displayed when you create an AccessKey pair, and is not available for subsequent queries. Currently, you can only query the AccessKey ID, status, creation time, and the time when the AccessKey pair was last used.
      • If an AccessKey pair is disclosed or lost, you must create a new one.

    Disable or enable an AccessKey pair

    In the User Access Key section, you can perform the following operations:
    • Click Disable to disable an AccessKey pair.
    • Click Enable to enable an AccessKey pair.

    Delete an AccessKey pair

    Notice: Use caution when you delete an AccessKey pair. If the AccessKey pair is being used by an app, system errors may occur on the app.

    To delete an AccessKey pair, choose Delete > OK.

Log on to the Alibaba Cloud console as a RAM user

The logon name of a RAM user must be in the User Principal Name (UPN) format. All logon names listed in the RAM console use this format.

On the RAM user logon page, you can enter the logon name by using either of the following formats:
  • <$username>@<$AccountAlias>.onaliyun.com (the complete UPN format)
  • <$username>@<$AccountAlias>

The logon URL for RAM users is different from that for Alibaba Cloud accounts. The logon URL for Alibaba Cloud accounts cannot be used by RAM users.

The logon URL for RAM users is https://signin.alibabacloud.com/login.htm.
Note: Alternatively, you can log on to the RAM console by using the Alibaba Cloud account, and find the logon URL on the Overview page.

Grant permission to a RAM user

After creating a RAM user, you can click Authorize to grant permissions to the RAM user.
  1. In the Actions column, click Authorize on the right side of the target RAM user.
  2. In the Edit User-Level Authorization dialog box that appears, select the target policy from the Available Authorization Policy Names column. Click the rightwards arrow and click OK.
    Note: To remove a policy, you can select the target policy from the Selected Authorization Policy Name column, and click the leftwards arrow.

Delete a RAM user

Notice: Use caution when you perform this operation. If you delete a RAM user that is being used by an app, system errors may occur on the app.
  1. In the left-side navigation pane of the RAM console, click Users.
  2. In the Actions column, click Delete on the right side of the target RAM user.
  3. In the Delete User dialog box that appears, select Unlink Dependent Objects and click OK.

Additional information

  • You can add a RAM user to one or more RAM user groups and grant permissions to the groups as needed. For more information, see RAM user groups.
  • You can attach one or more policies to a RAM user to allow the user to access resources. For more information, see Permission granting in RAM.