Last Updated: Jun 30, 2017

If a new user or application needs to access your cloud resources, you can create and grant permissions to a RAM-User. The general procedure to do this is as follows:

  1. Use the primary account (or a RAM-User with RAM operation permissions) to log on to the RAM console.
  2. Create a RAM user and add the user to one or more groups.
  3. Attach one or more authorization policies to the user (or the group to which the user belongs).
  4. Set an access key for the user. If the user is to perform operations using the console, you need to set a logon password for the user. If the user is to call APIs, you need to create an API access key for the user.
  5. If the user needs to use special permissions (for example, to stop ECS instances), you can set MFA for the user and require that the user uses an MFA password to log on to the Alibaba Cloud console.
  6. Provide the user with the logon URL, username, and logon password.

Basic settings

  • Set the enterprise alias

    1. Log on to the RAM console and select Settings > Enterprise Alias Settings.

    2. Click Edit Enterprise Alias.

  • Set the password policy for the RAM user

    Log on to the RAM console and click Settings > Password Strength Settings.


    All RAM users created hereafter must comply with the password strength policy you set.

Create a RAM user

  1. Log on to the RAM console and click Users.

  2. Click New User on the User Management page, and then fill in the user information in the pop-up window.

Set a logon password

  1. Log on to the RAM console and click Users.

  2. Select a user to go to the User Details page.

  3. Click Enable console login and set an initial password for the user in the pop-up window. You can also specify that the user must change this password upon the first logon.

  4. After setting a logon password, you can also enable MFA, Reset Password, or Disable console login.

Create an access key (AK)

A user access key is equivalent to a logon password, but it is used in different scenarios. Access keys are used to call cloud service APIs, while logon passwords are used to log on to the console. If the user does not have to call APIs, you do not have to create an access key for the user.

  1. Log on to the RAM console and click Users.

  2. Select a user to open the User Details page.

  3. Click Create Access key in the User Access Key section to create a new access key in the pop-up window.



New access keys are displayed only during creation. For security purposes, RAM does not provide an access key query interface. Therefore, please keep the access key safe. If your access key is disclosed or lost, you must create a new one.

Set virtual MFA

Multi-Factor Authentication (MFA) is a simple but effective best practice that can provide additional security protection. After MFA is enabled, when a user logs on to Alibaba Cloud, the system requires the user to enter the user name and password (first security factor), and then enter a variable verification code (second security factor) provided by the user’s VMFA (virtual MFA) device. All these factors work together to offer higher security protection for your account.

The VMFA device is an application that generates a 6-digit verification code. It complies with the time-based one-time password algorithm (TOTP) standard (RFC 6238). This application can run on mobile hardware devices including smartphones, making it easily accessible. However, the security level offered by the VMFA application is not as high as that offered by a physical MFA device because the VMFA application can run on devices with poor security such as smartphones.
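The 6-digit code described above can be reproduced with a short RFC 6238 implementation. This is an added example, not Alibaba Cloud's code: the `verify` helper, its one-step drift window and its replay check are assumptions about how a verifier might accept codes, and the secret is the RFC 6238 test seed rather than a real MFA secret.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)   # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, last_counter=-1, step=30):
    """Return the matched time-step counter, or None if the code is rejected.

    window:       time steps of clock drift tolerated on each side (assumed value)
    last_counter: highest counter already accepted for this user; codes at or
                  below it are refused so an observed code cannot be replayed
    """
    if len(submitted) != 6 or not (submitted.isascii() and submitted.isdigit()):
        return None
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = totp(secret_b32, counter * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return counter
    return None


# Constructed sample secret: the SHA-1 test seed from RFC 6238 Appendix B.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t))
    # A code generated 30 seconds earlier is still accepted within the window.
    print(verify(RFC_SECRET, "287082", 89))
```

Storing the returned counter per user and passing it back as `last_counter` is what makes each code single-use.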

  1. Log on to the RAM console and click Users.

  2. Select a user to open the User Details page.

  3. Click Enable VMFA device in the MFA Device section and then go to the Bind MFA Device process.

RAM user logon

RAM-Users are different from Alibaba Cloud accounts, and therefore, their logon portal is different. RAM-Users cannot log on from the Alibaba Cloud account logon page.

On the RAM console overview page, you can find the RAM-User logon link. RAM-Users can log on to the Alibaba Cloud console through the logon URL.

Note: By default, RAM-Users do not have any access permissions. A RAM-User without permissions can log on to the console, but cannot perform any operations. For details on how to grant permissions to RAM-Users, refer to User Authorization.
