This topic provides answers to some frequently asked questions (FAQ) about logon, billing, and permissions of RAM users.

What are the logon URL and logon names of RAM users?

You can visit the RAM user logon page.
Note: Alternatively, you can log on to the RAM console by using an Alibaba Cloud account and find the logon URL of RAM users on the Overview page. If you use this URL to visit the logon page, the system automatically provides the default domain name and you only need to enter the username.
You can log on to the console as a RAM user by using one of the following logon names:
  • Logon name 1: <$username>@<$AccountAlias>.onaliyun.com. Example: username@company-alias.onaliyun.com.
    Note: The logon name of the RAM user is in the User Principal Name (UPN) format. All logon names that are listed in the RAM console follow this format. <$username> indicates the username of the RAM user. <$AccountAlias>.onaliyun.com indicates the default domain name.
  • Logon name 2: <$username>@<$AccountAlias>. Example: username@company-alias.
    Note: <$username> indicates the username of the RAM user. <$AccountAlias> indicates the account alias.
  • Logon name 3: <$username>@<$DomainAlias>. You can use this logon name if you have configured a domain alias.
    Note: <$username> indicates the username of the RAM user. <$DomainAlias> indicates the domain alias.

What are the default domain name and domain alias?

For more information about the default domain name and domain alias, see Terms.

To view and manage the default domain name and domain alias, perform the following steps:

  1. Log on to the RAM console by using an Alibaba Cloud account or as a RAM user who has the RAM management permissions.
  2. In the left-side navigation pane, click Settings under Identities.
  3. On the Settings page, click the Advanced tab. On this tab, you can view and manage the default domain name and domain alias.

What permissions does a RAM user need to purchase Alibaba Cloud services?

  • If a RAM user wants to purchase an Alibaba Cloud service on a pay-as-you-go basis, the RAM user only needs the permission to create instances or resources.
  • If a RAM user wants to use the subscription billing method, both the permission to create instances and the permission to make payments are required. To grant the permission to make payments, attach the AliyunBSSOrderAccess policy to the RAM user.
  • When a RAM user purchases a service, the RAM user may need to use or create other resources. In this case, the RAM user must be authorized to read or create the resources.

    The following example is a policy that contains the permissions required for creating Elastic Compute Service (ECS) instances.

    If the policy is attached to a RAM user, the RAM user can create ECS instances from launch templates.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:DescribeLaunchTemplates",
            "ecs:CreateInstance",
            "ecs:RunInstances",
            "ecs:DescribeInstances",
            "ecs:DescribeImages",
            "ecs:DescribeSecurityGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    If you need to use or create other resources when creating an ECS instance, the corresponding permissions are required. The following table lists the operations on other resources and the required permissions.
    Operation                                   Permission
    Use a snapshot to create an ECS instance    ecs:DescribeSnapshots
    Create and use a VPC                        vpc:CreateVpc, vpc:CreateVSwitch
    Create and use a security group             ecs:CreateSecurityGroup, ecs:AuthorizeSecurityGroup
    Assign a RAM role to an ECS instance        ecs:DescribeInstanceRamRole, ram:ListRoles, ram:PassRole
    Use an AccessKey pair                       ecs:CreateKeyPair, ecs:DescribeKeyPairs
    Create an ECS instance on a dedicated host  ecs:AllocateDedicatedHosts

Why is a RAM user unable to access the resources after I have granted the RAM user the required permissions?

  • Check whether the policy that is attached to the RAM user is accurate.
  • Check whether custom policies that are attached to the RAM user contain "Effect": "Deny" to restrict the use of resources or operations. The policies may have been attached to the RAM user or a RAM user group that includes the RAM user.

    For example, both the AliyunECSReadOnlyAccess system policy and the following custom policy are attached to the RAM user. In this case, the RAM user is not allowed to view ECS resources because a Deny statement takes precedence over an Allow statement.

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Deny",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }              

Why can a RAM user perform operations on resources without the required permissions?

For example, a RAM user can view the list of ECS instances even if the AliyunECSFullAccess system policy, the AliyunECSReadOnlyAccess system policy, or related custom policies are not attached to the RAM user.

  • Check whether the policies are attached to the RAM user group that includes the RAM user.
  • Check whether other policies attached to the RAM user contain the required permissions.

    For example, the AliyunCloudMonitorFullAccess system policy indicates full access to CloudMonitor. This policy contains the following permissions: "ecs:DescribeInstances", "rds:DescribeDBInstances", and "slb:DescribeLoadBalancer". If the AliyunCloudMonitorFullAccess policy is attached to a RAM user, the RAM user can view the information of ECS, ApsaraDB for RDS, and Server Load Balancer (SLB) instances.
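
The two troubleshooting questions above (an explicit Deny blocking access, and an unrelated policy granting it) can be checked with one small evaluator. This is an added example, not Alibaba Cloud code: the `evaluate` function, the source labels, the sample ARN, and the simplified stand-in for AliyunECSReadOnlyAccess are assumptions, and the model handles `*` wildcards only and ignores Condition blocks.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def evaluate(attached, action, resource):
    """Decide one request against every policy that reaches the RAM user.

    attached: (source_label, policy_dict) pairs for policies attached to the
    user directly and to each group that includes the user.
    Simplified model: '*' wildcards only, Condition blocks are ignored.
    """
    allows, denies = [], []
    for source, policy in attached:
        for stmt in policy.get("Statement", []):
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            (denies if stmt["Effect"] == "Deny" else allows).append(source)
    if denies:
        return "Deny", denies          # an explicit Deny beats any Allow
    if allows:
        return "Allow", allows         # names the policy that grants access
    return "ImplicitDeny", []          # no statement matched

# Constructed stand-ins for the system policies (the real ones hold more statements).
ECS_READ_ONLY = {"Version": "1", "Statement": [
    {"Action": "ecs:Describe*", "Resource": "*", "Effect": "Allow"}]}
CLOUD_MONITOR = {"Version": "1", "Statement": [
    {"Action": ["ecs:DescribeInstances", "rds:DescribeDBInstances",
                "slb:DescribeLoadBalancer"], "Resource": "*", "Effect": "Allow"}]}
# The custom Deny policy shown on this page.
DENY_ECS = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Effect": "Deny", "Resource": "*"}]}

INSTANCE = "acs:ecs:cn-example:000000000000:instance/i-constructed"  # constructed ARN

if __name__ == "__main__":
    blocked = [("user/AliyunECSReadOnlyAccess", ECS_READ_ONLY),
               ("group/ops/deny-ecs", DENY_ECS)]
    indirect = [("user/AliyunCloudMonitorFullAccess", CLOUD_MONITOR)]
    print(evaluate(blocked, "ecs:DescribeInstances", INSTANCE))
    print(evaluate(indirect, "ecs:DescribeInstances", INSTANCE))
    print(evaluate(indirect, "ecs:StopInstance", INSTANCE))
```

The returned source list is the useful part during an access review: it names the attachment (user or group) responsible for the decision.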

How do I grant a RAM user the permission to manage renewals?

You must create a custom renewal management policy for a specific cloud service and attach the policy to the RAM user. A renewal management policy for all cloud services does not exist. The permissions to purchase the service and make payments are required for RAM users to enable renewal management.

For example, if you want to authorize a RAM user to manage ECS instance renewals, you must grant the required permissions described in "What permissions does a RAM user need to purchase Alibaba Cloud services?" You must also attach the AliyunBSSOrderAccess policy to the RAM user.

How is a RAM user charged for consumed resources?

  • The fees that are incurred by a RAM user are billed to the parent Alibaba Cloud account.
  • A RAM user can use the discounts that are applied to the parent Alibaba Cloud account by default.
  • Financial configurations such as consumption budget, credit limit, and payment methods apply to all RAM users that belong to an Alibaba Cloud account. Financial configurations that apply to a single RAM user are unavailable.
  • RAM users can be authorized to add funds to the parent Alibaba Cloud account. The added funds belong to the Alibaba Cloud account.
  • RAM users or RAM user groups are not separately billed. We recommend that you use Resource Management if you want to obtain bills that contain detailed charges incurred by each RAM user. For more information, see.