How do I log on to the Alibaba Cloud console as a RAM user?

You can visit https://signin-intl.aliyun.com/login.htm or visit the RAM user logon URL on the right of the overview page in the RAM console.

The user name for logon can be in either of the following formats: <$username>@<$AccountAlias> and <$username>@<$AccountAlias>.onaliyun.com. If you have created a domain alias, you can also use the domain alias in <$username>@<$DomainAlias> format for logon.
Note: When you log on to the Alibaba Cloud console by visiting the RAM user logon URL on the right of the overview page in the RAM console, the system automatically provides a default domain name. You only need to enter the user name.

What are the default domain name, account alias, and domain alias? How do I use and manage them?

For details about the default domain name, account alias, and domain alias, see Terms.

To view and manage the default domain name, account alias, and domain alias of your account, log on to the RAM console using the account or as a RAM user with the RAM permission, and choose Identities > Settings > Advanced > Domain Alias.

What permissions are required for a RAM user to purchase Alibaba Cloud products?

  • For Pay-As-You-Go products, permission to create product instances, or similar permissions are required.
  • For Subscription products, permission to create product instances and permission to make payments (the AliyunBSSOrderAccess policy) are required.
  • For products that must be purchased with the use or creation of some other resources, the permission for reading or creating the corresponding resources is required. The following example describes the permissions required for creating an ECS instance.
    The following policy allows a RAM user to create an ECS instance through the console, the APIs, or the instance launch template.
    
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:DescribeLaunchTemplates",
            "ecs:CreateInstance",
            "ecs:RunInstances",
            "ecs:DescribeInstances",
            "ecs:DescribeImages",
            "ecs:DescribeSecurityGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    To allow a user to use or create other resources when the user is creating an ECS instance, grant the user the following permissions according to the resource types. Log on to the RAM console and click Policies. On the displayed page, create a custom policy and grant permissions as required to the user.
    Operation                                          Policy actions
    Use a snapshot to create an ECS instance.          ecs:DescribeSnapshots
    Create and use a VPC.                              vpc:CreateVpc, vpc:CreateVSwitch
    Create and use a security group.                   ecs:CreateSecurityGroup, ecs:AuthorizeSecurityGroup
    Specify the instance RAM role.                     ecs:DescribeInstanceRamRole, ram:ListRoles, ram:PassRole
    Use a key pair.                                    ecs:CreateKeyPair, ecs:DescribeKeyPairs
    Create an ECS instance on a Dedicated Host (DDH).  ecs:AllocateDedicatedHosts

After I grant permission to a user, why is a message displayed when the user accesses the system, indicating that the user does not have the permission?

  • Check whether the policy attached to the user is correct.
  • Check whether "Effect": "Deny" has been set in the custom policy (including policies of the user and policies of the user's groups) attached to the user for the corresponding resources or operations.

    For example, a user has both the AliyunECSReadOnlyAccess policy (which contains the read-only permission for accessing ECS) and the following policy:

    
    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Deny",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
    

    According to the "Deny takes priority" principle in RAM, the user is not allowed to view the ECS resources.

Why can a user perform operations without the corresponding permission?

For example, if a user who does not have the required custom policy or the ECS FullAccess or ReadOnly system policy can still view ECS instances, perform the following checks:

  1. Check whether the group policy of the user contains the permission that allows the user to perform the corresponding operations.
  2. Check whether other policies attached to the user contain the corresponding permissions.

For example, the system policy of CloudMonitor is AliyunCloudMonitorFullAccess, which contains the following permissions: "ecs:DescribeInstances" (view ECS instances), "rds:DescribeDBInstances" (view RDS instances), and "slb:DescribeLoadBalancer" (view SLB instances). If you attach the AliyunCloudMonitorFullAccess policy to a user, the user has permission to view the information about the ECS, RDS, and SLB instances.
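The three checks described on this page (an explicit "Deny" overriding an Allow, permissions arriving through another attached policy such as the CloudMonitor one, and verifying that a user holds every action the ECS purchase policy above requires) can be reproduced with a small evaluator. This is an added example, not Alibaba Cloud code: the AliyunECSReadOnlyAccess and AliyunCloudMonitorFullAccess documents are approximated here as constructed policies, and wildcard matching is simplified to fnmatch.

```python
import fnmatch

# Constructed stand-ins for the system policies named in the FAQ (not the real documents).
# AliyunECSReadOnlyAccess is approximated as "allow every ecs:Describe* action".
ECS_READ_ONLY = {"Version": "1", "Statement": [
    {"Action": "ecs:Describe*", "Resource": "*", "Effect": "Allow"}]}
# The explicit deny policy quoted in the FAQ.
ECS_DENY_ALL = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Effect": "Deny", "Resource": "*"}]}
# Approximation of AliyunCloudMonitorFullAccess with only the actions the FAQ lists.
CLOUDMONITOR = {"Version": "1", "Statement": [
    {"Action": ["ecs:DescribeInstances", "rds:DescribeDBInstances",
                "slb:DescribeLoadBalancer"], "Resource": "*", "Effect": "Allow"}]}
# Actions the FAQ's example purchase policy grants for creating an ECS instance.
ECS_CREATE_ACTIONS = ["ecs:DescribeLaunchTemplates", "ecs:CreateInstance", "ecs:RunInstances",
                      "ecs:DescribeInstances", "ecs:DescribeImages", "ecs:DescribeSecurityGroups",
                      "vpc:DescribeVpcs", "vpc:DescribeVSwitches"]


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # RAM patterns use "*" as a wildcard; fnmatch is a simplification that covers that case.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across all attached policies.

    Policies from the user, the user's groups and system policies are passed together,
    because RAM evaluates their union; an explicit Deny anywhere wins over any Allow.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # "Deny takes priority": stop at the first explicit deny
            decision = "Allow"
    return decision


def missing_actions(policies, required=ECS_CREATE_ACTIONS):
    """List the required actions a user cannot perform with the given policies."""
    return [a for a in required if evaluate(policies, a) != "Allow"]
```

Feeding a user's complete policy set to `missing_actions` shows at a glance why a console operation fails, which is the diagnosis the two FAQ entries above walk through by hand.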

How do I grant permission to a user for renewal management only?

A unified renewal management policy is not currently available. You must customize a policy according to the specific products. You can grant the user the permission for purchasing the product and the payment permission.

For example, if you want a user to perform ECS renewal management, see What permissions are required for a RAM user to purchase Alibaba Cloud products? to grant required permissions and the AliyunBSSOrderAccess policy to the user.