Resource Access Management (RAM) and Security Token Service (STS) are access control systems that are provided by Alibaba Cloud.

For more information about RAM and STS, see the RAM documentation.

RAM is used to control the permissions of accounts. You can use RAM to create and manage RAM users. You can also grant permissions to RAM users to control what resources the RAM users can access.

STS is a security token management system. It is used to manage short-term permissions that are granted to RAM users. You can use STS to grant permissions to temporary users.

Background

RAM and STS enable you to securely grant permissions without exposing the AccessKey information of your Alibaba Cloud account. A leaked AccessKey pair of an Alibaba Cloud account poses a serious security risk: anyone who obtains it can manage all resources of the account and steal sensitive information.

RAM is an access control service that is used to manage long-term permissions. The owner of an Alibaba Cloud account can create RAM users and grant different permissions to the RAM users. The AccessKey pairs of RAM users must be kept safe. However, if the AccessKey pair of a RAM user is leaked, the exposure is limited to the resources that the RAM user is authorized to access. RAM users and their AccessKey pairs remain valid for a long term.

RAM enables you to grant long-term permissions to users, whereas STS enables you to grant short-term permissions to users. You can use STS to obtain temporary AccessKey pairs and tokens. The temporary AccessKey pairs and tokens can be sent to temporary users so that the temporary users can access specific resources. Permissions that are obtained from STS are strictly restricted and have validity periods. This limits the damage if the temporary credentials are leaked.

For more information about how to use RAM and STS, see Examples.

Terms

Before you use RAM and STS, we recommend that you have a basic understanding of the following terms:

  • RAM user: a user that is created in the RAM console. An independent AccessKey pair is generated for a RAM user during or after the creation of the RAM user. After you create a RAM user, you must configure the password and permissions for the RAM user. Then, the RAM user can perform the authorized operations. A RAM user can be considered a user with specific operation permissions.
  • RAM role: an identity that has a set of permissions. RAM roles do not have independent logon passwords and AccessKey pairs. RAM users can assume RAM roles. After a RAM role is assigned to a RAM user, the RAM user has the permissions of the RAM role.
  • Policy: a set of permissions. For example, a policy defines the permissions that allow a RAM user to read or write specific resources.
  • Resource: cloud resources that are accessible to RAM users, such as all Tablestore instances, a Tablestore instance, or a table in a Tablestore instance.

The relationship between RAM users and RAM roles is similar to the relationship between individuals and their identities. For example, a person might be an employee at work and a father at home. A person has different identities in different scenarios. When a person uses an identity, the person has the permissions of the identity. A RAM role is not an entity that can perform operations. To perform the operations that a RAM role allows, you must assign the RAM role to a user. A RAM role can be assumed by multiple users.

Examples

Assume that, as an Alibaba Cloud account administrator, you create two RAM users to avoid the security risks caused by a leak of the AccessKey pair of the Alibaba Cloud account. One of them is named A and the other is named B. An independent AccessKey pair is generated for each of them. A has the read permission and B has the write permission. You can revoke the permissions from the RAM users at any time in the RAM console.

To meet business requirements, you want to grant users short-term permissions to access the IoT Platform API. In this case, we recommend that you do not disclose the AccessKey pair of A. We recommend that you create a RAM role C and grant C the permission to access the IoT Platform API. Note that C cannot be directly used because no AccessKey pair is configured for C. C is only a virtual entity that has the permission to access the IoT Platform API.

You must call the AssumeRole operation of STS to obtain temporary identity credentials that are required to access the IoT Platform API. When you call the AssumeRole operation, you must set the RoleArn parameter to the Alibaba Cloud Resource Name (ARN) of C. If the call is successful, STS returns the temporary AccessKey ID, AccessKey secret, and token as temporary identity credentials. The validity period of these credentials can be specified when you call the AssumeRole operation. You can deliver these credentials to the users who need to access the IoT Platform API. This access permission is temporary.
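The following Python script is an added example, not code from the Alibaba Cloud documentation or SDK. It models the AssumeRole exchange described above on the client side: it assembles the request parameters (RoleArn, RoleSessionName, DurationSeconds), parses the `Credentials` object that STS returns (AccessKeyId, AccessKeySecret, SecurityToken, Expiration), and decides when the temporary credentials must be refreshed. The response body, the account ID, the role name `role-c` and the minimum duration used for validation are constructed placeholders; no network call is made, so it runs offline.

```python
"""Client-side model of the STS AssumeRole flow (added example, not Alibaba Cloud code)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption used only for local validation: STS rejects very short sessions.
STS_MIN_DURATION_SECONDS = 900


def _parse_utc(timestamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in STS responses."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assume_role_params(role_arn: str, session_name: str, duration_seconds: int) -> dict:
    """Return the parameters of an AssumeRole call for the role with ARN `role_arn` (role C in the text)."""
    if not role_arn.startswith("acs:ram::"):
        raise ValueError("RoleArn must be a RAM role ARN of the form acs:ram::<account-id>:role/<name>")
    if not session_name:
        raise ValueError("RoleSessionName is required so that the session is attributable in audit logs")
    if duration_seconds < STS_MIN_DURATION_SECONDS:
        raise ValueError(f"DurationSeconds must be at least {STS_MIN_DURATION_SECONDS}")
    return {
        "Action": "AssumeRole",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


@dataclass(frozen=True)
class TemporaryCredentials:
    """The temporary identity credentials returned by STS."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    def needs_refresh(self, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
        """True when the credentials expire within `skew` of `now`; refresh before handing them out."""
        return now + skew >= self.expiration


def parse_assume_role_response(body: str) -> TemporaryCredentials:
    """Extract the credential triple and expiration from an AssumeRole response body."""
    creds = json.loads(body)["Credentials"]
    return TemporaryCredentials(
        access_key_id=creds["AccessKeyId"],
        access_key_secret=creds["AccessKeySecret"],
        security_token=creds["SecurityToken"],
        expiration=_parse_utc(creds["Expiration"]),
    )


def refresh_needed_at(creds: TemporaryCredentials, now_iso: str) -> bool:
    """Convenience wrapper: evaluate the refresh decision at a given UTC timestamp."""
    return creds.needs_refresh(_parse_utc(now_iso))


# Constructed sample response; every value is a placeholder, not a real credential.
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "Credentials": {
        "AccessKeyId": "STS.placeholderAccessKeyId",
        "AccessKeySecret": "placeholderAccessKeySecret",
        "SecurityToken": "placeholderSecurityToken",
        "Expiration": "2024-01-01T01:00:00Z",
    },
})

if __name__ == "__main__":
    params = build_assume_role_params("acs:ram::123456789012:role/role-c", "app-session", 3600)
    print("request parameters:", params)
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    print("expires at:", creds.expiration.isoformat())
    print("refresh at 00:00?", refresh_needed_at(creds, "2024-01-01T00:00:00Z"))
    print("refresh at 00:56?", refresh_needed_at(creds, "2024-01-01T00:56:00Z"))
```

Only the credential triple plus its expiration should be delivered to the temporary user; the AccessKey pair of RAM user A, which signs the AssumeRole request itself, stays on the issuing side. The refresh skew prevents a consumer from receiving credentials that expire mid-request.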

Why is it complicated to use RAM and STS?

The terms and use of RAM and STS are complicated. They deliver high account security and flexible access control at the cost of ease of use.

RAM allows you to create RAM users and RAM roles to separate the entities that perform operations from the virtual entities that define a set of permissions. A user who needs multiple permissions, such as the read and write permissions, may use only one permission at a time. In this case, you can create two RAM roles and grant one of them the read permission and the other the write permission. Then, you can create a RAM user and assign the two roles to the RAM user. When the RAM user needs the read permission, the RAM user assumes the RAM role that has the read permission. When the RAM user needs the write permission, the RAM user assumes the RAM role that has the write permission. This reduces the risks that are caused by unauthorized permissions in each operation. In addition, you can assign a RAM role to other Alibaba Cloud accounts and RAM users to grant them the permissions of the RAM role. This facilitates collaboration.
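As an added example, not code from the Alibaba Cloud documentation, the following Python script expresses the read/write role split described above as two RAM-style JSON policy documents for Tablestore and checks, with a deliberately simplified evaluator, that a caller who has assumed the reader role cannot write and vice versa. The instance name `demo-instance`, the account ID and region in the test ARNs, and the role names are constructed; the evaluator (explicit Deny wins, any matching Allow grants, default deny) is a local model for illustrating least privilege, not RAM's authorization engine.

```python
"""Read-only and write-only policies for two RAM roles (added example, not Alibaba Cloud code)."""
import fnmatch
import json

# Constructed resource pattern: every table in a single Tablestore instance, any region/account.
TABLE_RESOURCE = "acs:ots:*:*:instance/demo-instance/table/*"

READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ots:Get*", "ots:BatchGet*", "ots:Describe*", "ots:List*"],
        "Resource": [TABLE_RESOURCE],
    }],
}

WRITE_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ots:Put*", "ots:Update*", "ots:Delete*", "ots:BatchWrite*"],
        "Resource": [TABLE_RESOURCE],
    }],
}

# Each RAM role carries exactly one of the two policies; a user assumes one role per task.
ROLES = {
    "tablestore-reader": [READ_ONLY_POLICY],
    "tablestore-writer": [WRITE_ONLY_POLICY],
}


def _matches(patterns, value: str) -> bool:
    """Wildcard match as used in policy Action/Resource lists ('*' spans ':' and '/')."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in patterns)


def is_allowed(policies, action: str, resource: str) -> bool:
    """Simplified evaluation model: an explicit Deny wins, otherwise any matching Allow grants, else deny."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if _matches(statement["Action"], action) and _matches(statement["Resource"], resource):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def assumed_role_can(role_name: str, action: str, resource: str) -> bool:
    """What a caller holding credentials for `role_name` may do under this model."""
    return is_allowed(ROLES[role_name], action, resource)


def policy_json(policy) -> str:
    """Serialize a policy document in the form pasted into the RAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    table = "acs:ots:cn-hangzhou:123456789012:instance/demo-instance/table/orders"
    for role in ROLES:
        for action in ("ots:GetRow", "ots:PutRow"):
            print(f"{role:18} {action:11} -> {assumed_role_can(role, action, table)}")
    print(policy_json(READ_ONLY_POLICY))
```

Because each role grants only one side of the read/write split, a leak of the temporary credentials obtained for the reader role exposes at most read access to that one instance, which is the risk reduction the text describes.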

STS enables more flexible access control. For example, you can configure the validity period for credentials. If long-term credentials are required, you do not need to use STS. In this case, you can use only RAM to manage RAM users.

The following articles provide guidelines and examples that describe how to use RAM and STS. For details of the RAM and STS API operations, see the API references of RAM and STS.