RAM users (sub-accounts) can log on to the IoT Platform console to manage IoT resources, and can use their own AccessKeyId and AccessKeySecret to call the IoT Platform application programming interface (API).

You need to create a RAM user first, and assign the permissions for accessing IoT Platform to this RAM user by using authorization policies. For more information about customizing authorization policies, see Custom permissions.

Create a RAM user

Skip this step if you already have a RAM user.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, select Identities > Users.
  3. Click Create User.
  4. Specify the Logon Name and Display Name parameters, and under Access Mode, select Console Password Logon or Programmatic Access.
    Note We recommend that you select only one access mode for the RAM users to ensure the security of your Alibaba Cloud account. This prevents RAM users who have terminated their employment contracts with the company from accessing Alibaba Cloud resources.
  5. Click OK.

After you create the RAM user, the RAM user can log on to the official website and the IoT Platform console by using the Resource Access Management (RAM) user logon link. To obtain the RAM user logon link, go to the Overview page in the RAM console.

However, the RAM user cannot access your Alibaba Cloud resources before you grant permissions to the RAM user. Therefore, you need to assign permissions for accessing IoT Platform to this RAM user.
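
The recommendation in step 4 to enable only one access mode per RAM user can be verified after users have been created. The following Python script is an added example, not part of the original documentation: the inventory layout, user names and key IDs are constructed for illustration, and in practice the data would be collected with the RAM ListUsers, GetLoginProfile and ListAccessKeys operations.

```python
# Added example: audit RAM users against the "one access mode per user" recommendation.
# The inventory layout below is an assumption for this example, not a RAM API response.

# Constructed sample inventory (all user names and key IDs are made up).
SAMPLE_INVENTORY = [
    {"user_name": "iot-console-ops", "console_logon": True, "access_keys": []},
    {"user_name": "iot-ingest-svc", "console_logon": False,
     "access_keys": [{"id": "EXAMPLEKEY1", "status": "Active"}]},
    {"user_name": "legacy-admin", "console_logon": True,
     "access_keys": [{"id": "EXAMPLEKEY2", "status": "Active"},
                     {"id": "EXAMPLEKEY3", "status": "Inactive"}]},
    {"user_name": "rotated-dev", "console_logon": True,
     "access_keys": [{"id": "EXAMPLEKEY4", "status": "Inactive"}]},
    {"user_name": "unused-user", "console_logon": False, "access_keys": []},
]


def access_modes(user):
    """Return the set of access modes a user can currently authenticate with."""
    modes = set()
    if user.get("console_logon"):
        modes.add("console")
    # Only active keys count: an inactive key cannot sign API requests.
    if any(k.get("status") == "Active" for k in user.get("access_keys", [])):
        modes.add("programmatic")
    return modes


def audit(inventory):
    """Map each user that needs attention to a finding string."""
    findings = {}
    for user in inventory:
        modes = access_modes(user)
        inactive = [k["id"] for k in user.get("access_keys", [])
                    if k.get("status") != "Active"]
        if modes == {"console", "programmatic"}:
            findings[user["user_name"]] = "both access modes enabled"
        elif not modes:
            findings[user["user_name"]] = "no usable access mode (candidate for removal)"
        elif inactive:
            findings[user["user_name"]] = "inactive keys to delete: " + ", ".join(inactive)
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {finding}")
```

Users that have exactly one usable access mode and no leftover inactive keys produce no finding.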

Authorize the RAM user to access IoT Platform

In the RAM console, assign permissions to a RAM user on the Users page, or assign the same permissions to a group on the Groups page. To assign permissions to a RAM user, follow these steps:

  1. Log on to the RAM console using the primary account.
  2. In the left-side navigation pane, click Users.
  3. Select the RAM user that you want to assign permissions to, and then click Add Permissions.
  4. In the Add Permissions dialog box, select the authorization policy that you want to apply to this RAM user, and then click OK.
    Note To assign custom permissions to the RAM user, you need to create an authorization policy first. For more information about customizing an authorization policy, see Custom permissions.


The authorized RAM user can access the resources defined in the authorization policy, and perform the specified operations.

Log on to the console as a RAM user

The primary account user can log on to the console from the official website. However, the RAM user needs to log on to the console on the RAM User Logon page.

  1. Obtain the link for logging on to the RAM User Logon page.

    Log on to the RAM console using the primary account, view the RAM User Logon Link on the Overview page, and then send this logon link to the RAM user.

  2. The RAM user accesses the RAM User Logon page, and logs on to the console.
    • Method 1: Use the default domain name to log on to the console. The format of the logon name for a RAM user is <$username>@<$AccountAlias>.onaliyun.com, for example, username@company-alias.onaliyun.com.
    • Method 2: Use the account alias to log on to the console. The format of the logon name for a RAM user is <$username>@<$AccountAlias>, for example, username@company-alias.
    • Method 3: Use a domain alias to log on to the console if you have specified one. The format of the logon name for a RAM user is <$username>@<$DomainAlias>.
  3. Click Console in the upper-right corner of the page to go to the Home page.
  4. Click Products, and select IoT Platform to go to the IoT Platform console.

Then, the RAM user can perform authorized operations in the console.