A RAM user can be used to access the resources of IoT Platform. This article describes how to create a RAM user, authorize a RAM user to access the resources of IoT Platform, and use a RAM user to log on to the IoT Platform console.

Background information

To use a RAM user to access IoT Platform, you must create the RAM user and attach a policy that grants access permissions on IoT Platform to the RAM user. For more information about how to create custom policies, see Custom permissions.

Create a RAM user

If you already have a RAM user, skip the following steps:

  1. Log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, set the Logon Name and Display Name parameters.
  5. In the Access Mode section, select Console access or Programmatic Access and set the parameters.
    Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user is removed from the organization.
  6. Click OK.
  7. Authenticate your identity. Alibaba Cloud may authenticate your identity by using a verification code. The verification code is sent to the mobile number that is bound to your Alibaba Cloud account. You must enter the verification code in the verification dialog box.

After you create a RAM user, you can use the RAM user to log on to the Alibaba Cloud official website and the IoT Platform console. The logon URL for RAM users is displayed on the Overview page of the RAM console.

A RAM user can access your Alibaba Cloud resources only after you authorize the RAM user. To enable a RAM user to access the resources of IoT Platform, you must grant the RAM user access permissions on IoT Platform.

Authorize a RAM user to access IoT Platform

In the RAM console, you can grant permissions to a single RAM user on the Users page. You can also grant the same permissions to all members in a RAM user group on the Groups page. The following example shows you how to grant permissions to a single RAM user.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. Select the RAM user that you want to authorize and click Add Permissions below the list of RAM users.
  4. In the Add Permissions panel, select the IoT Platform policies that you want to attach to the RAM user and click OK.
    Note If you want to grant custom permissions to a RAM user, you must create a custom policy. For more information about how to create custom policies, see Custom permissions.

After the authorization is complete, the RAM user can access resources and perform operations as defined in the policies that are attached to the RAM user.

Log on to the console as a RAM user

If you use an Alibaba Cloud account, you can log on to the console from the Alibaba Cloud official website. If you are a RAM user, you must log on to the console from the RAM Account Login page.

  1. Obtain the URL of the RAM Account Login page.

    Log on to the RAM console by using your Alibaba Cloud account. On the Overview page, copy the URL in the Account Management section. You can send the URL to RAM users.

  2. Go to the RAM Account Login page to log on to the console as a RAM user.

    You can log on to the console as a RAM user by using a logon name in the following formats:

    • Logon name 1: <$username>@<$AccountAlias>.onaliyun.com. Example: username@company-alias.onaliyun.com.
      Note The logon name of the RAM user is in the User Principal Name (UPN) format. All logon names that are listed in the RAM console follow this format. <$username> indicates the username of the RAM user. <$AccountAlias>.onaliyun.com indicates the default domain name.
    • Logon name 2: <$username>@<$AccountAlias>. Example: username@company-alias.
      Note <$username> indicates the username of the RAM user. <$AccountAlias> indicates the account alias.
    • Logon name 3: <$username>@<$DomainAlias>. You can use this logon name if you have configured a domain alias.
      Note <$username> indicates the username of the RAM user. <$DomainAlias> indicates the domain alias.
  3. In the upper-right corner, click Console to go to the Alibaba Cloud Management Console.
  4. Move the pointer over the upper-left corner in the console and choose Products and Services > IoT Platform. Then, you can go to the IoT Platform console.

After you log on to the IoT Platform console as a RAM user, you can use the RAM user to perform authorized operations in the console.
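Because one RAM user can log on under any of the three logon name formats above, logon records for the same identity may not match as plain strings. The following added example (not part of the original article or of any Alibaba Cloud tooling) maps each format to the UPN form; the function names, the allowed character set, the case-insensitive comparison, and the sample values are assumptions.

```python
import re

DEFAULT_SUFFIX = ".onaliyun.com"
# Assumption: usernames use only letters, digits, '.', '_' and '-'.
_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def normalize_logon_name(logon_name, account_alias, domain_aliases=()):
    """Return (canonical_upn, form) for a RAM logon name.

    account_alias and domain_aliases come from your own account settings:
    formats 2 and 3 cannot be told apart from the string alone.
    Raises ValueError for names that do not belong to this account.
    """
    value = logon_name.strip().lower()  # assumption: case-insensitive match
    if value.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    username, suffix = value.split("@")
    if not _NAME.match(username):
        raise ValueError("malformed username")
    alias = account_alias.lower()
    if suffix == alias + DEFAULT_SUFFIX:
        form = "upn"              # Logon name 1
    elif suffix == alias:
        form = "account-alias"    # Logon name 2
    elif suffix in {d.lower() for d in domain_aliases}:
        form = "domain-alias"     # Logon name 3
    else:
        raise ValueError("suffix does not belong to this account")
    return f"{username}@{alias}{DEFAULT_SUFFIX}", form


def group_by_identity(logon_names, account_alias, domain_aliases=()):
    """Group observed logon names by canonical UPN; collect unknown ones."""
    groups, rejected = {}, []
    for name in logon_names:
        try:
            upn, _ = normalize_logon_name(name, account_alias, domain_aliases)
        except ValueError:
            rejected.append(name)
            continue
        groups.setdefault(upn, []).append(name)
    return groups, rejected


# Constructed sample values; example.com stands in for a configured domain alias.
SAMPLE = ["username@company-alias.onaliyun.com", "username@company-alias",
          "username@example.com", "username@other-alias.onaliyun.com"]

if __name__ == "__main__":
    print(group_by_identity(SAMPLE, "company-alias", ["example.com"]))
```

Names that end up in the rejected list carry a suffix that matches neither the account alias nor a configured domain alias, so they belong to another account or are malformed.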