This topic describes how to create a Resource Access Management (RAM) user. A RAM user is an entity that you create in RAM to represent an individual or a program that needs to access Alibaba Cloud. After you create a RAM user and grant it the relevant permissions, the RAM user can access the required Alibaba Cloud resources.

Prerequisites

An Alibaba Cloud account is created and real-name verification is complete. To create an Alibaba Cloud account, visit the Alibaba Cloud official website. For more information about how to create an Alibaba Cloud account, see Create an Alibaba Cloud account.

Create a RAM user

Note
  • We recommend that you set Logon Name to vod in Step 4. In this topic, vod is used as an example.
  • We recommend that you set Access Mode to OpenAPI Access in Step 5.
  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Optional: Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Enable an MFA device for a RAM user.
    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.
Important After you click OK, the system generates the logon password and the AccessKey pair of the RAM user. Keep the logon password and AccessKey pair secure.

Grant permissions to a RAM user

  1. Log on to the RAM console and choose Identities > Users. On the page that appears, find the RAM user that you created and click Add Permissions in the Actions column. In this topic, the vod user is used as an example.
  2. In the Add Permissions panel, grant permissions to the RAM user.
    Note We recommend that you attach the system policy AliyunVODFullAccess to the vod user so that the vod user has the permissions to manage and operate all ApsaraVideo VOD resources. You can enter AliyunVODFullAccess in the search box to search for the system policy. For more information about definitions and permissions of system policies in ApsaraVideo VOD, see Overview.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  3. Click OK.
  4. Click Complete.
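
The constraints stated in the two procedures above (logon-name and display-name limits, one access mode per RAM user, at most five policies per attach operation), written as a pre-flight check over a provisioning plan. This is an added example, not Alibaba Cloud code: the dict layout, function names and ExamplePolicy names are hypothetical, letters are assumed to be ASCII, and the MFA finding is an extra hardening check that the page leaves optional.

```python
import re

# Rules taken from the page: logon name <= 64 chars of letters, digits, '.', '-', '_';
# display name <= 128 chars; at most five policies per attach operation.
LOGON_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumption: ASCII letters only
MAX_DISPLAY_NAME = 128
MAX_POLICIES_PER_ATTACH = 5

def check_user(spec):
    """Return a list of findings for one planned RAM user (hypothetical dict layout)."""
    findings = []
    if not LOGON_NAME_RE.fullmatch(spec["logon_name"]):
        findings.append("logon name violates length/character rules")
    if len(spec.get("display_name", "")) > MAX_DISPLAY_NAME:
        findings.append("display name longer than 128 characters")
    console = spec.get("console_access", False)
    openapi = spec.get("openapi_access", False)
    if console and openapi:
        findings.append("both access modes selected; split into a human user and a program user")
    if not (console or openapi):
        findings.append("no access mode selected")
    # Hardening check added by this example; the page leaves MFA optional.
    if console and not spec.get("mfa_required", False):
        findings.append("console access without required MFA")
    return findings

def attach_batches(policies):
    """Split policies into groups of at most five, one group per Add Permissions operation."""
    unique = list(dict.fromkeys(policies))  # drop duplicates, keep order
    return [unique[i:i + MAX_POLICIES_PER_ATTACH]
            for i in range(0, len(unique), MAX_POLICIES_PER_ATTACH)]

# Constructed sample plan; only "vod" and AliyunVODFullAccess come from the page.
PLAN = [
    {"logon_name": "vod", "display_name": "VOD service", "openapi_access": True,
     "policies": ["AliyunVODFullAccess"]},
    {"logon_name": "ops admin", "display_name": "Ops", "console_access": True,
     "openapi_access": True, "policies": [f"ExamplePolicy{i}" for i in range(7)]},
]

if __name__ == "__main__":
    for user in PLAN:
        print(user["logon_name"], check_user(user), attach_batches(user["policies"]))
```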

What to do next

For more information about how to grant RAM users the permissions to log on to the console, see Enable console logon for a RAM user.