Object Storage Service: Use the credentials of a RAM user to log on to the OSS console

Last Updated: Nov 08, 2023

This topic describes how to use the credentials of a Resource Access Management (RAM) user to log on to the Object Storage Service (OSS) console.

Background information

You can use the credentials of a RAM user to log on to the OSS console in the following scenarios:

  • A bucket that is created by using an Alibaba Cloud account stores internal documents of your enterprise. To share specific internal documents with your employees, you can create RAM users for your employees and grant permissions to the RAM users. The RAM users can log on to the OSS console to view these documents.

  • Some of your partners need to periodically view specific materials. You can store the materials in a bucket, create RAM users for the partners, and grant the RAM users the permissions to access the bucket. This way, the partners can log on to the OSS console as RAM users to periodically view the materials.

Step 1: Create a RAM user

  1. Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • (Optional) Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

  6. Click OK.
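
A pre-flight check for a batch of planned RAM users against the limits and recommendations in Step 1, as an added example that is not Alibaba Cloud code. The record fields (`logon_name`, `display_name`, `console_access`, `openapi_access`, `mfa_required`) are a hypothetical schema, the sample records are constructed, and treating missing MFA as a finding is a hardening choice made in this example.

```python
import re

# Step 1 limits: logon name up to 64 chars of letters, digits, '.', '-', '_'
# (ASCII letters assumed here); display name up to 128 chars.
LOGON_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
DISPLAY_NAME_MAX = 128


def review_user(user):
    """Return findings for one planned RAM user (hypothetical record schema)."""
    findings = []
    if not LOGON_NAME_RE.fullmatch(user.get("logon_name", "")):
        findings.append("logon name breaks the length or character rule")
    if len(user.get("display_name", "")) > DISPLAY_NAME_MAX:
        findings.append("display name exceeds 128 characters")
    console = bool(user.get("console_access"))
    openapi = bool(user.get("openapi_access"))
    if console and openapi:
        findings.append("both access modes selected")
    elif not (console or openapi):
        findings.append("no access mode selected")
    # Hardening choice made in this example: people who log on need MFA.
    if console and not user.get("mfa_required"):
        findings.append("console access without required MFA")
    return findings


def review_batch(users):
    """Map logon name -> findings, keeping only users that have findings."""
    report = {}
    for user in users:
        findings = review_user(user)
        if findings:
            report[user.get("logon_name", "<missing>")] = findings
    return report


# Constructed sample batch, not real accounts.
PLANNED_USERS = [
    {"logon_name": "alice.docs", "display_name": "Alice", "console_access": True, "mfa_required": True},
    {"logon_name": "partner viewer", "display_name": "Partner", "console_access": True},
    {"logon_name": "report-job", "display_name": "Report job", "console_access": True, "openapi_access": True, "mfa_required": True},
]

if __name__ == "__main__":
    for name, findings in review_batch(PLANNED_USERS).items():
        print(name, "->", "; ".join(findings))
```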

Step 2: Grant permissions to the RAM user

  1. In the left-side navigation pane, choose Identities > Users.

  2. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

  3. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.

      • Specific Resource Group: The permissions take effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Attach policies to the RAM user.

      To ensure that you can use the features in the OSS console after you log on as a RAM user, attach the following policies to the RAM user: AliyunOSSFullAccess, AliyunCloudMonitorFullAccess, AliyunMNSFullAccess, and AliyunCDNFullAccess.

      If system policies cannot meet your requirements, you can configure a custom policy. For more information, see Create a custom policy.
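
For the document-sharing scenarios in the background section, a custom policy can be much narrower than the full-access system policies. The following added example (not Alibaba Cloud code) builds a read-only RAM policy document for one bucket prefix and flags wildcard actions in a policy. The bucket name `examplebucket`, the prefix `shared-docs/`, and the `FULL_ACCESS_LIKE` document are constructed placeholders, and the action set is a starting point that some console pages may need extended with further read actions.

```python
import json


def read_only_policy(bucket, prefix):
    """Build a RAM policy document for browsing a bucket and downloading one prefix."""
    return {
        "Version": "1",
        "Statement": [
            # The console lists buckets before a user can open one.
            {"Effect": "Allow", "Action": ["oss:ListBuckets"],
             "Resource": ["acs:oss:*:*:*"]},
            # Object names in this bucket are listable; contents are not.
            {"Effect": "Allow", "Action": ["oss:ListObjects"],
             "Resource": [f"acs:oss:*:*:{bucket}"]},
            # Downloads are limited to objects under the shared prefix.
            {"Effect": "Allow", "Action": ["oss:GetObject"],
             "Resource": [f"acs:oss:*:*:{bucket}/{prefix}*"]},
        ],
    }


def broad_grants(policy):
    """Return the wildcard actions granted by Allow statements in a policy."""
    flagged = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        flagged.extend(a for a in actions if "*" in a)
    return flagged


# Constructed stand-in shaped like a full-access grant on OSS.
FULL_ACCESS_LIKE = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

if __name__ == "__main__":
    policy = read_only_policy("examplebucket", "shared-docs/")
    print(json.dumps(policy, indent=2))
    print("wildcard actions in narrow policy:", broad_grants(policy))
    print("wildcard actions in broad policy:", broad_grants(FULL_ACCESS_LIKE))
```

The printed JSON is the document you would paste into the custom policy editor referenced above.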

Step 3: Log on to the OSS console as the RAM user

  1. In the left-side navigation pane of the RAM console, click Overview.

  2. On the Overview tab, obtain the value of Login URL in the Basic Information section.

  3. Click the logon link of the RAM user. Enter the username of the RAM user and click Next. Enter the credentials of the RAM user to log on to the Alibaba Cloud Management Console.

  4. Access OSS by using the OSS console link.