Currently, ACM supports both Alibaba Cloud AccessKey/SecretKey and ACM-specific AccessKey/SecretKey. This topic explains why two sets of identification are in place, and how they are different.

Why two sets of identification are in place

  • Alibaba Cloud doesn’t support primary accounts in the first place. Alibaba Cloud primary accounts have a lot of permissions and pose high risks once leaked. Therefore, you’re not encouraged to access other systems with the AccessKey/SecretKey of primary accounts.
  • The Alibaba Cloud account system is mainly used for user access control and has a limited QPS tolerance. Therefore, you’re not encouraged to use it for authentication in data access control.

Their differences

| Identification type | Alibaba Cloud AccessKey/SecretKey | ACM-specific AccessKey/SecretKey |
|---|---|---|
| Permission | A primary account has all permissions. An unauthorized sub-account doesn’t have any permissions. An authorized sub-account has all permissions. (Authorization of finer granularity for sub-accounts to be implemented) | Can operate on any data in a namespace |
| Usage | Used in combination with other cloud products, such as implementing data encryption by integrating with KMS | Compatible with old usage |

Suggestions on usage

Alibaba Cloud now supports a sub-account system and provides interfaces with considerably higher performance, so the ACM-specific account system no longer gives you an edge. Instead, we recommend that you use the Alibaba Cloud account system.