With RAM users, you can split permissions, grant different permissions to
RAM users as needed, and avoid the security risks caused by exposing the keys of your
Alibaba Cloud account.
Background information
For security purposes, you can create RAM users for your Alibaba Cloud account and
grant different permissions to these RAM users as needed. This way, you can enable
RAM users to perform their own duties without exposing the key of your Alibaba Cloud
account. In this topic, if Enterprise A wants to allow some employees to handle routine
O&M tasks, Enterprise A can create RAM users and grant the corresponding permissions
to the RAM users. After that, employees can use these RAM users to log on to the console
or call API operations.
Application Real-Time Monitoring Service (ARMS) provides the following system policies:
- AliyunARMSFullAccess: the full access permissions on ARMS
- AliyunARMSReadOnlyAccess: the read-only permissions on ARMS
Step 1: Create a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
Note You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select an access mode.
- Console Access: If you select this option, you must complete the logon security settings. These
settings specify whether to use a system-generated or custom logon password, whether
the password must be reset upon the next logon, and whether to enable multi-factor
authentication (MFA).
Note If you select Custom Logon Password in the Console Password section, you must specify
a password. The password must meet the complexity requirements. For more information
about the complexity requirements, see
Configure a password policy for RAM users.
- OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM
user. The RAM user can call API operations or use other development tools to access
Alibaba Cloud resources.
Note To ensure the security of the Alibaba Cloud account, we recommend that you select
only one access mode for the RAM user. This prevents the RAM user from using an AccessKey
pair to access Alibaba Cloud resources after the RAM user leaves the organization.
- Click OK.
Step 2: Grant permissions to the RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach a policy, and click
Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Select the authorization scope.
- Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
- Specific Resource Group: The authorization takes effect in a specific resource group.
Note If you select Specific Resource Group for Authorized Scope, make sure that the required
cloud service supports resource groups.
For more information, see Services that work with Resource Group.
- Specify the principal.
The principal is the RAM user to which you want to grant permissions. By default,
the current RAM user is specified. You can also specify another RAM user.
- Select policies.
Note You can attach a maximum of five policies to a RAM user at a time. If you want to
attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK.
- Click Complete.
What to do next
After you create a RAM user by using an Alibaba Cloud account, you can share the logon
name and password or AccessKey pair of the RAM user with other users. The users can
perform the following steps to log on to the Alibaba Cloud Management Console or call
API operations as the RAM user.
Log on to the Alibaba Cloud Management Console
- Log on to the Alibaba Cloud Management Console as a RAM user.
- On the RAM User Logon page, enter the username of the RAM user and click Next.
- Logon name 1: default domain name. The format of the logon name of the RAM user is <UserName>@<AccountAlias>.onaliyun.com. Example: username@company-alias.onaliyun.com.
- Logon name 2: the account alias. The format of the logon name of the RAM user is <UserName>@<AccountAlias>. Example: username@company-alias.
- Logon name 3: the domain alias. If you configured a domain alias, you can use this logon name. The format of the logon name of the RAM user is <UserName>@<DomainAlias>. Example: username@example.com.
- Enter the logon password and click Log On.
- Optional. If you enable multi-factor authentication (MFA), enter the verification
code that is provided by the virtual MFA device or configure settings to pass the
Universal 2nd Factor (U2F) authentication.
Use the AccessKey pair of the RAM user to call API operations
When you call an API operation, specify the AccessKey ID and AccessKey secret of the
RAM user in the code.
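How the AccessKey pair of the RAM user is actually used in such a call, as an added example that is not part of the original topic: it builds a signed Alibaba Cloud RPC-style request as the RAM user, reading the key pair from environment variables instead of embedding it in the source, and shows that only the AccessKey ID travels with the request while the secret merely keys the signature. The ARMS API version, region, action name and environment variable names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets
import urllib.parse
from datetime import datetime, timezone

# Added example (not from the Alibaba Cloud topic): sign an RPC-style API request with a
# RAM user's AccessKey pair using HMAC-SHA1 over a canonicalized query string.

def percent_encode(value):
    """RFC 3986 encoding as the API expects: space -> %20, * -> %2A, ~ left as is."""
    return urllib.parse.quote(str(value), safe="~")

def string_to_sign(method, params):
    """Sort parameters by name, encode each k=v pair, join with &, then prefix the method."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"

def sign(params, access_key_secret, method="GET"):
    """HMAC-SHA1 keyed with the AccessKey secret plus a trailing '&', base64-encoded."""
    key = (access_key_secret + "&").encode()
    mac = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_signed_query(action, access_key_id, access_key_secret, nonce=None, timestamp=None):
    """Build the query string of one ARMS API call signed as the RAM user."""
    params = {
        "Action": action,
        "Version": "2019-08-08",      # assumed ARMS API version
        "RegionId": "cn-hangzhou",    # assumed region
        "Format": "JSON",
        "AccessKeyId": access_key_id, # the RAM user's key, never the account's
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or secrets.token_hex(16),   # replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params["Signature"] = sign(params, access_key_secret)   # the secret itself is not sent
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote, safe="~")

if __name__ == "__main__":
    # Read the RAM user's AccessKey pair from the environment (variable names follow
    # the Alibaba Cloud SDK convention, assumed) instead of hardcoding it in source.
    ak_id = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
    ak_secret = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
    print(build_signed_query("ExampleAction", ak_id, ak_secret))  # placeholder action name
```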