
ApsaraMQ for RabbitMQ: Granting permissions to RAM users

Last Updated: Mar 07, 2026

Resource Access Management (RAM) lets you manage permissions for Alibaba Cloud accounts and RAM users separately. You can grant different permissions to RAM users based on your business needs. This helps prevent security risks that can occur if the AccessKey pair for your Alibaba Cloud account is leaked.

Background information

Enterprise A has activated ApsaraMQ for RabbitMQ. The enterprise requires its employees to manage ApsaraMQ for RabbitMQ resources, such as instances, virtual hosts (vhosts), queues, and exchanges. Because employees have different job responsibilities, they require different permissions. Enterprise A has the following requirements:

  • For security reasons, Enterprise A does not want to expose its Alibaba Cloud account's AccessKey pair to employees. Instead, the enterprise wants to create a separate user account for each employee.

  • User accounts can manage resources only after they are granted the required permissions. The resource usage of each user account is not independently metered for billing. All costs are charged to the enterprise's Alibaba Cloud account.

  • The enterprise can revoke a user account's permissions or delete the user account at any time.

Step 1: Create a RAM user

Log on to the RAM console using the Alibaba Cloud account of Enterprise A and create a RAM user for an employee.

Procedure

Console

  1. Log on to the RAM console using your Alibaba Cloud account or as a RAM administrator (for example, a RAM user to which the AliyunRAMFullAccess policy is attached).

  2. In the left-side navigation pane, choose Identity > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the basic information for the user.

    • Logon Name (required): The logon name can contain letters, digits, periods (.), hyphens (-), and underscores (_). It can be up to 64 characters in length.

    • Display Name (optional): The display name can be up to 128 characters in length.

    • Tag (optional): Click the edit icon and enter a tag key and a tag value. Tags help you categorize and manage RAM users.

    Note

    Click Add User to create multiple RAM users at the same time.

  5. In the Access Mode section, select an access mode based on the user type.

    Important
    • As a security best practice, we recommend selecting only one access mode per user. This creates a clear separation between human users who require console access and applications that require programmatic access.

    • An AccessKey pair is a long-term credential for programmatic access. If an AccessKey pair is leaked, the security of all resources in your account is at risk. We recommend that you use Security Token Service (STS) tokens as temporary credentials to reduce the risk of credential leakage. For more information, see Best practices for using an access credential to call API operations.

    Console access

    For human users, such as employees, select Console Access.

    • Set Logon Password: Choose one of the following password options:

    • Password Reset: Specifies whether the RAM user must reset the password at the next logon.

    • Enable MFA: By default, multi-factor authentication (MFA) is required for logon. To modify this setting, see Manage the security settings of RAM users. RAM users must bind an MFA device during their first logon. For more information, see Bind an MFA device to a RAM user.

    Programmatic access

    For applications or systems, select Using permanent AccessKey to access.

    After you enable this option, the system automatically creates an AccessKey ID and an AccessKey secret for the RAM user.

    Important

    The AccessKey secret is displayed only once upon creation and cannot be retrieved later. This is your only opportunity to view and save the secret. You must copy and save it to a secure location immediately or click Download CSV File to download the file. If an AccessKey pair is leaked, it compromises the security of all resources in your account. For more information, see Create an AccessKey pair.

API

Create a RAM user for console access

  1. Call GetDefaultDomain to obtain the default logon suffix for your account. The format is <AccountAlias>.onaliyun.com.

  2. Call CreateUser to create a RAM user. The required parameters are as follows:

    1. UserPrincipalName: The logon name of the RAM user. The format is <username>@<AccountAlias>.onaliyun.com. <username> is the name of the RAM user, and <AccountAlias>.onaliyun.com is the default logon suffix.

    2. DisplayName: The display name of the RAM user. It can be different from the <username>.

  3. Call CreateLoginProfile to create a login profile for the user, which enables console access. The recommended settings for some parameters are as follows:

    1. UserPrincipalName: The logon name of the RAM user that you created in the previous step.

    2. Password: Set a password that meets the password complexity requirements of your account. You can call GetPasswordPolicy to query the password policy for RAM users.

    3. MFABindRequired: We recommend that you require MFA for the RAM user. To do this, set this parameter to true.

    4. Status: Specifies whether to enable password-based logon to the console. Keep the default value Active.

Create a RAM user for programmatic access

  1. Call GetDefaultDomain to obtain the default logon suffix for your account in the format <AccountAlias>.onaliyun.com.

  2. Call CreateUser to create a RAM user. The required parameters are as follows:

    1. UserPrincipalName: The logon name of the RAM user. The format is <username>@<AccountAlias>.onaliyun.com. <username> is the name of the RAM user, and <AccountAlias>.onaliyun.com is the default logon suffix.

    2. DisplayName: The display name of the RAM user. It can be different from the <username>.

  3. Call CreateAccessKey to create an AccessKey pair. You only need to specify the UserPrincipalName for the RAM user that you created in the previous step.

    Important

    The CreateAccessKey API operation returns an AccessKey ID and an AccessKey secret. This is your only opportunity to view and save the secret. You must copy and save it to a secure location immediately. If an AccessKey pair is leaked, it compromises the security of all resources in your account. For more information, see Create an AccessKey.
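The two API procedures above (console access and programmatic access) as one added Python example, not code from the Alibaba Cloud documentation or SDK: the API operation and parameter names are the ones this page lists, while the injectable `call` transport, the response field names `DefaultDomainName` and `AccessKey`, and the placeholder values are assumptions.

```python
# Added example (not Alibaba Cloud's own code): the two API procedures from this
# document as one function. API and parameter names (GetDefaultDomain, CreateUser,
# CreateLoginProfile, CreateAccessKey, UserPrincipalName, ...) are those the page
# lists; the `call` transport and the response field names are assumptions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Caller = Callable[[str, dict], dict]  # (ApiName, params) -> parsed JSON response

@dataclass
class ProvisionResult:
    user_principal_name: str
    access_key_id: Optional[str] = None
    access_key_secret: Optional[str] = None  # shown once by the API; store it, never log it

def provision_ram_user(call: Caller, username: str, display_name: str,
                       access_mode: str, password: Optional[str] = None) -> ProvisionResult:
    """Create one RAM user with exactly one access mode, as the page recommends."""
    if access_mode not in ("console", "programmatic"):
        raise ValueError("access_mode must be 'console' or 'programmatic'")
    # Step 1: default logon suffix, <AccountAlias>.onaliyun.com (field name assumed)
    domain = call("GetDefaultDomain", {})["DefaultDomainName"]
    upn = f"{username}@{domain}"
    # Step 2: the user itself; DisplayName may differ from <username>
    call("CreateUser", {"UserPrincipalName": upn, "DisplayName": display_name})
    if access_mode == "console":
        if not password:
            raise ValueError("console access needs an initial password")
        # Step 3 (console): logon profile with MFA required and password logon enabled
        call("CreateLoginProfile", {"UserPrincipalName": upn, "Password": password,
                                    "MFABindRequired": True, "Status": "Active"})
        return ProvisionResult(upn)
    # Step 3 (programmatic): long-term AccessKey pair; the secret is returned only here
    key = call("CreateAccessKey", {"UserPrincipalName": upn})["AccessKey"]
    return ProvisionResult(upn, key["AccessKeyId"], key["AccessKeySecret"])

class RecordingCaller:
    """Constructed offline stand-in for the SDK/CLI transport: records every call
    and returns fabricated responses shaped like the real ones (assumed shape)."""
    def __init__(self, alias: str = "example-alias") -> None:
        self.alias = alias
        self.calls: List[Tuple[str, dict]] = []
    def __call__(self, api: str, params: dict) -> dict:
        self.calls.append((api, dict(params)))
        if api == "GetDefaultDomain":
            return {"DefaultDomainName": f"{self.alias}.onaliyun.com"}
        if api == "CreateAccessKey":  # placeholder credential values, not real ones
            return {"AccessKey": {"AccessKeyId": "AKID-PLACEHOLDER", "AccessKeySecret": "SECRET-PLACEHOLDER"}}
        return {}
```

Swap `RecordingCaller` for a thin wrapper around your SDK or CLI invocation to run the same sequence against the real IMS API; the function never prints the secret, so the caller decides where it is stored.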

Step 2: Grant permissions to the RAM user

Grant different permissions to different RAM users.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select an Authorized Scope.

      • Account: The permissions take effect on the current Alibaba Cloud account.

      • Resource Group Level: The permission is scoped to a specific resource group.

        Note

        Permissions on a specific resource group take effect only if the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify a principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select a Policy.

      An access policy is a collection of access permissions. There are two types:

      • System policies: Policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Alibaba Cloud maintains the policy versions. For more information, see Services that work with RAM.

      • Custom policies: Policies that you manage. You can create, update, and delete custom policies and maintain their versions yourself. For more information, see Create a custom policy.

      Note

      The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching high-risk policies that grant unnecessary permissions.

    4. Click Confirm New Authorization.

  5. Click Close.

What to do next

After Enterprise A grants permissions to a RAM user, the employee who uses the RAM user can access ApsaraMQ for RabbitMQ in one of the following ways.

  • Console

    1. In a browser, open the RAM user logon page.

    2. On the RAM User Logon page, enter the RAM user name, click Next, enter the RAM user password, and then click Log On.

      Note

      The RAM user logon name is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used by default.

  • API

    In your code, use the AccessKey ID and AccessKey secret of the RAM user to call an API to access ApsaraMQ for RabbitMQ.