
ApsaraMQ for RocketMQ:Identity management

Last Updated:Mar 11, 2026

ApsaraMQ for RocketMQ uses Alibaba Cloud Resource Access Management (RAM) for access control. Instead of using your Alibaba Cloud account for daily operations, create RAM identities with scoped permissions to reduce the blast radius of credential compromise.

Three identity types are available:

Identity type      | Credential type                                                   | Best for
-------------------|-------------------------------------------------------------------|---------------------------------------------------------------
RAM user           | Password (console) or AccessKey pair (API)                        | Individual team members or applications that need direct access
RAM user group     | Individual member credentials; shared permissions from group policies | Teams that share the same permission set
RAM role           | Temporary Security Token Service (STS) token                      | Applications and federated identity (SSO)
Important

Prefer RAM roles with temporary STS credentials over RAM users with permanent AccessKey pairs. Temporary credentials expire automatically, which limits the blast radius if they are compromised.

RAM users

A RAM user is an identity within your Alibaba Cloud account that represents a person or application. A RAM user can be created by the Alibaba Cloud account itself, or by a RAM user or RAM role that has administrative rights. After you grant the required permissions, the RAM user can log on to the Alibaba Cloud Management Console or call API operations to manage resources within the Alibaba Cloud account to which it belongs.

Console access and API access

When you create a RAM user, set the Access Mode parameter to one or both of the following:

  • Console Access -- The RAM user logs on to the Alibaba Cloud Management Console with a username and password. Enable multi-factor authentication (MFA) for all console-access RAM users.

  • Using permanent AccessKey to access -- The RAM user makes API calls with an AccessKey pair.

Secure your RAM users

  • Create a dedicated admin user. Use your Alibaba Cloud account to create one RAM user with administrative rights. Then use that RAM user to create and manage all other RAM users. Avoid using your Alibaba Cloud account for routine tasks.

  • Separate human and programmatic identities. Create distinct RAM users for people (console access) and applications (API access). This separation limits the impact of credential leaks and simplifies auditing.

  • Apply least privilege. Grant only the permissions required for the specific task. Least-privilege permissions improve data security and prevent permission abuse. For ApsaraMQ for RocketMQ permission details, see System policies for ApsaraMQ for RocketMQ 5.0 and Custom policies for ApsaraMQ for RocketMQ.

  • Keep credentials out of code. Never embed an AccessKey ID or AccessKey secret in source code. Use STS tokens or environment variables instead. See Credential security solutions.

  • Enable single sign-on (SSO) to let RAM users authenticate through your enterprise identity provider. See Overview of user-based SSO.
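The "keep credentials out of code" rule above, as an added Python example (not code from the documentation or from any Alibaba Cloud tool): a scanner that flags AccessKey material embedded in source text, beside a loader that takes credentials from the environment and prefers an STS token when one is present. The sample snippets, the sample environment, and the length range in the AccessKey ID pattern are constructed assumptions; the `ALIBABA_CLOUD_*` variable names are the ones the SDK default credential chain reads.

```python
"""Added example (not from the ApsaraMQ for RocketMQ documentation or any
Alibaba Cloud tool): a scanner for AccessKey material embedded in source text,
and a loader that reads credentials from the environment instead, preferring
an STS token when one is present. Sample snippets are constructed."""
import os
import re
from dataclasses import dataclass

# Alibaba Cloud AccessKey IDs start with "LTAI"; the trailing length range is an
# assumption chosen to cover IDs seen in practice without matching ordinary prose.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")
# Secrets have no fixed prefix, so look for a secret-like name assigned a long literal.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|secret[_-]?key)\s*[:=]\s*['\"]([A-Za-z0-9/+=]{20,})['\"]"
)

# Variable names read by the Alibaba Cloud SDK default credential chain.
ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"
ENV_SECURITY_TOKEN = "ALIBABA_CLOUD_SECURITY_TOKEN"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str  # "access_key_id" or "access_key_secret"


def scan_source(path, text):
    """Return one Finding per line that carries an AccessKey ID or a secret literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append(Finding(path, line_no, "access_key_id"))
        if SECRET_ASSIGN_RE.search(line):
            findings.append(Finding(path, line_no, "access_key_secret"))
    return findings


def load_credentials(env=None):
    """Build a credential record from the environment, never from source or config files."""
    env = dict(os.environ) if env is None else env
    key_id = env.get(ENV_KEY_ID)
    key_secret = env.get(ENV_KEY_SECRET)
    token = env.get(ENV_SECURITY_TOKEN)
    if not key_id or not key_secret:
        raise RuntimeError(f"set {ENV_KEY_ID} and {ENV_KEY_SECRET} (and {ENV_SECURITY_TOKEN} for STS)")
    if token:
        # Temporary STS credentials expire on their own, so a leak has a bounded lifetime.
        return {"kind": "sts", "access_key_id": key_id,
                "access_key_secret": key_secret, "security_token": token}
    # A permanent AccessKey pair works, but should be the exception for workloads.
    return {"kind": "permanent", "access_key_id": key_id, "access_key_secret": key_secret}


# Constructed sample: the anti-pattern, credentials hardcoded in producer settings.
BAD_SNIPPET = (
    "# producer settings\n"
    'ACCESS_KEY_ID = "LTAIEXAMPLE000000000"\n'
    'ACCESS_KEY_SECRET = "ExampleSecret0000000000000000ab"\n'
    'endpoint = "rmq-example.example.com:8080"\n'
)
# Constructed sample: the same settings read from the environment.
GOOD_SNIPPET = (
    "import os\n"
    'key_id = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]\n'
    'key_secret = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]\n'
    'endpoint = "rmq-example.example.com:8080"\n'
)
# Constructed environment standing in for what an STS-backed runtime would inject.
SAMPLE_STS_ENV = {
    ENV_KEY_ID: "STS.EXAMPLE000000000",
    ENV_KEY_SECRET: "ExampleSecret0000000000000000ab",
    ENV_SECURITY_TOKEN: "ExampleToken.00000000000000000000000000",
}


if __name__ == "__main__":
    for f in scan_source("producer.py", BAD_SNIPPET):
        print(f"{f.path}:{f.line_no}: hardcoded {f.kind}")
    print("clean:", scan_source("producer_env.py", GOOD_SNIPPET) == [])
    print("loaded:", load_credentials(SAMPLE_STS_ENV)["kind"])
```

Running the block reports the two hardcoded lines in the constructed snippet, confirms the environment-based snippet is clean, and shows the loader classifying the sample environment as an STS session; wiring `scan_source` into a pre-commit hook keeps the anti-pattern from reaching the repository in the first place.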

For more information, see Overview of RAM users.

RAM user groups

A RAM user group lets you manage permissions for multiple RAM users at once. Assign the same permissions to all members of a group instead of configuring each user individually.

Manage group permissions

  • Apply least privilege at the group level. Grant only the permissions the group needs.

  • Remove users whose responsibilities change. If a team member moves to a different role, remove them from the group promptly.

  • Revoke unused permissions. Periodically review group permissions and remove any that are no longer needed.

For more information, see Overview of a RAM user group.

RAM roles

A RAM role is a virtual identity with no permanent credentials -- no password and no AccessKey pair. To use a RAM role, a trusted entity assumes the role and receives a temporary STS token. The trusted entity then uses the STS token to access Alibaba Cloud resources.

Assume a RAM role

  1. A trusted entity (RAM user, Alibaba Cloud service, or external identity provider) calls the AssumeRole operation.

  2. STS returns a temporary token with a limited validity period.

  3. The trusted entity uses the token to access resources as the RAM role.

Secure your RAM roles

  • Avoid changing the trusted entity after creation. Changing the trusted entity may cause permission loss that affects your workloads. Adding a trusted entity may lead to privilege escalation. Test all changes thoroughly before applying them.

  • Set an appropriate session duration. The maximum validity period of an STS token equals the maximum session duration configured for the RAM role. Keep this value as short as practical to limit exposure if a token is compromised. See Specify the maximum session duration for a RAM role.

  • Enable SSO for RAM roles to allow federated users to access Alibaba Cloud resources through your enterprise identity provider. See Role-based SSO.
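The three AssumeRole steps and the session-duration rule above, as an added Python example (not code from the documentation or from the Alibaba Cloud SDK): an offline simulation in which the role's trusted entities and maximum session duration are plain data, the simulated STS enforces both before issuing a token, and the resource side refuses tokens that are expired or about to expire. The account ID, ARNs, session names, and the 1-hour to 12-hour bound on the maximum session duration are assumptions.

```python
"""Added example (not from the ApsaraMQ for RocketMQ documentation or the
Alibaba Cloud SDK): an offline simulation of the AssumeRole exchange. The
role's trusted entities and maximum session duration are modelled as data; the
simulated STS enforces both, and the resource side checks token expiry with a
refresh margin. All ARNs, names and the duration bounds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Assumed bounds for a role's maximum session duration (1 to 12 hours).
MIN_SESSION_SECONDS = 3600
MAX_SESSION_SECONDS = 43200


@dataclass(frozen=True)
class RamRole:
    arn: str
    trusted_entities: frozenset  # principal ARNs allowed to assume the role
    max_session_duration: int = MIN_SESSION_SECONDS

    def __post_init__(self):
        if not MIN_SESSION_SECONDS <= self.max_session_duration <= MAX_SESSION_SECONDS:
            raise ValueError("max_session_duration outside the assumed 1h..12h range")


@dataclass(frozen=True)
class StsToken:
    access_key_id: str    # temporary AccessKey ID issued for the session
    security_token: str   # must accompany every call made with the session
    role_arn: str
    session_name: str     # appears in audit records, so name it after the job
    expiration: datetime


class StsSimulator:
    """Steps 1 and 2: a trusted entity calls AssumeRole and STS returns a temporary token."""

    def __init__(self, roles):
        self.roles = {role.arn: role for role in roles}

    def assume_role(self, caller_arn, role_arn, session_name, duration_seconds=None, now=None):
        role = self.roles.get(role_arn)
        if role is None or caller_arn not in role.trusted_entities:
            # The trust relationship is all that stands between a caller and the role's permissions.
            raise PermissionError(f"{caller_arn} is not a trusted entity of {role_arn}")
        requested = role.max_session_duration if duration_seconds is None else duration_seconds
        if requested > role.max_session_duration:
            # A token can never outlive the role's configured maximum session duration.
            raise ValueError("DurationSeconds exceeds the role's maximum session duration")
        now = now or datetime.now(timezone.utc)
        return StsToken(
            access_key_id="STS." + secrets.token_hex(8),
            security_token=secrets.token_urlsafe(32),
            role_arn=role_arn,
            session_name=session_name,
            expiration=now + timedelta(seconds=requested),
        )


def seconds_remaining(token, now):
    return int((token.expiration - now).total_seconds())


def token_is_valid(token, now, refresh_margin_seconds=60):
    """Step 3, resource side: reject tokens that are expired or about to expire."""
    return seconds_remaining(token, now) > refresh_margin_seconds


# Constructed identities for the walkthrough.
ACCOUNT = "123456789012"
DEPLOY_BOT = f"acs:ram::{ACCOUNT}:user/deploy-bot"
PRODUCER_ROLE = RamRole(
    arn=f"acs:ram::{ACCOUNT}:role/rocketmq-producer",
    trusted_entities=frozenset({DEPLOY_BOT}),
    max_session_duration=3600,
)
FIXED_NOW = datetime(2026, 3, 11, 8, 0, tzinfo=timezone.utc)


def _rejected(call, exc_type):
    try:
        call()
    except exc_type:
        return True
    return False


def demo():
    """Run the exchange against a fixed clock and return the observations."""
    sts = StsSimulator([PRODUCER_ROLE])
    token = sts.assume_role(DEPLOY_BOT, PRODUCER_ROLE.arn, "ci-build-42", now=FIXED_NOW)
    return {
        "expires_in": seconds_remaining(token, FIXED_NOW),
        "valid_halfway": token_is_valid(token, FIXED_NOW + timedelta(minutes=30)),
        "valid_near_expiry": token_is_valid(token, FIXED_NOW + timedelta(seconds=3560)),
        "untrusted_rejected": _rejected(
            lambda: sts.assume_role(f"acs:ram::{ACCOUNT}:user/intern", PRODUCER_ROLE.arn, "x", now=FIXED_NOW),
            PermissionError),
        "over_max_rejected": _rejected(
            lambda: sts.assume_role(DEPLOY_BOT, PRODUCER_ROLE.arn, "x", duration_seconds=7200, now=FIXED_NOW),
            ValueError),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The refresh margin in `token_is_valid` is the practical counterpart of a short session duration: a client that renews a little before expiry avoids failed calls, while the role's maximum still caps how long any single leaked token remains usable.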

For more information, see RAM role overview and Assume a RAM role.

References