This topic describes how to create a Resource Access Management (RAM) user. A RAM user is an entity that you create in RAM to represent an O&M engineer or application. After you create a RAM user and grant the relevant permissions to the RAM user, the RAM user can access the required Alibaba Cloud resources.


An Alibaba Cloud account is created and real-name verification is complete. To create an Alibaba Cloud account, visit the Alibaba Cloud official website. For more information about how to create an Alibaba Cloud account, see Create an Alibaba Cloud account.

Create a RAM user

  • We recommend that you set Logon Name to vod in Step 5. In this topic, vod is used as an example.
  • We recommend that you set Access Mode to OpenAPI Access in Step 6.
  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of the Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.
Important After you click OK, the system generates the logon password and the Accesskey pair of the RAM user. Keep the logon password and AccessKey pair secure.

Grant permissions to a RAM user

  1. Log on to the RAM console and click Identities > Users. On the page that appears, find the RAM user you create and click Add Permissions in the Actions column. This topic describes how to grant permissions to the vod user as an example.
  2. In the Add Permissions panel, grant permissions to the RAM user.
    Note We recommend that you attach the system policy AliyunVODFullAccess to the vod user so that the vod user has the permissions to manage and operate all ApsaraVideo VOD resources. You can enter AliyunVODFullAccess in the search box to search for the system policy. For more information about definitions and permissions of system policies in ApsaraVideo VOD, see Overview.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
  3. Click OK.
  4. Click Complete.

What to do next

For more information about how to grant RAM users the permissions to log on to the console, see Enable console logon for a RAM user.