Create Resource Access Management (RAM) users and grant each one only the ARMS permissions they need. This avoids sharing your Alibaba Cloud account credentials and reduces the risk of key exposure, while letting team members handle day-to-day operations independently.
Application Real-Time Monitoring Service (ARMS) provides two system policies:
| Policy | Permissions | Scope |
|---|---|---|
| AliyunARMSFullAccess | View, edit, and delete instances across all ARMS sub-services | Full access |
| AliyunARMSReadOnlyAccess | View instance information for each sub-service (no modify or delete) | Read-only |
If you attach AliyunARMSFullAccess, you do not need to also attach AliyunARMSReadOnlyAccess.
To grant read-only access to all ARMS features within a specific resource group, attach both the AliyunARMSReadOnlyAccess policy and the ReadTraceApp permission. Without ReadTraceApp, ARMS cannot display the application list for that resource group.
Prerequisites
Before you begin, ensure that you have:
ARMS activated. See Activate ARMS
RAM activated. See Activate RAM
Step 1: Create a RAM user
Log on to the RAM console with an Alibaba Cloud account or a RAM user that has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.

In the User Account Information section, configure the following parameters:
| Parameter | Description |
|---|---|
| Logon Name | Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_). |
| Display Name | Up to 128 characters. |
| Tag | Click the icon to add one or more tag key-value pairs for easier management. |

Note: Click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
For security, select only one access mode per RAM user to separate human access from programmatic access.
Console Access
Best for individual users who log on through the console. Configure these parameters:
| Parameter | Description |
|---|---|
| Set Console Password | Select Automatically Regenerate Default Password or Reset Custom Password. Custom passwords must meet complexity requirements. For details, see Configure a password policy for RAM users. |
| Password Reset | Specify whether the RAM user must reset the password on next logon. |
| Enable MFA | Enable multi-factor authentication (MFA). After enabling, bind an MFA device to the RAM user. For details, see Bind an MFA device to a RAM user. |

Using permanent AccessKey to access
Best for programmatic access. The system automatically generates an AccessKey ID and AccessKey secret. For details, see Obtain an AccessKey pair.
Important: The AccessKey secret is displayed only at creation time and cannot be retrieved later. Back it up immediately.
An AccessKey pair is a permanent credential. If leaked, all account resources are at risk. For better security, use Security Token Service (STS) tokens instead. For details, see Best practices for using access credentials to call API operations.
Click OK.
Complete the security verification as prompted.
Step 2: Grant permissions to the RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
Find the target RAM user and click Add Permissions in the Actions column.
Note: To grant permissions to multiple RAM users at once, select them and click Add Permissions at the bottom of the page.
In the Grant Permission panel, configure the following parameters:
Resource Scope -- Select the scope of authorization:
Account: The current Alibaba Cloud account
ResourceGroup: A specific resource group
Important: If you select ResourceGroup, make sure the cloud service supports resource groups. For details, see Services that work with Resource Group. For a step-by-step example, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Principal -- The RAM user to authorize. Automatically set to the current RAM user.
Policy -- Select one or more policies:
System policies -- Predefined by Alibaba Cloud. These policies cannot be modified and are maintained by Alibaba Cloud. For details, see Services that work with RAM.
Note: The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless absolutely necessary.
Custom policies -- Create and manage your own policies based on business requirements. For details, see Create a custom policy.
Click Grant permissions.
Click Close.
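The guidance in Steps 1 and 2 can be checked mechanically once the users and their grants are exported. The following is an added example, not Alibaba Cloud code: the record layout, the finding codes, and the sample users are constructed for illustration, and ReadTraceApp is modeled as a named grant alongside the system policies.

```python
# Added example: lint a RAM user inventory against this page's guidance.
# Record layout is hypothetical; sample data is constructed; no API is called.

HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}  # flagged in Step 2

def audit_user(user):
    """Return a sorted list of finding codes for one RAM user record."""
    findings = set()
    grants = user.get("grants", [])
    names = {g["policy"] for g in grants}
    # Step 1: one access mode per user (human vs. programmatic).
    if user.get("console") and user.get("access_key"):
        findings.add("MIXED_ACCESS_MODE")
    # Step 2: high-risk system policies should be the exception.
    if names & HIGH_RISK:
        findings.add("HIGH_RISK_POLICY")
    # Full access already covers read-only, so the second grant is redundant.
    if {"AliyunARMSFullAccess", "AliyunARMSReadOnlyAccess"} <= names:
        findings.add("REDUNDANT_READONLY")
    # Read-only inside a resource group also needs ReadTraceApp in that group.
    for g in grants:
        if g["policy"] == "AliyunARMSReadOnlyAccess" and g["scope"] != "Account":
            same_scope = {x["policy"] for x in grants if x["scope"] == g["scope"]}
            if "ReadTraceApp" not in same_scope:
                findings.add("MISSING_READTRACEAPP")
    return sorted(findings)

def audit(inventory):
    """Map user name -> findings, omitting users with no findings."""
    report = {u["name"]: audit_user(u) for u in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory; scope is "Account" or a resource group name.
SAMPLE = [
    {"name": "ops-console", "console": True, "access_key": False,
     "grants": [{"policy": "AliyunARMSReadOnlyAccess", "scope": "rg-prod"},
                {"policy": "ReadTraceApp", "scope": "rg-prod"}]},
    {"name": "ci-bot", "console": True, "access_key": True,
     "grants": [{"policy": "AliyunARMSFullAccess", "scope": "Account"},
                {"policy": "AliyunARMSReadOnlyAccess", "scope": "Account"}]},
    {"name": "viewer", "console": True, "access_key": False,
     "grants": [{"policy": "AliyunARMSReadOnlyAccess", "scope": "rg-dev"}]},
    {"name": "legacy-admin", "console": False, "access_key": True,
     "grants": [{"policy": "AdministratorAccess", "scope": "Account"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```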
Share credentials and log on
After creating the RAM user, share the logon credentials (username and password, or AccessKey pair) with the intended user.
Log on to the console
Go to the RAM user logon page.
Enter the RAM user logon name in one of the following formats, then click Next.

| Format | Example | Details |
|---|---|---|
| <UserName>@<AccountAlias>.onaliyun.com (default domain) | username@company-alias.onaliyun.com | See Terms and View and modify the default domain name. |
| <UserName>@<AccountAlias> (account alias) | username@company-alias | See Terms and View and modify the default domain name. |
| <UserName>@<DomainAlias> (domain alias) | username@example.com | Only available if a domain alias is configured. See Terms and Create and verify a domain alias. |

Enter the password and click Log On.
(Optional) If MFA is enabled, complete the MFA verification. For details, see MFA overview and Bind an MFA device to a RAM user.
Call API operations with an AccessKey pair
To authenticate API requests, specify the RAM user's AccessKey ID and AccessKey secret in your code. For details, see Best practices for using access credentials to call API operations.