Before you can use Secrets Manager to manage Resource Access Management (RAM) secrets, you must authorize Secrets Manager to manage the AccessKey pairs of RAM users. You grant this authorization by assigning Secrets Manager a RAM role that has the required permissions. This topic describes how to create the policy and the role.

Step 1: Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Set the Policy Name parameter to AliyunKMSManagedRAMCrendentialsRolePolicy.
  5. Set the Configuration Mode parameter to Script and enter the following script in the Policy Document section:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:ListAccessKeys",
                    "ram:CreateAccessKey",
                    "ram:DeleteAccessKey",
                    "ram:UpdateAccessKey"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  6. Click OK.

Step 2: Create a RAM role and attach the policy to the RAM role

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. Create a RAM role.
    1. On the Roles page, click Create Role.
    2. In the Create Role panel, select Alibaba Cloud Service as the trusted entity and click Next.
    3. Set the Role Type parameter to Normal Service Role.
    4. Set the RAM Role Name parameter to AliyunKMSManagedRAMCrendentialsRole.
    5. Select Key Management Service as the trusted service.
    6. Click OK.
  4. Grant permissions to the RAM role.
    1. In the Create Role panel, click Add Permissions to RAM Role in the Finish step. In the Add Permissions panel, the Principal parameter is automatically configured.
    2. In the Select Policy section, click Custom Policy and select the AliyunKMSManagedRAMCrendentialsRolePolicy policy.
    3. Click OK.
    4. Click Complete.
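
The following check is an added example, not part of the original procedure or of any Alibaba Cloud tooling. It compares a policy document, pasted in as JSON text, with the four actions from Step 1, so that a later edit that widens the role's permissions is caught. The names `audit_policy`, `PAGE_POLICY` and `DRIFTED_POLICY` are hypothetical, and the drifted policy is a constructed sample.

```python
import fnmatch
import json

# The four actions granted by the Step 1 policy document on this page.
EXPECTED_ACTIONS = {
    "ram:ListAccessKeys", "ram:CreateAccessKey",
    "ram:DeleteAccessKey", "ram:UpdateAccessKey",
}

# The Step 1 policy document, copied from the page.
PAGE_POLICY = """{"Statement": [{"Effect": "Allow", "Action": [
    "ram:ListAccessKeys", "ram:CreateAccessKey",
    "ram:DeleteAccessKey", "ram:UpdateAccessKey"], "Resource": "*"}],
    "Version": "1"}"""

# Constructed sample: a drifted policy that uses a wildcard action.
DRIFTED_POLICY = """{"Statement": [{"Effect": "Allow", "Action": "ram:*",
    "Resource": "*"}], "Version": "1"}"""

def _as_list(value):
    """An Action element may be one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(document):
    """Return findings where a policy document differs from the Step 1 action set."""
    policy = json.loads(document)
    granted, findings = set(), []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # only Allow statements can widen what the role may do
        for action in _as_list(statement.get("Action")):
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action!r}")
                granted |= {a for a in EXPECTED_ACTIONS if fnmatch.fnmatchcase(a, action)}
            elif action in EXPECTED_ACTIONS:
                granted.add(action)
            else:
                findings.append(f"statement {index}: unexpected action {action!r}")
    for action in sorted(EXPECTED_ACTIONS - granted):
        findings.append(f"missing action {action!r}")
    return findings

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("drifted policy", DRIFTED_POLICY)):
        print(name, "->", audit_policy(doc) or "matches Step 1")
```

An empty result means the document grants exactly the Step 1 actions. A missing action means Secrets Manager cannot complete AccessKey rotation, and an unexpected or wildcard action means the role can do more than this topic intends.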