This topic describes what an AccessKey pair is and how to create one for a Resource Access Management (RAM) user or an Alibaba Cloud account.
What is an AccessKey pair?
An AccessKey pair is a long-term security credential that Alibaba Cloud provides to a user. It consists of an AccessKey ID and an AccessKey secret.
AccessKey ID: The unique public identifier for the AccessKey pair.
AccessKey secret: The secret part of the AccessKey pair. It is used to sign API requests to verify the authenticity and integrity of the request. You must keep your AccessKey secret strictly confidential.
To reduce the risk of leaks, an AccessKey secret is displayed only once when you create it. You cannot retrieve it later. Make sure to store it securely.
How to use an AccessKey pair
You cannot use an AccessKey pair to log on to the console. Instead, you can use it to make programmatic calls to Alibaba Cloud APIs using tools such as the command-line interface (CLI), software development kits (SDKs), or Terraform.
As a best practice, applications or services should avoid directly using AccessKey pairs to access Alibaba Cloud resources whenever possible. Alibaba Cloud provides multiple solutions that do not require an AccessKey pair and allow you to use more secure temporary credentials, such as Security Token Service (STS) tokens, to access resources. For specific use cases, see When do I use RAM?
If you must create and use an AccessKey pair, see the best practices for its use: Best practices for identity and access management.
How an AccessKey pair works
RAM generates the AccessKey ID and AccessKey secret using a specific algorithm. These credentials are encrypted during both storage and transmission.
When an application uses an AccessKey pair to make a request, the request includes the AccessKey ID and a signature. The signature is calculated by using the AccessKey secret to sign the request. When Alibaba Cloud receives the request, it performs identity verification and validates the legitimacy of the request. For more information about the specific signature mechanism that Alibaba Cloud uses, see Request syntax and signature method V3.
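The following Python sketch is an added illustration, not code from the Alibaba Cloud documentation or SDKs. It follows the general structure of the V3 scheme: the client canonicalizes the request and sends only the AccessKey ID plus an HMAC-SHA256 signature, and the server recomputes the signature from the secret it has stored for that ID, so a tampered request or an unknown key fails verification. The exact canonicalization, header set and Authorization format of the real V3 method are assumptions here; use the official SDKs for production calls.

```python
import hashlib
import hmac

# Constructed sample credentials for the demo; not real Alibaba Cloud keys.
ACCESS_KEY_ID = "LTAI_EXAMPLE_ID"
ACCESS_KEY_SECRET = "EXAMPLE_SECRET_never_commit_me"

def canonical_request(method, path, query, headers, body):
    """Canonical string both sides sign (simplified: query values assumed to need no URL-encoding)."""
    canon_query = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed = sorted(lowered)
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in signed)
    payload_hash = hashlib.sha256(body).hexdigest()
    canon = "\n".join([method, path, canon_query, canon_headers,
                       ";".join(signed), payload_hash])
    return canon, ";".join(signed)

def sign(secret, canon):
    """HMAC-SHA256 over the hashed canonical request; the secret itself never leaves the client."""
    string_to_sign = "ACS3-HMAC-SHA256\n" + hashlib.sha256(canon.encode()).hexdigest()
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()

def build_authorization(method, path, query, headers, body, key_id, secret):
    """Client side: the request carries the AccessKey ID and the signature only."""
    canon, signed = canonical_request(method, path, query, headers, body)
    sig = sign(secret, canon)
    return f"ACS3-HMAC-SHA256 Credential={key_id},SignedHeaders={signed},Signature={sig}"

def verify(method, path, query, headers, body, authorization, key_store):
    """Server side: look up the secret by AccessKey ID, recompute, compare in constant time."""
    fields = dict(p.split("=", 1) for p in authorization.split(" ", 1)[1].split(","))
    secret = key_store.get(fields.get("Credential"))
    if secret is None:
        return False  # unknown, disabled or deleted AccessKey ID
    canon, _ = canonical_request(method, path, query, headers, body)
    return hmac.compare_digest(sign(secret, canon), fields.get("Signature", ""))

# Constructed sample request (a ListAccessKeys call against the RAM endpoint).
REQUEST = dict(
    method="POST", path="/", query={"RegionId": "cn-hangzhou"}, body=b"",
    headers={"host": "ram.aliyuncs.com", "x-acs-action": "ListAccessKeys",
             "x-acs-version": "2015-05-01", "x-acs-date": "2024-01-01T00:00:00Z",
             "x-acs-signature-nonce": "constructed-nonce-0001",
             "x-acs-content-sha256": hashlib.sha256(b"").hexdigest()})

if __name__ == "__main__":  # quick demo: sign, then verify against a one-entry key store
    auth = build_authorization(**REQUEST, key_id=ACCESS_KEY_ID, secret=ACCESS_KEY_SECRET)
    print(auth, verify(**REQUEST, authorization=auth, key_store={ACCESS_KEY_ID: ACCESS_KEY_SECRET}))
```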
AccessKey pair categories
An AccessKey pair can belong to either an Alibaba Cloud account or a RAM user. AccessKey pairs are categorized based on their owner:
Alibaba Cloud account AccessKey pair (Not recommended)
This type of AccessKey pair is created directly by an Alibaba Cloud account. By default, it has full permissions on all resources under the account and can perform any operation. A leak of the account AccessKey pair poses an extremely high security risk. We strongly recommend that you do not create or use an AccessKey pair for your Alibaba Cloud account.
RAM user AccessKey pair (Recommended)
This is a programmatic access credential for a RAM user. You must create a RAM user before you can create an AccessKey pair for the user. The AccessKey pair of a RAM user inherits the permissions of that user, which enables least-privilege access management. We recommend that you assign a separate RAM user and AccessKey pair for each independent business application. This practice prevents you from assigning excessive permissions or increasing the risk of leaks that can result from sharing credentials.
Permission requirements
Because an Alibaba Cloud account has full access to all resources, you should avoid using it to create AccessKey pairs in a production environment. Instead, as a best practice, use a RAM user that is granted only the necessary permissions to create and manage AccessKey pairs for other RAM users.
You can attach the AliyunRAMFullAccess system policy to an administrator to allow them to create and manage AccessKey pairs for RAM users. You can also allow RAM users to manage their own AccessKey pairs by enabling the Allow users to manage AccessKey option in the global security settings of RAM. For more information, see Manage the security settings of RAM users.
Note: Enabling this setting allows all RAM users to manage their own AccessKey pairs. This includes all related operations, such as creating, disabling, and deleting AccessKey pairs, unless an administrator attaches a policy that explicitly denies these operations.
We do not recommend enabling this setting in a production environment. To allow specific RAM users to manage their own AccessKey pairs, we recommend that you use a custom policy and set the Resource element in the policy to the user's own Alibaba Cloud Resource Name (ARN). The following sample policies are for your reference:
Allow a RAM user to create their own AccessKey pair
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateAccessKey",
        "ram:ListAccessKeys"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
    }
  ]
}
Allow a RAM user to manage their own AccessKey pair
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateAccessKey",
        "ram:ListAccessKeys",
        "ram:UpdateAccessKey",
        "ram:DeleteAccessKey",
        "ram:GetAccessKeyLastUsed",
        "ram:ListAccessKeysInRecycleBin"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
    }
  ]
}
Create an AccessKey pair for a RAM user
A RAM administrator (a user with the AliyunRAMFullAccess policy attached) can perform the following operations. If you do not have any RAM users under your account, create one first.
Console
Log on to the RAM console. In the left-side navigation pane, choose .
Find the target RAM user and click its username.
On the Authentication tab, in the AccessKey section, click Create AccessKey.
Note: Each RAM user can have a maximum of two AccessKey pairs. One is for regular use, and the other is created for rotation to replace the old one.
In the dialog box that appears, review the use cases and suggestions for using AccessKey pairs. We recommend that you select a more suitable credential solution. If you must create an AccessKey pair, select a use case, select I confirm that it is necessary to create an AccessKey, and click Continue. This choice is for data collection purposes and does not affect the permissions or properties of the created AccessKey pair.
Complete the security verification as prompted.
In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and click OK.
(Optional) Configure AccessKey Network Access Control: You can restrict the source IP addresses for API requests that use the AccessKey pair. This improves security by restricting access to the AccessKey pair to trusted network environments. We recommend that you identify the network environment where the AccessKey pair is used, and click Go to Settings. For more information, see Configure an AccessKey-level network access restriction policy for a RAM user.
Important: To reduce the risk of leaks, the AccessKey secret is displayed only once when you create it. You cannot retrieve it later. Make sure to store it securely.
API
Call the CreateAccessKey operation to create an AccessKey pair and specify the following parameter:
UserPrincipalName: The logon name of the RAM user to which the AccessKey pair belongs. The format is test@example.onaliyun.com. You can find the logon name of the RAM user in the RAM console.
To reduce the risk of leaks, the AccessKey secret is displayed only when you call the CreateAccessKey operation. You cannot retrieve it later. Make sure to store it securely.
Create an AccessKey pair for an Alibaba Cloud account (Not recommended)
Unless necessary, we strongly recommend that you do not create or use an AccessKey pair for your Alibaba Cloud account. Before you proceed, evaluate whether you can use the AccessKey pair of a RAM user instead.
Log on to the RAM console with your Alibaba Cloud account.
Hover over the profile picture in the upper-right corner of the page that appears and click AccessKey.
In the Main Account AccessKey is not recommended dialog box, review the risks of creating an AccessKey pair for your Alibaba Cloud account. To proceed, select I am aware of the security risks of using a main account AccessKey, and click Use Main Account AccessKey.
On the AccessKey page, click Create AccessKey.
Note: An Alibaba Cloud account can have a maximum of two AccessKey pairs. One is for regular use, and the other is created for rotation to replace the old one.
In the Create Main Account AccessKey dialog box, review the security risks and limits again. To create the AccessKey pair, select I am aware of the security risks of using a main account AccessKey, and click Use Main Account AccessKey.
In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, select I have saved the AccessKey Secret, and click OK.
(Optional) Configure AccessKey Network Access Control: You can restrict the source IP addresses for API requests that use the AccessKey pair. This improves security by restricting access to the AccessKey pair to trusted network environments. We recommend that you identify the network environment where the AccessKey pair is used, and click Go to Settings. For more information, see Configure an AccessKey-level network access restriction policy for a RAM user.
Important: To reduce the risk of leaks, the AccessKey secret of an Alibaba Cloud account is displayed only when you create it. You cannot retrieve it later. Make sure to store it securely.