
Elastic Compute Service: Grant RAM users permissions to use ECS resources

Last Updated: May 27, 2024

When multiple users use an Alibaba Cloud account to simultaneously access resources, you can create multiple Resource Access Management (RAM) users for the Alibaba Cloud account and grant the RAM users the minimum permissions to use resources on demand. This way, you can implement RAM user-based access control, prevent users from sharing account keys, improve management efficiency, and reduce the risk of information leaks. This topic describes how to grant a RAM user permissions to use Elastic Compute Service (ECS) resources to control access to the resources.


RAM is a service provided by Alibaba Cloud to manage user identities and resource access permissions. A RAM user serves as a RAM account. You can use an Alibaba Cloud account to create multiple RAM users and grant the RAM users different permissions. This way, the RAM users can access different resources. For more information, see What is RAM? and Overview of RAM users.


Before you begin, make sure that at least one RAM user is created in your Alibaba Cloud account. For more information, see Create a RAM user.


  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. (Optional) Create a custom policy.

    If the system policies provided by Alibaba Cloud do not meet your business requirements, create a custom policy based on the principle of least privilege for fine-grained permission management. For more information, see Create custom policies.

  3. Grant permissions to the RAM user.

    Attach a system policy or a custom policy to the RAM user to grant the RAM user permissions to access or manage relevant resources. For more information, see Grant permissions to a RAM user.

  4. After the policy is attached to the RAM user, the RAM user can log on to the ECS console to manage specific resources.

    For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
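The following added example (not part of the original Alibaba Cloud documentation) shows a pre-attachment check for the custom policy in step 2: it compares an over-broad ECS policy with a least-privilege one and reports the grants a reviewer should question. The two policies, the region `cn-hangzhou`, the instance ID `i-EXAMPLE`, and the review rules themselves are constructed for illustration.

```python
import json

# Constructed sample policies in RAM policy syntax. The region and the
# instance ID "i-EXAMPLE" are placeholders, not values from the page.
BROAD = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}
  ]
}""")

SCOPED = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:DescribeInstances"],
     "Resource": "acs:ecs:cn-hangzhou:*:instance/*"},
    {"Effect": "Allow",
     "Action": ["ecs:StartInstance", "ecs:StopInstance"],
     "Resource": "acs:ecs:cn-hangzhou:*:instance/i-EXAMPLE"}
  ]
}""")

def as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, issue, value) for over-broad Allow grants."""
    # Review rules assumed for this example, not RAM's own evaluation logic.
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, "wildcard action", action))
        for resource in as_list(stmt.get("Resource", [])):
            if not resource.startswith("acs:ecs:"):
                findings.append((i, "resource not scoped to ECS", resource))
    return findings

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy) or "no findings")
```

The check is deliberately conservative: it also flags prefix wildcards such as `ecs:Describe*`, so a reviewer confirms each one rather than accepting it by default.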


  • You can view the permissions that are granted to a RAM user and the permissions that the RAM user inherits from RAM user groups. For more information, see View the permissions of a RAM user.

  • If a RAM user no longer requires specific permissions or the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.

  • You can view the multi-factor authentication (MFA) methods that are supported by RAM users, MFA usage notes, and MFA limits. For more information, see What is multi-factor authentication?