This topic describes how to create a Resource Access Management (RAM) user and grant the permissions on Express Connect to the RAM user. To ensure data security, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to a RAM user.

Background information

Policies include system policies and custom policies. Before you manage the Express Connect permissions of a RAM user, take note of the following system policies.
Policy name: AliyunExpressConnectFullAccess
Description: Permissions to manage Express Connect.
Scenario:
  • RAM users can log on to the Express Connect console and perform all operations in the console.
  • RAM users can call all API operations of Express Connect.

Policy name: AliyunExpressConnectReadOnlyAccess
Description: Read-only permissions on Express Connect.
Scenario:
  • RAM users can log on to the Express Connect console and view all pages in the console. However, they cannot perform operations that add, create, or delete resources.
  • RAM users can call the query API operations of Express Connect.
If the system policies cannot meet your business requirements, you can create custom policies. For more information, see Create a custom policy.
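As an added example (not from this page or from Alibaba Cloud's own documentation), the following Python script audits a custom RAM policy document for least-privilege problems before the policy is attached: it rejects wildcard actions and, when the policy is meant to be read-only, any action that is not a query operation. The document layout (Version "1", Statement with Effect, Action and Resource) is the RAM policy language; the two vpc:Describe* action names are assumed Express Connect actions, and both sample policies are constructed for illustration.

```python
import json

# Constructed sample: a custom read-only policy for Express Connect.
# The vpc:Describe* action names are assumed Express Connect actions.
READ_ONLY_EXPRESS_CONNECT_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "vpc:DescribePhysicalConnections",
            "vpc:DescribeVirtualBorderRouters",
        ],
        "Resource": "*",
    }],
})

# Constructed sample: an over-broad policy that violates least privilege.
OVERBROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "vpc:*", "Resource": "*"}],
})

# Verb prefixes that RAM query (read-only) API operations start with.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """RAM allows Action/Resource as a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, read_only=False):
    """Return a list of findings for a RAM policy document; [] means it passes."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if "*" in service or "*" in name:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif read_only and not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: {action!r} is not read-only")
    return findings


if __name__ == "__main__":
    print(audit_policy(READ_ONLY_EXPRESS_CONNECT_POLICY, read_only=True))  # []
    print(audit_policy(OVERBROAD_POLICY))  # one wildcard finding
```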

Procedure

In the following example, system policies of Express Connect are attached to a RAM user.

  1. Step 1: Create a RAM user
  2. Step 2: Grant permissions to the RAM user
  3. Step 3: Use the RAM user to log on to the console or call an API operation

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select Console Access, configure the console logon password, password reset policies, and multi-factor authentication (MFA) policies.
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the employee who uses the RAM user cannot use an AccessKey pair to access Alibaba Cloud resources after the employee leaves the organization.
  6. Click OK.

Step 2: Grant permissions to the RAM user

Method 1: Grant permissions to the RAM user on the Users page

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user that you want to manage and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select a policy.
      • You can select AliyunExpressConnectFullAccess or AliyunExpressConnectReadOnlyAccess. If the system policies for Express Connect in the RAM console cannot meet your business requirements, you can create custom policies. For more information about how to create custom policies, see Create a custom policy.
      • You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK. Then, click Complete.

Method 2: Grant permissions to a RAM user on the Grants page

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Grant Permission panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted.
    3. Select a policy.
      • You can select AliyunExpressConnectFullAccess or AliyunExpressConnectReadOnlyAccess. If the system policies for Express Connect in the RAM console cannot meet your business requirements, you can create custom policies. For more information about how to create custom policies, see Create a custom policy.
      • You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK. Then, click Complete.

Step 3: Use the RAM user to log on to the console or call an API operation

After you create a RAM user by using an Alibaba Cloud account, you can share the logon name and password or the AccessKey pair of the RAM user with other users. The users can perform the following steps to log on to the Alibaba Cloud console or call an API operation as the RAM user.

Log on to the Alibaba Cloud console

  1. Log on to the Alibaba Cloud Management Console as a RAM user.
  2. On the RAM User Logon page, enter the username of the RAM user and click Next.
    • Logon method 1: Use the default domain name. The logon name of the RAM user follows the <UserName>@<AccountAlias>.onaliyun.com format. Example: username@company-alias.onaliyun.com.
    • Logon method 2: Use the account alias. The logon name of the RAM user follows the <UserName>@<AccountAlias> format. Example: username@company-alias.
    • Logon method 3: Use the domain alias. The logon name of the RAM user follows the <UserName>@<DomainAlias> format. Example: username@example.com.
  3. Enter the logon password and click Log On.
  4. Optional. If you enable multi-factor authentication (MFA), enter the verification code that is provided by the virtual MFA device or configure settings to pass the Universal 2nd Factor (U2F) authentication.

Use the AccessKey pair of the RAM user to call an API operation

When you call an API operation, specify the AccessKey ID and the AccessKey secret of the RAM user in the code.
