This topic describes how to create a Resource Access Management (RAM) user and grant
the permissions on Express Connect to the RAM user. To ensure data security, we recommend
that you follow the principle of least privilege (PoLP) when you grant permissions
to a RAM user.
Background information
Policies include system policies and custom policies. Before you manage the Express
Connect permissions of a RAM user, take note of the following system policies.
Policy name | Description | Scenario
--- | --- | ---
AliyunExpressConnectFullAccess | Permissions to manage Express Connect. | RAM users can log on to the Express Connect console and perform all operations in the console. RAM users can call all API operations of Express Connect.
AliyunExpressConnectReadOnlyAccess | Read-only permissions on Express Connect. | RAM users can log on to the Express Connect console and view all pages in the console. However, RAM users cannot perform add, create, or delete operations. RAM users can call the query API operations of Express Connect.
If the system policies cannot meet your business requirements, you can create custom
policies. For more information, see Create a custom policy.
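As an added example that is not part of this topic, the following Python snippet builds a least-privilege custom policy in the RAM policy JSON format and lints a policy document for wildcard grants that defeat PoLP. The Express Connect action names used here are assumptions, so verify them against the Express Connect RAM authorization reference before you use them.

```python
import re

# Constructed example (not from the page): a custom RAM policy that grants
# only the read operations an Express Connect operator needs. Action names
# are assumed to follow the "<service>:<Operation>" RAM convention; verify
# them against the Express Connect RAM authorization reference before use.
LEAST_PRIVILEGE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["vpc:DescribePhysicalConnections",
                   "vpc:DescribeVirtualBorderRouters"],
        "Resource": "*",
    }],
}

# Constructed counter-example: Allow "*" on every resource is the broadest
# grant possible and defeats the principle of least privilege.
OVERLY_BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

READ_ONLY_PREFIX = re.compile(r"^[^:]+:(Describe|List|Get)")


def _as_list(value):
    """RAM allows Action/Resource as a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return least-privilege findings for a RAM policy document.

    Every Allow statement is checked for a bare "*" action, a service-wide
    wildcard such as "vpc:*", and wildcards that are not limited to
    Describe/List/Get read operations (for example "vpc:Create*").
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API of every service")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: '{action}' grants every API of one service")
            elif "*" in action and not READ_ONLY_PREFIX.match(action):
                findings.append(f"statement {i}: wildcard '{action}' may cover write operations")
    return findings
```

Run `policy_findings` over a policy before you paste it into the RAM console; an empty list means no wildcard grant was found, not that every listed action is necessary.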
Step 1: Create a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
Note You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select an access mode.
  - Console Access: If you select Console Access, configure the console logon password, password reset policies, and multi-factor authentication (MFA) policies.
    Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
  - OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
  Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the employee who uses the RAM user cannot use an AccessKey pair to access Alibaba Cloud resources after the employee leaves the organization.
- Click OK.
Step 2: Grant permissions to the RAM user
Method 1: Grant permissions to the RAM user on the Users page
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user that you want to manage and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
  - Select the authorization scope.
    - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
    - Specific Resource Group: The authorization takes effect in a specific resource group.
      Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
  - Specify the principal.
    The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
  - Select a policy.
    - You can select AliyunExpressConnectFullAccess or AliyunExpressConnectReadOnlyAccess. If the system policies for Express Connect in the RAM console cannot meet your business requirements, you can create custom policies. For more information about how to create custom policies, see Create a custom policy.
    - You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK. Then, click Complete.
Method 2: Grant permissions to a RAM user on the Grants page
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Grants page, click Grant Permission.
- In the Grant Permission panel, grant permissions to the RAM user.
  - Select the authorization scope.
    - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
    - Specific Resource Group: The authorization takes effect in a specific resource group.
      Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
  - Specify the principal.
    The principal is the RAM user to which permissions are to be granted.
  - Select a policy.
    - You can select AliyunExpressConnectFullAccess or AliyunExpressConnectReadOnlyAccess. If the system policies for Express Connect in the RAM console cannot meet your business requirements, you can create custom policies. For more information about how to create custom policies, see Create a custom policy.
    - You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK. Then, click Complete.
Step 3: Use the RAM user to log on to the console or call an API operation
After you create a RAM user by using an Alibaba Cloud account, you can share the logon
name and password or the AccessKey pair of the RAM user with other users. The users
can perform the following steps to log on to the Alibaba Cloud console or call an
API operation as the RAM user.
Log on to the Alibaba Cloud console
- Log on to the Alibaba Cloud Management Console as a RAM user.
- On the RAM User Logon page, enter the username of the RAM user and click Next.
  - Logon method 1: Use the default domain name. The logon name of the RAM user follows the <UserName>@<AccountAlias>.onaliyun.com format. Example: username@company-alias.onaliyun.com.
  - Logon method 2: Use the account alias. The logon name of the RAM user follows the <UserName>@<AccountAlias> format. Example: username@company-alias.
  - Logon method 3: Use the domain alias. The logon name of the RAM user follows the <UserName>@<DomainAlias> format. Example: username@example.com.
- Enter the logon password and click Log On.
- Optional. If you enable multi-factor authentication (MFA), enter the verification code that is provided by the virtual MFA device or configure settings to pass the Universal 2nd Factor (U2F) authentication.
Use the AccessKey pair of the RAM user to call an API operation
When you call an API operation, specify the AccessKey ID and the AccessKey secret
of the RAM user in the code.