You can use Resource Access Management (RAM) to grant different permissions to different RAM users as required. Only RAM users that are granted required permissions can manage resources in the Function Compute console. You can also prevent security risks caused by exposing the AccessKey pair of the Alibaba Cloud account. This topic describes how to grant permissions to a RAM user by using an Alibaba Cloud account.

Scenario

Enterprise A has activated Function Compute and requires employees to manage Function Compute resources, such as creating and deleting services and functions. Employees with different roles require different permissions. Enterprise A has the following requirements:
  • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to the employees. Instead, Enterprise A wants to create different RAM users for the employees and grant different permissions to the RAM users.
  • A RAM user can manage resources only under authorization. Resource usage and costs are not separately calculated for the RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
  • Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.

Procedure

  1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM user.
    1. Log on to the RAM console by using the Alibaba Cloud account.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, click Create User.
    4. On the Create User page, set the Logon Name and Display Name parameters in the User Account Information section.
      Note You can click Add User to create multiple RAM users at a time.
    5. In the Access Mode section, select an access mode.
      • Console Access: Set the Console Password, Password Reset, and Multi-factor Authentication parameters.
        Note If you select Custom Logon Password as Console Password, the password that you enter must meet password requirements. For more information, see Configure a password policy for RAM users.
      • Programmatic Access: If you select this access mode, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
      Note To ensure the security of the Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
    6. Click OK.
  2. Grant permissions to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    3. In the Add Permissions panel, grant permissions to the RAM user.
      1. Select the authorization scope.
        • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
        • Specific Resource Group: The authorization takes effect on a specific resource group.
        Note If you select Specific Resource Group as the authorization scope, make sure that the Alibaba Cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
      2. Specify the principal.

        The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.

      3. Select policies.
        Attach policies to the RAM user as required.
        • System policies: the policies that are created by Alibaba Cloud. You can use these policies, but cannot modify them. Alibaba Cloud maintains the version updates of the policies.
          For example, if the RAM user requires the permissions to manage Function Compute, you can perform the following steps to attach the required policy to the RAM user:
          1. On the System Policy tab, enter AliyunFCFullAccess in the Enter a policy name field.
          2. Click AliyunFCFullAccess in the Authorization Policy Name column. Then, click OK.
        • Custom policies: the policies that you can create, update, and delete. You maintain the version updates of these policies.
          For example, if the RAM user requires the permissions to create and query services in Function Compute and create and invoke functions, you can perform the following steps to attach a custom policy to the RAM user:
          1. Create a policy.
            1. In the left-side navigation pane, choose Permissions > Policies.
            2. On the Policies page, click Create Policy.
            3. On the Create Custom Policy page, set the parameters. For more information, see Policies and sample custom policies.
              The following part describes the parameters:
              • Policy Name: Enter a custom policy name.
              • Configuration Mode: Select Script. The following policy can be used to grant the permissions to create and query services in Function Compute and create and invoke functions:
                {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:CreateService",
                "fc:GetService",
                "fc:CreateFunction",
                "fc:GetFunction",
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions",
                "fc:ListServiceVersions",
                "fc:GetResourceTags",
                "fc:ListServiceVersions",
                "fc:ListAliases",
                "fc:ListTriggers",
                "fc:GetFunctionAsyncInvokeConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
            4. Click OK.
          2. Attach the policy.
            1. In the left-side navigation pane, click Users.
            2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
            3. In the Select Policy section of the Add Permissions panel, click the Custom Policy tab.
            4. On the Custom Policy tab, click the name of the policy in the Authorization Policy Name column.
            5. Click OK.
        Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, attach the policies in batches.
    4. Click Complete.

What to do next

After the RAM user is created by using the Alibaba Cloud account, Enterprise A can allocate the logon name and password or AccessKey pair of the RAM user to an employee. The employee can use the RAM user to log on to the console or call an API operation of the service by performing the following steps:

  • Console
    1. Open the RAM Account Login page in a browser.
    2. On the RAM Account Login page, enter the name of the RAM user, click Next, enter the password, and then click Log On.
    Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the alias of the RAM user. If no alias is set, use the ID of the Alibaba Cloud account.
  • API

    To use the AccessKey pair of the RAM user to call an API operation, you can specify the AccessKey ID and AccessKey secret of the RAM user in the code to make an API request to access Function Compute.