Resource Access Management (RAM) allows you to manage the permissions of your Alibaba Cloud account and its RAM users separately, and grant different permissions to the RAM users. Only RAM users that are granted the required permissions can manage resources in the Function Compute console. This prevents security risks that are caused if the AccessKey pair of your Alibaba Cloud account is disclosed. This topic describes how to create a RAM user and grant permissions to the RAM user by using an Alibaba Cloud account.
Scenarios
- For security purposes, Enterprise A does not want to disclose the AccessKey pair of the Alibaba Cloud account to the employees. Enterprise A prefers to create different RAM users for the employees and grant different permissions to the RAM users.
- Only RAM users who are granted permissions can manage resources. Resource usage and costs are not calculated separately for each RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
- Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.
Step 1: Use the Alibaba Cloud account of Enterprise A to create RAM users for employees
Step 2: Grant permissions to the RAM users
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Click OK.
- Click Complete.
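The check below is an added example, not part of the original topic or Alibaba Cloud's own code. Before a custom policy is attached in the Add Permissions panel, it flags Allow statements that use wildcard actions or resources, so that each RAM user receives only the permissions it needs. The sample policies, action names, resource ARN and the lint_policy helper are constructed for illustration.

```python
import json

# Constructed sample policies in RAM policy document syntax (Version "1").
# Action names and the resource ARN are illustrative assumptions.
BROAD_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "fc:*", "Resource": "*"}]}
""")

SCOPED_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["fc:GetFunction", "fc:InvokeFunction"],
   "Resource": "acs:fc:cn-hangzhou:<account-id>:services/demo-service/functions/*"
 }]}
""")


def _as_list(value):
    """Action/Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return findings for Allow statements that are broader than needed."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "action", "all actions on all services"))
            elif action.endswith(":*"):
                findings.append((idx, "action", f"every action of {action[:-2]}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "resource", "applies to every resource"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```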
What to do next
After the RAM user is created by using the Alibaba Cloud account, Enterprise A can allocate the username and password or AccessKey pair of the RAM user to an employee. The employee can use the RAM user to log on to the console or call API operations by performing the following steps:
- Console
  - Open the RAM Account Login page in a browser.
  - On the RAM Account Login page, enter the name of the RAM user, click Next, enter the password, and then click Log On.
    Note: The name of the RAM user is in the <$username>@<$AccountAlias> format or the <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the alias of the RAM user. If no alias is set, use the ID of the Alibaba Cloud account.
- API
  Use the AccessKey ID and AccessKey secret of the RAM user in the code to make an API request to access Function Compute.