Key Management Service: Create an AccessKey

Last Updated: Jan 04, 2025

This topic explains how to create an AccessKey pair for a RAM user or an Alibaba Cloud account.

What is an AccessKey

An AccessKey pair is a set of permanent access credentials provided by Alibaba Cloud to a user, consisting of an AccessKey ID and an AccessKey secret.

  • AccessKey ID: Identifies the user.

  • AccessKey secret: The password that verifies the user's identity.

Resource Access Management (RAM) generates the AccessKey ID and AccessKey secret using algorithms, and Alibaba Cloud encrypts them for storage and transmission.

An AccessKey pair cannot be used to log on to the console. For programmatic access to Alibaba Cloud through APIs, the CLI, SDKs, or Terraform, each request carries the AccessKey ID and a signature created with the AccessKey secret, which authenticates the caller and validates that the request is genuine.
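The following added example (not from the original page or from Alibaba Cloud code) shows why the AccessKey secret never travels in a request: the client sends only the AccessKey ID and an HMAC signature, and the server recomputes the signature from its stored copy of the secret. The string-to-sign layout, the HMAC-SHA1 choice, the parameter names and the sample values are assumptions for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # RFC 3986 encoding: only unreserved characters (A-Z a-z 0-9 - _ . ~) stay literal.
    return quote(str(value), safe="-_.~")


def sign(params: dict, secret: str, method: str = "GET") -> str:
    """Return the Base64 HMAC-SHA1 signature over the sorted, encoded parameters."""
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    string_to_sign = f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"
    key = (secret + "&").encode()  # assumed key derivation: secret followed by "&"
    digest = hmac.new(key, string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(params: dict, access_key_id: str, secret: str) -> dict:
    """Client side: attach the AccessKey ID and the signature, never the secret."""
    signed = dict(params, AccessKeyId=access_key_id)
    signed["Signature"] = sign(signed, secret)
    return signed


def verify_request(request: dict, secret_lookup: dict) -> bool:
    """Server side: find the secret by AccessKey ID and recompute the signature."""
    secret = secret_lookup.get(request.get("AccessKeyId"))
    if secret is None or "Signature" not in request:
        return False
    unsigned = {k: v for k, v in request.items() if k != "Signature"}
    return hmac.compare_digest(sign(unsigned, secret), request["Signature"])


# Constructed sample values; not real credentials.
KEY_ID = "LTAI-EXAMPLE-KEY-ID"
SECRET = "example-secret-do-not-use"
REQUEST = build_request(
    {"Action": "ListUsers", "Timestamp": "2025-01-04T00:00:00Z", "SignatureNonce": "n-1"},
    KEY_ID, SECRET,
)

if __name__ == "__main__":
    print("valid:", verify_request(REQUEST, {KEY_ID: SECRET}))
```

Because the signature covers every parameter, changing any value after signing makes verification fail, and anyone who obtains the secret can sign arbitrary requests as that user.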

AccessKey best practices

AccessKey pairs are long-term credentials for programmatic access and pose a security risk if leaked.

  • We strongly advise against creating an AccessKey pair for an Alibaba Cloud account. By default, an Alibaba Cloud account is an administrator with the authority to manage all of its resources, and its permissions cannot be altered. If its AccessKey pair is compromised, all resources of the account are at risk. Instead, create a RAM user with API access mode enabled, generate an AccessKey pair for that user, and grant the user only the necessary permissions in accordance with the principle of least privilege.

  • Limit the creation of permanent AccessKey pairs. Prefer temporary credentials in the form of Security Token Service (STS) tokens to reduce the risk of leaks.

  • Keep the AccessKey ID and AccessKey secret confidential and do not share or record them in public documents.

  • Avoid storing plaintext AccessKey information in code.

  • Disable the AccessKey when it is no longer needed.

  • Regularly rotate the AccessKey to enhance security.

  • Grant only the necessary minimum permissions to the RAM user.

For more information, see the referenced document.
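One way to check the "no plaintext AccessKey in code" practice, as an added example that is not part of the original page: a small scanner that flags hard-coded AccessKey IDs and secrets in source text and redacts what it reports. The `LTAI` ID prefix and the 30-character secret length are assumptions about the key format, and the sample source is constructed.

```python
import re

# Assumed formats: AccessKey IDs start with "LTAI"; the secret is matched
# heuristically as a 30-character token assigned to a secret-like name.
ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
SECRET_RE = re.compile(
    r"(access_?key_?secret|secret)\w*\s*[:=]\s*[\"']([A-Za-z0-9]{30})[\"']",
    re.IGNORECASE,
)


def redact(token: str, keep: int) -> str:
    # Show at most a short prefix so the key can be located, never the whole value.
    return token[:keep] + "*" * (len(token) - keep)


def scan(source: str):
    """Return (line_number, kind, redacted_value) for each plaintext credential."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in ID_RE.finditer(line):
            findings.append((number, "access_key_id", redact(match.group(), 8)))
        for match in SECRET_RE.finditer(line):
            findings.append((number, "access_key_secret", redact(match.group(2), 0)))
    return findings


# Constructed sample: lines 2-3 hard-code a (fake) key pair, lines 4-5 read
# the same values from environment variables and must not be flagged.
SAMPLE = '''\
import os
access_key_id = "LTAIexample0000000000000"
access_key_secret = "EXAMPLEsecretEXAMPLEsecret0000"
safe_id = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
safe_secret = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A key found this way should be treated as leaked: disable it and rotate, rather than only removing it from the file.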

Create an AccessKey for a RAM user

Prerequisites

To create an AccessKey pair for a RAM user, you can use:

  • An Alibaba Cloud account.

  • A RAM administrator with the AliyunRAMFullAccess policy attached.

  • A RAM user granted permissions to manage AccessKey pairs. For details on setting up self-management of AccessKey pairs, see Manage RAM user security settings.

Limits

  • The AccessKey secret for a RAM user is only displayed after creation and cannot be retrieved later. Record and keep it confidential to prevent leaks.

  • A maximum of two AccessKey pairs can be created for a RAM user.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, click Identity Management > Users.

  3. On the Users page, click the name of the desired RAM user.

  4. On the Authentication Management tab, in the AccessKey section, click Create AccessKey.

  5. Select the most suitable credential solution for your usage scenario. If creating an AccessKey pair is necessary, select I Confirm That I Must Create An AccessKey and then click Continue To Create.

  6. In the Create AccessKey dialog box, make sure to save the AccessKey ID and AccessKey Secret. Then, click OK.

Create an AccessKey for an Alibaba Cloud account

Limits

  • The AccessKey secret for an Alibaba Cloud account is only displayed after creation and cannot be retrieved later. Record and keep it confidential to prevent leaks.

  • A maximum of five AccessKey pairs can be created for an Alibaba Cloud account.

Procedure

  1. Log on to the Alibaba Cloud Management Console using an Alibaba Cloud account.

  2. Hover over the account icon in the upper-right corner and click AccessKey.

  3. In the Not Recommended To Use Cloud Account AccessKey dialog box, acknowledge the security risks of creating an AccessKey for the primary account. If necessary, select I Confirm That I Am Aware Of The Security Risks Of The Cloud Account AccessKey, and then click Continue To Use The Cloud Account AccessKey.

  4. On the AccessKey page, click Create AccessKey.

  5. In the Create Cloud Account AccessKey dialog box, review the risks and usage limits of creating an AccessKey for the primary account. If you decide to proceed, select I Confirm That I Am Aware Of The Security Risks Of The Cloud Account AccessKey, and then click Continue To Use The Cloud Account AccessKey.

  6. In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, select I Have Saved The AccessKey Secret, and click OK.
