Create a RAM user - MaxCompute - Alibaba Cloud Documentation Center

To ensure the security of project data, we recommend that you create Resource Access Management (RAM) users and assign their credentials to other members who participate in MaxCompute projects. This helps strictly control the permissions of personnel who participate in MaxCompute projects. This topic describes how to create a RAM user.

Prerequisites

An Alibaba Cloud account is created.

For more information, see Prepare an Alibaba Cloud account.

Precautions

RAM users belong to your Alibaba Cloud account. They do not own resources and are not separately charged.
All fees incurred by RAM users must be paid by your Alibaba Cloud account.

Procedure

Step 1: Create a RAM user
Create a RAM user using your Alibaba Cloud account. For more information, see RAM.
Step 2: Create an AccessKey pair
Create an AccessKey pair for the RAM user using your Alibaba Cloud account. This ensures that jobs submitted by the RAM user can run normally.
Step 3 (Optional): Grant permissions to the RAM user
- To allow the RAM user to create projects in DataWorks, you must attach the AliyunDataWorksFullAccess policy to the RAM user using your Alibaba Cloud account.
- To allow the RAM user to manage projects and quotas in the MaxCompute V2.0 console, you must attach the AliyunMaxComputeFullAccess policy or custom RAM policies to the RAM user using your Alibaba Cloud account. For more information, see RAM permissions.
Step 4: Assign the credentials of the RAM user to another user
Assign the credentials of the created RAM user to other users.

Step 1: Create a RAM user

Log on to the RAM console using your Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
- Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
- Display Name: The display name can be up to 128 characters in length.
- Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note
You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select Console Access.
- Console Access: The user can log on to the console using a username and password.
- Using Permanent AccessKey To Access: An AccessKey ID and AccessKey secret are created for the user. The user can call API operations or use development tools to access Alibaba Cloud resources.
Click OK.
On the User Information page, click Download CSV File or find an existing RAM user and click Copy in the Actions column to save the logon username and password of the RAM user.

Step 2: Create an AccessKey pair

Note

If you grant the RAM user permission to manage AccessKey pairs, the RAM user can create AccessKey pairs in the RAM console. For more information about how to create an AccessKey pair, see Manage security settings for RAM users.
You can create a maximum of two AccessKey pairs for a RAM user.

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click the username of the RAM user that you want to manage.
In the AccessKey section of the Authentication tab, click Create AccessKey.
Read the suggestion for each scenario and select a credential solution based on your business requirements. If you must create an AccessKey pair, select a scenario, select I confirm that it is necessary to create an AccessKey, and then click Continue. The created AccessKey pair can be used in all scenarios.
In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret and click OK.
An AccessKey pair-based policy for network access control can allow specific source IP addresses to use a specific AccessKey pair to call API operations. This way, only source IP addresses from a trusted network can use the AccessKey pair, enhancing the AccessKey pair security. We recommend that you click Set Network Access Control Policy to configure an AccessKey pair-based network access control policy for your trusted network. For more information, see Configure AccessKey pair-level policies for network access control for a RAM user.

Step 3 (Optional): Grant permissions to the RAM user

In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
1. Configure the Resource Scope parameter.
  - Account: The authorization takes effect on the current Alibaba Cloud account.
  - ResourceGroup: The authorization takes effect on a specific resource group.
    Important
    If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Configure the Principal parameter.
  The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
3. Configure the Policy parameter.
  A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
  - System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
    Note
    The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
  - Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
4. Click Grant permissions.
Click the AliyunDataWorksFullAccess policy in the Authorization Policy Name column to add this permission to the list of selected permissions.
Note
If the RAM user needs to activate MaxCompute later, the Alibaba Cloud account must attach the AliyunBSSOrderAccess policy to the RAM user.
Click OK.
Click Close.

Step 4: Assign the credentials of the RAM user to another user

To assign the credentials of the RAM user to another user, you must provide the following information of the RAM user to the user:

The account information of the RAM user.
- The account and password of the RAM user, which are the logon username and password of the RAM user saved in Step 1.
- The AccessKey ID and AccessKey secret of the RAM user, which is the AccessKey pair created in Step 2.
The logon method and logon URL of the RAM user.
A RAM user can log on to the Alibaba Cloud Management Console by entering the account information in the common logon URL or logon portal for a RAM user. You can provide the logon URL to other RAM users as needed. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Domain name of the Alibaba Cloud account to which the RAM user belongs
Log on to the RAM console. In the navigation pane on the left, click Settings. On the Settings page, you can view the default domain name in the Account Domain section.

What to do next

After you prepare the RAM user, you can activate MaxCompute. For more information, see Activate MaxCompute and DataWorks.