To ensure the security of project data, we recommend that you create a Resource Access
Management (RAM) user and assign the credentials of the RAM user to other members
who participate in a MaxCompute project. This helps strictly control the permissions
of the personnel who participate in the MaxCompute project. This topic describes how
to create a RAM user.
Usage notes
- RAM users belong to your Alibaba Cloud account. They do not own resources and are
not separately charged.
- All the fees incurred by the RAM users must be paid by your Alibaba Cloud account.
Step 1: Create a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
  Note: You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select Console Access.
  - Console Access: If you select this option, you must complete the logon security settings. These
    settings specify whether to use a system-generated or custom logon password, whether
    the password must be reset upon the next logon, and whether to enable multi-factor
    authentication (MFA).
  - API Call-based Access: If you select this option, an AccessKey pair is automatically created for the RAM
    user. The RAM user can call API operations or use other development tools to access
    Alibaba Cloud resources.
- Click OK.
- On the Create User page, click Download CSV File or find an existing RAM user and click Copy in the Actions column to save the logon username and password of the RAM user.
Step 2: Create an AccessKey pair
Note:
  - If you grant the RAM user the permission to manage an AccessKey pair, the RAM user
    can create an AccessKey pair in the RAM console. For more information about how to
    create an AccessKey pair, see Configure security policies for RAM users.
  - You can create a maximum of two AccessKey pairs for a RAM user.
- In the left-side navigation pane, choose .
- On the Users page, find the specific RAM user and click its name.
- In the User AccessKeys section, click Create AccessKey.
- In the Create AccessKey dialog box, view the AccessKey ID and AccessKey secret.
  You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.
- Click Close.
  You can also view the status of the created AccessKey pair in the
  User AccessKeys section, and disable or delete the AccessKey pair.
Notice:
  - To ensure the security of the AccessKey pair, we recommend that you do not share this
    information with others. If your AccessKey pair is at risk of being leaked, disable
    or update it immediately.
  - The AccessKey pair is displayed only when you create it and cannot be queried
    afterward. We recommend that you record the AccessKey pair and keep it confidential
    for subsequent use.
  - After you disable an AccessKey pair, the service that uses the AccessKey pair fails
    to run and an error is reported. Proceed with caution when you perform this operation.
    If the status of the AccessKey pair changes, check the status of the services that
    use the AccessKey pair in a timely manner.
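The Notice above interacts with the limit of two AccessKey pairs per RAM user: whether a replacement key can be put into service before the old one is disabled depends on whether the second slot is free. The following Python sketch is an added example, not part of the original documentation; the step ordering is one reasonable assumption, the action names are hypothetical labels, and the key IDs are constructed sample data.

```python
# Added example: plan the replacement of an exposed AccessKey pair for one RAM user.
# Key IDs and statuses are constructed sample data, not output of the RAM API.
MAX_KEYS = 2  # the page states a RAM user can hold at most two AccessKey pairs


def plan_replacement(keys, exposed_id):
    """Return ordered (action, key_id) steps to replace the key `exposed_id`.

    keys: list of {"id": str, "status": "Active" or "Inactive"} for one RAM user.
    "NEW" stands for the key that the create step will produce.
    """
    if len(keys) > MAX_KEYS:
        raise ValueError("inventory lists more keys than RAM allows")
    target = next((k for k in keys if k["id"] == exposed_id), None)
    if target is None:
        raise ValueError(f"{exposed_id} does not belong to this user")
    if target["status"] == "Inactive":
        # Already disabled, so requests signed with it already fail.
        return [("delete", exposed_id)]

    steps = []
    other = next((k for k in keys if k["id"] != exposed_id), None)
    if other is not None and other["status"] == "Inactive":
        # A disabled key only occupies the second slot; remove it first.
        steps.append(("delete", other["id"]))
        other = None

    if other is None:
        # Free slot: bring the new key into service before disabling the old
        # one, so that dependent services do not fail when it is disabled.
        steps += [("create", "NEW"), ("repoint-services", "NEW"),
                  ("disable", exposed_id), ("check-services", exposed_id),
                  ("delete", exposed_id)]
    else:
        # Both slots hold Active keys: no overlap is possible, so services
        # on the exposed key are down from "disable" until they are repointed.
        steps += [("disable", exposed_id), ("delete", exposed_id),
                  ("create", "NEW"), ("repoint-services", "NEW"),
                  ("check-services", "NEW")]
    return steps


if __name__ == "__main__":
    sample = [{"id": "AK-EXAMPLE-1", "status": "Active"},
              {"id": "AK-EXAMPLE-2", "status": "Inactive"}]
    for action, key_id in plan_replacement(sample, "AK-EXAMPLE-1"):
        print(f"{action:17} {key_id}")
```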
Step 3: (Optional) Grant permissions to RAM users
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
  - Select the authorization scope.
    - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
    - Specific Resource Group: The authorization takes effect on a specific resource group.
  - Specify the principal.
    The principal is the RAM user to which permissions are to be granted. By default,
    the current RAM user is specified. You can also specify another RAM user.
  - Select policies.
    Note: You can attach a maximum of five policies to a RAM user at a time. If you need to
    attach more than five policies to a RAM user, perform the operation multiple times.
    - In the Authorization Policy Name column, click the AliyunDataWorksFullAccess policy to add this policy to the list of selected policies.
    Note: If the RAM user needs to activate MaxCompute later, the Alibaba Cloud account must
    attach the AliyunBSSOrderAccess policy to the RAM user.
- Click OK.
- Click Complete.
Step 4: Assign the credentials of the RAM user to other users
To assign the credentials of the RAM user to other users, you must provide the following
information of the RAM user to each user:
- RAM user logon link
  Log on to the RAM console. In the Account Management section in the upper-right corner of the Overview page, the URL under RAM user logon is the logon link of the RAM user.
- Domain name of the Alibaba Cloud account to which the RAM user belongs
  Log on to the RAM console. In the left-side navigation pane, click Settings under Identities. On the Settings page, click the Advanced tab. Then, you can view Default Domain and Domain Alias.
- The account and password of the RAM user, which are the logon username and password
of the RAM user in Step 1.
- The AccessKey pair of the RAM user, which is the AccessKey pair created in Step 2.
What to do next
After the RAM user is created, you can activate MaxCompute. For more information,
see Activate MaxCompute and DataWorks.