To ensure the security of project data, we recommend that you create a Resource Access Management (RAM) user and assign the credentials of the RAM user to other members who participate in a MaxCompute project. This helps strictly control the permissions of the personnel who participate in the MaxCompute project. This topic describes how to create a RAM user.

Prerequisites

An Alibaba Cloud account is created.

For more information about how to create an Alibaba Cloud account, see Create an Alibaba Cloud account.

Usage notes

  • RAM users belong to your Alibaba Cloud account. They do not own resources and are not separately charged.
  • All the fees incurred by the RAM users must be paid by your Alibaba Cloud account.

Procedure

  1. Step 1: Create a RAM user

    Create a RAM user by using your Alibaba Cloud account. For more information, see RAM.

  2. Step 2: Create an AccessKey pair

    Create an AccessKey pair for the RAM user by using your Alibaba Cloud account. This ensures that the jobs submitted by the RAM user run normally.

  3. Step 3: (Optional) Grant permissions to RAM users

    To allow the RAM user to create projects in DataWorks, you must attach the AliyunDataWorksFullAccess policy to the RAM user by using your Alibaba Cloud account.

  4. Step 4: Assign the credentials of the RAM user to other users

    Assign the credentials of the created RAM user to other users.

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select Console Access.
    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
    • API Call-based Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
  6. Click OK.
  7. To save the logon username and password of the RAM user, click Download CSV File on the Create User page, or find an existing RAM user and click Copy in the Actions column.

Step 2: Create an AccessKey pair

Note
  • If you grant the RAM user the permission to manage an AccessKey pair, the RAM user can create an AccessKey pair in the RAM console. For more information about how to create an AccessKey pair, see Configure security policies for RAM users.
  • You can create a maximum of two AccessKey pairs for a RAM user.

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the specific RAM user and click its name.
  3. In the User AccessKeys section, click Create AccessKey.
  4. In the Create AccessKey dialog box, view the AccessKey ID and AccessKey secret.
    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.
  5. Click Close.
    You can also view the status of the created AccessKey pair in the User AccessKeys section, and disable or delete the AccessKey pair.
    Notice
    • To ensure the security of the AccessKey pair, we recommend that you do not share this information with others. If your AccessKey pair may have been leaked, disable or update it immediately.
    • The AccessKey pair is displayed only when you create it and cannot be queried afterward. We recommend that you record the AccessKey pair and keep it confidential for subsequent use.
    • After you disable an AccessKey pair, the service that uses the AccessKey pair fails to run and an error is reported. Proceed with caution when you perform this operation. If the status of the AccessKey pair changes, check the status of the services that use the AccessKey pair in a timely manner.
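
The notes above (at most two AccessKey pairs per RAM user, disable a leaked pair immediately, disabling breaks the services that use the pair) determine the order in which a pair can be replaced. The following planner is an added example, not Alibaba Cloud code, and also covers routine rotation. It only returns the ordered steps and calls no API. The key IDs are constructed, and SwitchServices and CheckServices are manual steps named for this example.

```python
MAX_KEYS = 2  # limit stated above: at most two AccessKey pairs per RAM user

# Constructed sample: the AccessKey entries of a ListAccessKeys response.
SAMPLE_KEYS = [{"AccessKeyId": "LTAI-EXAMPLE-OLD", "Status": "Active"},
               {"AccessKeyId": "LTAI-EXAMPLE-IDLE", "Status": "Inactive"}]


def plan_rotation(keys, old_id, leaked=False):
    """Return ordered (step, key_id) tuples that replace AccessKey old_id.

    Steps are RAM API operations, except the manual SwitchServices and
    CheckServices, which are named for this example only.
    """
    if len(keys) > MAX_KEYS:
        raise ValueError("a RAM user cannot hold more than two AccessKey pairs")
    old = next((k for k in keys if k["AccessKeyId"] == old_id), None)
    if old is None:
        raise ValueError(f"{old_id} is not one of this user's AccessKey pairs")
    others = [k for k in keys if k["AccessKeyId"] != old_id]

    disable = ([("UpdateAccessKey Status=Inactive", old_id)]
               if old["Status"] == "Active" else [])
    delete_old = [("DeleteAccessKey", old_id)]
    create = [("CreateAccessKey", None), ("SwitchServices", None)]
    check = [("CheckServices", None)]
    free_slot, slot_needs_old = [], False
    if others:  # both slots are taken, so one must be freed before creating
        other = others[0]
        if other["Status"] == "Inactive":
            # A disabled pair serves no running job, so it can go first.
            free_slot = [("DeleteAccessKey", other["AccessKeyId"])]
        elif leaked:
            slot_needs_old = True  # only the exposed pair itself can give way
        else:
            raise ValueError("both pairs are active: retire one before rotating")

    if leaked:
        # Cut off the exposed secret first; jobs fail until they are switched.
        if slot_needs_old:
            return disable + delete_old + create + check
        return disable + free_slot + create + check + delete_old
    # Routine rotation: the new pair is in service before the old one is
    # disabled, and the old one is deleted only after services are checked.
    return free_slot + create + disable + check + delete_old


if __name__ == "__main__":
    for step in plan_rotation(SAMPLE_KEYS, "LTAI-EXAMPLE-OLD"):
        print(step)
```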

Step 3: (Optional) Grant permissions to RAM users

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  3. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  4. In the Authorization Policy Name column, click the AliyunDataWorksFullAccess policy to add this policy to the list of selected policies.
    Note If the RAM user needs to activate MaxCompute later, the Alibaba Cloud account must attach the AliyunBSSOrderAccess policy to the RAM user.
  5. Click OK.
  6. Click Complete.

Step 4: Assign the credentials of the RAM user to other users

To assign the credentials of the RAM user to other users, you must provide the following information about the RAM user to each user:
  • RAM user logon link

    Log on to the RAM console. In the Account Management section in the upper-right corner of the Overview page, the URL under RAM user logon is the logon link of the RAM user.

  • Domain name of the Alibaba Cloud account to which the RAM user belongs

    Log on to the RAM console. In the left-side navigation pane, click Settings under Identities. On the Settings page, click the Advanced tab. Then, you can view Default Domain and Domain Alias.

  • The account and password of the RAM user, which are the logon username and password of the RAM user in Step 1.
  • The AccessKey pair of the RAM user, which is the AccessKey pair created in Step 2.

What to do next

After the RAM user is created, you can activate MaxCompute. For more information, see Activate MaxCompute and DataWorks.