Resource Access Management (RAM) allows you to manage the permissions of your Alibaba Cloud account and its RAM users separately. You can grant different permissions to different RAM users to avoid security risks caused by disclosure of the AccessKey pair of your Alibaba Cloud account.

Background information

Enterprise A has activated Message Queue for Apache Kafka and wants to grant its employees, who have different duties, different permissions to perform operations on Message Queue for Apache Kafka resources such as instances, topics, and consumer groups. Enterprise A has the following requirements:

  • For security purposes, the enterprise does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, it prefers to create different RAM users for employees and grant different permissions to these RAM users.
  • Only RAM users who are granted permissions can manage resources. Resource usage and costs are not calculated separately for each RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
  • Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.

Step 1: Create RAM users

Enterprise A uses its Alibaba Cloud account to log on to the RAM console and create RAM users.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of the Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Step 2: Grant permissions to RAM users

Enterprise A grants different permissions to different RAM users.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, click System Policy or Custom Policy. In the search box, enter the keyword of the name of the policy that you want to attach to the RAM user. Find the policy from the displayed policies, click it to add it to the Selected list, and then click OK.
    Note For more information about the policies that grant RAM users the permissions to access Message Queue for Apache Kafka, see RAM policies.
  5. In the Add Permissions panel, check the authorization information and click Complete.
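The policy attached in step 4 decides what the RAM user can do, so an over-broad custom policy should be caught before it is attached. As an added example that is not part of this page or of Alibaba Cloud's own tooling, the following Python checker flags Allow statements that use wildcard actions or resources in a RAM policy document; the `alikafka` service code, the action names and the resource string in the constructed samples are assumptions used for illustration.

```python
import json

# Constructed sample policies in Alibaba Cloud RAM policy format (Version "1").
# The "alikafka" service code, action names and resource string are assumptions.
SAMPLE_POLICIES = {
    "too-broad": {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "service-wide": {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": ["alikafka:*"], "Resource": "*"}],
    },
    "scoped": {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["alikafka:GetInstanceList"],  # assumed action name
                "Resource": ["acs:alikafka:*:*:*"],      # assumed resource format
            },
            # An explicit Deny only narrows access and is not flagged.
            {"Effect": "Deny", "Action": ["alikafka:DeleteInstance"], "Resource": "*"},
        ],
    },
}

def _as_list(value):
    """RAM allows Action/Resource as a single string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API of every service"))
        else:
            findings.extend((i, f"service-wide wildcard {a}") for a in actions if a.endswith(":*"))
        if "*" in resources:
            findings.append((i, "Resource '*' is not scoped to specific resources"))
    return findings

def review_policy_json(text):
    """Convenience wrapper for a policy document pasted as JSON text."""
    return review_policy(json.loads(text))

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, review_policy(policy) or "OK")
```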

What to do next

Employees of Enterprise A can use RAM users to access Message Queue for Apache Kafka by using the following methods:

  • Console
    1. Open the RAM User Logon page in a browser.
    2. On the RAM User Logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Log On.
      Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the alias of the RAM user. If no alias is set, use the ID of the Alibaba Cloud account.
  • API
    Use the AccessKey ID and AccessKey secret of the RAM user in code to make an API request to access Message Queue for Apache Kafka.