Resource Access Management (RAM) allows you to separately manage the permissions of your Alibaba Cloud account and its RAM users. You can grant different permissions to different RAM users to avoid security risks caused by disclose of the AccessKey pair of your Alibaba Cloud account.

Background information

Enterprise A has activated ApsaraMQ for RabbitMQ and wants to grant permissions on ApsaraMQ for RabbitMQ resources, such as instances, queues, vhosts, and exchanges, to employees. Employees with different duties require different permissions. Enterprise A has the following requirements:

  • For security purposes, the enterprise does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, it prefers to create different RAM users for the employees and grant different permissions to these RAM users.
  • A RAM user can use resources only under authorization. Resource usage and costs are not separately calculated for each RAM user. All expenses are billed to the Alibaba Cloud account of the enterprise.
  • The enterprise can revoke the permissions granted to RAM users and delete RAM users at any time.

Step 1: Create a RAM user

Use the Alibaba Cloud account of the enterprise to log on to the RAM console and create a RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Optional:Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.
    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.

Step 2: Grant permissions to the RAM user

Grant different permissions to RAM users.

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, click System Policy or Custom Policy. Enter the keyword of the policy that you want to add in the search box, click the displayed policy to add it to the Selected list, and then click OK.
    Note For more information about the policies that can be used to access ApsaraMQ for RabbitMQ, see RAM policies.
  5. In the Add Permissions panel, view the authorization information and click Complete.

What to do next

Employees of Enterprise A can use RAM users to access ApsaraMQ for RabbitMQ by using the following methods:

  • Console
    1. Open the RAM Account Login page in your browser.
    2. On the RAM Account Login page, specify Username and click Next. Then, specify Password and click Login.
      Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used.
  • API operation

    Use the AccessKey ID and AccessKey secret of the RAM user in code to make an API request to access ApsaraMQ for RabbitMQ.