To secure your Alibaba Cloud account, we recommend that you follow the principle of least privilege by creating separate RAM users for employees, systems, and applications. You can then grant these users only the permissions that they need to perform their tasks. Creating RAM users is free of charge. Your Alibaba Cloud account is billed for the resources that are used by the RAM users. This topic describes how to create a RAM user in the RAM console and by calling an API operation.
Procedure
Console
Log on to the RAM console using your Alibaba Cloud account or a RAM administrator account (for example, a RAM user to which the AliyunRAMFullAccess policy is attached). In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the basic information for the user.
Logon Name (required): The logon name can contain letters, digits, periods (.), hyphens (-), and underscores (_). It can be up to 64 characters in length.
Display Name (optional): The display name can be up to 128 characters in length.
Tag (optional): Click the icon, then enter a tag key and a tag value. Tags help you categorize and manage RAM users.
Note: Click Add User to create multiple RAM users at the same time.
In the Access Mode section, select an access mode based on the user type.
Important: As a security best practice, we recommend that you select only one access mode per user. This creates a clear separation between human users who require console access and applications that require programmatic access.
An AccessKey pair is a long-term credential for programmatic access. If an AccessKey is leaked, the security of all resources in your account is at risk. We recommend that you use Security Token Service (STS) tokens as temporary credentials to reduce the risk of credential leakage. For more information, see Best practices for using an access credential to call API operations.
Console access
For human users, such as employees, select Console Access.
Set Logon Password: Choose one of the following password options:
Automatically Regenerate Default Password
Reset Custom Password: Your custom password must meet the password complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: Specifies whether the RAM user must reset the password at the next logon.
Enable MFA: By default, multi-factor authentication (MFA) is required for logon. To modify this setting, see Manage the security settings of RAM users. RAM users must bind an MFA device during their first logon. For more information, see Bind an MFA device to a RAM user.
Programmatic access
For applications or systems, select Using permanent AccessKey to access.
After you enable this option, the system automatically creates an AccessKey ID and an AccessKey secret for the RAM user.
Important: The AccessKey secret is displayed only once upon creation and cannot be retrieved later. This is your only opportunity to view and save the secret. You must copy and save it to a secure location immediately, or click Download CSV File to download the file. If an AccessKey pair is leaked, it compromises the security of all resources in your account. For more information, see Create an AccessKey pair.
OpenAPI
Create a RAM user for console access
Call GetDefaultDomain to obtain the default domain name for your account. The format is <AccountAlias>.onaliyun.com.
Call CreateUser to create a RAM user. The required parameters are as follows:
UserPrincipalName: The logon name of the RAM user. The format is <username>@<AccountAlias>.onaliyun.com. <username> is the name of the RAM user, and <AccountAlias>.onaliyun.com is the default domain name.
DisplayName: The display name of the RAM user. It can be different from the <username>.
Call CreateLoginProfile to create a logon profile for the user, which enables console access. The recommended settings for some parameters are as follows:
UserPrincipalName: The logon name of the RAM user that you created in the previous step.
Password: Set a password that meets the password complexity requirements of your account. You can call GetPasswordPolicy to query the password policy for RAM users.
MFABindRequired: We recommend that you require MFA for the RAM user. To do this, set this parameter to true.
Status: Specifies whether password-based logon to the console is enabled. Keep the default value Active.
Create a RAM user for programmatic access
Call GetDefaultDomain to obtain the default domain name for your account. The format is <AccountAlias>.onaliyun.com.
Call CreateUser to create a RAM user. The required parameters are as follows:
UserPrincipalName: The logon name of the RAM user. The format is <username>@<AccountAlias>.onaliyun.com. <username> is the name of the RAM user, and <AccountAlias>.onaliyun.com is the default domain name.
DisplayName: The display name of the RAM user. It can be different from the <username>.
Call CreateAccessKey to create an AccessKey pair. To create the AccessKey pair, you only need to specify the UserPrincipalName of the RAM user that you created in the previous step.
Important: The CreateAccessKey API operation returns an AccessKey ID and an AccessKey secret. This is your only opportunity to view and save the secret. You must copy and save it to a secure location immediately. If an AccessKey pair is leaked, it compromises the security of all resources in your account. For more information, see Create an AccessKey.
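The following Python script is an added example and is not Alibaba Cloud's own code or SDK. It models both OpenAPI procedures above (console access via CreateUser plus CreateLoginProfile, programmatic access via CreateUser plus CreateAccessKey) as an offline plan of API calls, enforcing the constraints this topic states: the logon-name character set and 64-character limit, the 128-character display-name limit, exactly one access mode per user, MFABindRequired set to true and Status kept at Active for console users. It also shows one way to handle the one-time AccessKey secret: writing it straight to an owner-only CSV file rather than logging or printing it. The GetPasswordPolicy field names used in password_meets_policy (MinimumPasswordLength, RequireLowercaseCharacters, RequireUppercaseCharacters, RequireNumbers, RequireSymbols) and the AccessKeyId/AccessKeySecret fields of the CreateAccessKey response are assumptions based on the RAM API and should be checked against your actual responses; the script makes no network calls, and the policy and AccessKey values in demo() are constructed.

```python
"""Added example: plan RAM user creation offline and store the one-time
AccessKey secret safely. Not Alibaba Cloud's code; no API calls are made."""
import csv
import os
import re
import stat
import tempfile

# Constraints stated in the topic: logon name charset and length, display name length.
LOGON_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
MAX_DISPLAY_NAME_LEN = 128
DEFAULT_DOMAIN_SUFFIX = ".onaliyun.com"   # GetDefaultDomain returns <AccountAlias>.onaliyun.com


def is_valid_logon_name(username: str) -> bool:
    """Letters, digits, periods, hyphens and underscores only; at most 64 characters."""
    return LOGON_NAME_RE.fullmatch(username) is not None


def build_user_principal_name(username: str, account_alias: str) -> str:
    """Return <username>@<AccountAlias>.onaliyun.com, rejecting an invalid logon name."""
    if not is_valid_logon_name(username):
        raise ValueError(f"logon name {username!r} violates the charset or length rules")
    return f"{username}@{account_alias}{DEFAULT_DOMAIN_SUFFIX}"


def password_meets_policy(password: str, policy: dict) -> bool:
    """Check a candidate password against a GetPasswordPolicy-style dict.
    Field names are ASSUMED (MinimumPasswordLength, Require*); missing fields are
    treated as not required, except a default minimum length of 8."""
    checks = [
        len(password) >= policy.get("MinimumPasswordLength", 8),
        not policy.get("RequireLowercaseCharacters") or re.search(r"[a-z]", password),
        not policy.get("RequireUppercaseCharacters") or re.search(r"[A-Z]", password),
        not policy.get("RequireNumbers") or re.search(r"[0-9]", password),
        not policy.get("RequireSymbols") or re.search(r"[^A-Za-z0-9]", password),
    ]
    return all(checks)


def plan_ram_user(kind, username, account_alias, display_name, password=None, policy=None):
    """Return the ordered (operation, parameters) calls for one RAM user.
    kind is 'console' (human) or 'programmatic' (application): one access mode per user."""
    if kind not in ("console", "programmatic"):
        raise ValueError("kind must be 'console' or 'programmatic'")
    if len(display_name) > MAX_DISPLAY_NAME_LEN:
        raise ValueError("display name exceeds 128 characters")
    upn = build_user_principal_name(username, account_alias)
    calls = [("CreateUser", {"UserPrincipalName": upn, "DisplayName": display_name})]
    if kind == "console":
        if password is None or not password_meets_policy(password, policy or {}):
            raise ValueError("console user needs a password that meets the password policy")
        calls.append(("CreateLoginProfile", {
            "UserPrincipalName": upn,
            "Password": password,
            "MFABindRequired": True,   # recommended setting from the topic
            "Status": "Active",        # keep the default
        }))
    else:
        # Long-term credential: prefer STS tokens where possible, as the topic notes.
        calls.append(("CreateAccessKey", {"UserPrincipalName": upn}))
    return calls


def store_access_key_csv(access_key: dict, directory: str) -> str:
    """Persist a CreateAccessKey result (ASSUMED keys AccessKeyId/AccessKeySecret) to an
    owner-only (0600) CSV. The secret is shown once, so write it immediately and do not log it."""
    path = os.path.join(directory, f"{access_key['AccessKeyId']}.csv")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # fail if it already exists
    with os.fdopen(fd, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=["AccessKeyId", "AccessKeySecret"])
        writer.writeheader()
        writer.writerow({k: access_key[k] for k in ("AccessKeyId", "AccessKeySecret")})
    return path


def stored_file_mode(path: str) -> int:
    """Permission bits of a stored file; expect 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Constructed walk-through with no network access."""
    policy = {"MinimumPasswordLength": 12, "RequireUppercaseCharacters": True,
              "RequireNumbers": True, "RequireSymbols": True}          # constructed
    console = plan_ram_user("console", "alice", "example-alias", "Alice",
                            password="Str0ng-Passw0rd!", policy=policy)
    app = plan_ram_user("programmatic", "billing-app", "example-alias", "Billing service")
    fake_response = {"AccessKeyId": "EXAMPLE-ACCESSKEY-ID",
                     "AccessKeySecret": "EXAMPLE-SECRET"}              # constructed placeholder
    with tempfile.TemporaryDirectory() as d:
        mode = stored_file_mode(store_access_key_csv(fake_response, d))
    return {"console_ops": [op for op, _ in console],
            "app_ops": [op for op, _ in app], "mode": mode}


if __name__ == "__main__":
    print(demo())
```

The plan returned by plan_ram_user maps one-to-one onto the API operations in the two procedures above, so it can be fed to the RAM SDK or the Alibaba Cloud CLI in order; keeping the request parameters in one place makes it easy to audit that every console user is created with MFABindRequired set to true and that no user receives both a logon profile and an AccessKey pair.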
What to do next
Grant permissions to the RAM user.
A newly created RAM user has no permissions. You must grant permissions to the user so that the user can access the required cloud resources. For more information, see Grant permissions to a RAM user.
Log on to the Alibaba Cloud Management Console as the RAM user or call an Alibaba Cloud API operation.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user and RAM API overview.
Modify the logon domain name for the RAM user if necessary. For more information, see View and modify the default domain name.