This topic describes how to create a Resource Access Management (RAM) user and grant permissions to it for fine-grained access control over your cloud resources.
Why use RAM users?
An Alibaba Cloud account is equivalent to the root user in Linux. It is the most privileged principal. When multiple employees in your enterprise need to collaborate on cloud resources, you can create multiple RAM users under your Alibaba Cloud account. Then, you can assign the minimum permissions required for each user to perform their tasks.
| Item | Alibaba Cloud account | RAM user |
| --- | --- | --- |
| Identity role | The owner of resources. Has full ownership of all assets and the highest permissions. | A user of resources and services. Permissions are granted by the Alibaba Cloud account. A RAM user usually corresponds to a specific person or application. |
| Owns cloud resources | Yes | No. Resources are owned by the Alibaba Cloud account. |
| Default permissions | Full permissions. Cannot be restricted. | No permissions by default. Must be granted permissions by the Alibaba Cloud account. |
| Recommended use | Only for key management operations, such as authorization, payment, and account management. | Daily development, O&M, deployment, and other tasks. |
Procedure
Use the quick start feature to create a RAM user with Auditing Administrator permissions.
Log on to the RAM console as the RAM user you created and complete the initial configuration.
Verify that the permissions are granted to the RAM user successfully.
Step 1: Create a RAM user
Quickly create a user and grant permissions
Log on to the RAM console with your Alibaba Cloud account.
On the Overview page, click the Get Started tab. In the Cloud functional users section, click Show All Workflows, then select a workflow.
This topic provides an example of the Auditing Administrator workflow. An Auditing Administrator has full access to Cloud Config, ActionTrail, and Simple Log Service (SLS). They can also query the status of all Alibaba Cloud resources.

View or modify the parameters.
You can view all preset parameters but can modify only some of them. The parameters that are available for modification are displayed in the console.
Click Perform.
After the configuration is complete, save the username and password of the RAM user.
You can modify the configuration of a RAM user that was created using the quick start feature. To do this, navigate to the corresponding menu in the RAM console. For more information, see Modify the basic information about a RAM user.
To create a RAM user and grant it permissions manually, see Create a RAM user and Grant permissions to a RAM user.
Set an account alias (Recommended)
The default logon name for a RAM user is <UserName>@<AccountAlias>.onaliyun.com. In this format, <AccountAlias>.onaliyun.com is the default domain name of the Alibaba Cloud account, and <AccountAlias> is the account alias. By default, the account alias is the account ID of the Alibaba Cloud account. We recommend setting an easy-to-remember alias for your Alibaba Cloud account to simplify the logon process for RAM users. This alias replaces the default 16-digit account ID in the logon name. For best results, set this alias before you create RAM users.
Follow these steps to modify the default domain name:
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, click Settings. On the Settings page, click Domain. Then, click Edit in the Actions column of the default domain name.

Only the Alibaba Cloud account or a RAM user with administrative permissions can set or modify an account alias.
After an alias is set, it takes effect immediately. The logon names of all new RAM users will use this alias by default.
Step 2: Log on as the RAM user
A RAM user can use the following links to log on to the console. Use the dedicated logon link to avoid entering the account's default domain name.
General logon URL
Use the newly created RAM user to log on to the Alibaba Cloud Management Console.
Note: The logon page for RAM users is different from the logon page for Alibaba Cloud accounts. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Dedicated logon URL
Log on to the RAM console. On the Overview page, you can find the logon URL for RAM users. This URL allows them to log on to the Alibaba Cloud Management Console without entering the default domain name of the account.

On the RAM User Logon page, enter the RAM username and click Next.
Enter the RAM user's logon password and click Log On.
When you log on for the first time, you must bind a multi-factor authentication (MFA) device. For subsequent logons, you will be prompted to enter an MFA code. For more information, see Bind an MFA device to a RAM user.
Reset the RAM user password: RAM users created using the quick start feature are required to reset their passwords upon their first logon.
Step 3: Verify the RAM user's permissions
The Auditing Administrator has full access to Cloud Config, ActionTrail, and SLS, and can query the status of all Alibaba Cloud resources. This section uses ActionTrail and RAM as examples to verify that the permissions were granted.
After the RAM user logs on to the console, hover over the profile picture in the upper-right corner. Then, you can view the RAM user's information.

Go to the ActionTrail console and perform an operation.
For example, in the left-side navigation pane, choose to view event records for all services.
Go to the RAM console.
In the left-side navigation pane, choose to view all RAM users.
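Try to create another RAM user by repeating the steps in Create a RAM user. The "Access Denied" error message is displayed, which confirms that the RAM user can query RAM resources but cannot create them.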
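The allow/deny outcome that Step 3 checks in the console can be reproduced offline with a small policy evaluator. This is an added example, not Alibaba Cloud code: the policy document is constructed to approximate the Auditing Administrator grants described above (it is not the policy the quick start workflow attaches), and the evaluator is a simplified model that ignores conditions and principals.

```python
import fnmatch

# Constructed policy (assumption): approximates the Auditing Administrator grants
# described on this page. It is NOT the policy the quick start workflow attaches.
AUDITOR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["actiontrail:*", "config:*", "log:*"]},
        # Read-only "query status" access, modelled here for RAM only.
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ram:Get*", "ram:List*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Shell-style wildcard match; only "*" is used in this example.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def run_step3_checks(policies):
    # The three console checks from Step 3, expressed as API action names.
    checks = ["actiontrail:LookupEvents", "ram:ListUsers", "ram:CreateUser"]
    return {action: evaluate(policies, action) for action in checks}


if __name__ == "__main__":
    for action, decision in run_step3_checks([AUDITOR_POLICY]).items():
        print(f"{action:28} {decision}")
    # A RAM user with no policies attached is denied everything by default.
    print(evaluate([], "actiontrail:LookupEvents"))
```

Passing an empty policy list models a RAM user that has not been granted any permissions, which is the default state shown in the comparison table.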

Troubleshooting
If an access denied error occurs when a RAM user tries to access a resource, see How do I troubleshoot an access denied error?