Create an AccessKey pair to authenticate programmatic API calls for a RAM user or an Alibaba Cloud account.
What is an AccessKey?
An AccessKey pair is a long-term security credential that Alibaba Cloud issues for programmatic access. It consists of an AccessKey ID and an AccessKey secret.
- AccessKey ID: The public, unique identifier for an AccessKey pair.
- AccessKey secret: The private key used to sign programmatic requests. This signature verifies the authenticity and integrity of the request. You must keep your AccessKey secret strictly confidential.
To reduce the risk of compromise, the AccessKey secret is displayed only when you create it. You cannot retrieve it later. Be sure to store it securely.
How to use an AccessKey
AccessKey pairs authenticate programmatic calls to Alibaba Cloud APIs through the CLI, SDKs, or Terraform. They cannot be used to sign in to the console.
Avoid using AccessKey pairs directly in applications. Alibaba Cloud provides AccessKey-free solutions that use temporary security credentials (STS tokens) instead. For details, see Application development scenarios.
If you must use an AccessKey pair, follow the guidance in Properly store and use unavoidable AccessKey pairs.
How an AccessKey works
RAM generates the AccessKey ID and AccessKey secret using a cryptographic algorithm. Alibaba Cloud encrypts them during storage and transmission.
When an application sends a request, it includes the AccessKey ID and a signature derived from the AccessKey secret. Alibaba Cloud uses these to verify the sender's identity and request integrity. For details, see V3 request body & signature mechanism.
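As an added illustration (not code from the Alibaba Cloud documentation or SDKs), the following Python models the flow described above: the client derives an HMAC-SHA256 signature from the AccessKey secret over a canonical form of the request, sends only the AccessKey ID and the signature, and the service recomputes the signature from its stored copy of the secret to check identity and integrity. The canonical-request layout is a simplified model of the V3 scheme and is an assumption here (the linked V3 page is authoritative); the credentials, headers and nonce are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials for this example only (not real keys).
ACCESS_KEY_ID = "LTAI_EXAMPLE_ID"
ACCESS_KEY_SECRET = "example-secret-never-commit-me"

# Constructed request pieces; header names follow the V3 convention (assumption).
HEADERS = {"host": "ram.aliyuncs.com", "x-acs-action": "CreateAccessKey",
           "x-acs-version": "2015-05-01", "x-acs-date": "2024-01-01T00:00:00Z",
           "x-acs-signature-nonce": "constructed-nonce-0001"}
QUERY = {"UserPrincipalName": "test@example.onaliyun.com"}


def canonical_request(method, path, query, headers, body):
    """Canonical form covering method, path, sorted query, sorted headers and body hash."""
    qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{qs}\n{canon_headers}\n{signed}\n{payload_hash}", signed


def sign(secret, method, path, query, headers, body):
    """Client side: HMAC-SHA256 with the AccessKey secret over the hashed canonical request."""
    canon, signed = canonical_request(method, path, query, headers, body)
    string_to_sign = "ACS3-HMAC-SHA256\n" + hashlib.sha256(canon.encode()).hexdigest()
    sig = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()
    return sig, signed


def authorization_header(key_id, secret, method, path, query, headers, body):
    """The secret never leaves the client; only the ID and the signature are sent."""
    sig, signed = sign(secret, method, path, query, headers, body)
    return f"ACS3-HMAC-SHA256 Credential={key_id},SignedHeaders={signed},Signature={sig}"


def verify(secret, method, path, query, headers, body, presented_sig):
    """Service side: recompute from the stored secret and compare in constant time."""
    expected, _ = sign(secret, method, path, query, headers, body)
    return hmac.compare_digest(expected, presented_sig)


if __name__ == "__main__":
    auth = authorization_header(ACCESS_KEY_ID, ACCESS_KEY_SECRET, "POST", "/", QUERY, HEADERS, b"")
    sig = auth.split("Signature=")[1]
    print("valid:", verify(ACCESS_KEY_SECRET, "POST", "/", QUERY, HEADERS, b"", sig))
    tampered = {"UserPrincipalName": "other@example.onaliyun.com"}
    print("tampered query accepted:", verify(ACCESS_KEY_SECRET, "POST", "/", tampered, HEADERS, b"", sig))
```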
AccessKey types
AccessKey pairs are categorized by owner:
- Alibaba Cloud account AccessKey pair (Not recommended): The Alibaba Cloud account owner creates this type. By default, it has full permissions for all operations and resources within the account. If compromised, the security risk is extremely high. Do not create or use an AccessKey pair for your Alibaba Cloud account.
- RAM user AccessKey pair (Recommended): This type belongs to a RAM user and inherits that user's permissions, enabling least-privilege access. Create a RAM user before creating an AccessKey pair for it. Assign a unique RAM user and AccessKey pair to each application to prevent excessive permissions and reduce compromise risk from shared credentials.
Permissions required
Avoid using an Alibaba Cloud account to create AccessKey pairs due to its excessive permissions. Instead, use a RAM user with the required permissions to create and manage AccessKey pairs for RAM users.
- You can attach the AliyunRAMFullAccess (RAM administrator) system policy to an administrator to allow them to create and manage AccessKey pairs for RAM users.
- You can also enable Allow users to manage AccessKey in the RAM global security settings to allow users to manage their own AccessKey pairs. See Manage security settings for RAM users.
Note: Enabling this setting allows all RAM users to manage their own AccessKey pairs, including operations like creating, disabling, and deleting them, unless an administrator attaches a policy that explicitly denies these actions.
Do not enable this setting in production. To allow a specific user to manage their own AccessKey pair, use a custom policy and restrict the Resource to that user. Sample policies:
Allow self-service creation
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateAccessKey",
        "ram:ListAccessKeys"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
    }
  ]
}
Allow self-service management
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateAccessKey",
        "ram:ListAccessKeys",
        "ram:UpdateAccessKey",
        "ram:DeleteAccessKey",
        "ram:GetAccessKeyLastUsed",
        "ram:ListAccessKeysInRecycleBin"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
    }
  ]
}
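To show why the Resource restriction matters, here is an added Python model (not Alibaba Cloud code) of how the sample self-service policy behaves: the user-scoped Allow only matches that user's own AccessKey resource, an explicit Deny attached by an administrator overrides it, and an audit helper flags Allow statements that are not pinned to one user. The evaluation rules (explicit Deny wins, otherwise any matching Allow, otherwise denied) and the account ID and user name are assumptions and placeholders.

```python
import fnmatch
import json

# Self-service policy shaped like the page's sample; account id and user are placeholders.
SELF_SERVICE_POLICY = json.loads("""
{ "Version": "1", "Statement": [ { "Effect": "Allow",
  "Action": [ "ram:CreateAccessKey", "ram:ListAccessKeys", "ram:UpdateAccessKey",
              "ram:DeleteAccessKey", "ram:GetAccessKeyLastUsed", "ram:ListAccessKeysInRecycleBin" ],
  "Resource": "acs:ram:*:123456789012:user/alice" } ] }
""")

# An explicit Deny an administrator might attach to stop this user creating new keys.
DENY_CREATE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "ram:CreateAccessKey",
     "Resource": "acs:ram:*:123456789012:user/alice"}]}

# Over-broad variant (constructed) that the audit check below should reject.
WILDCARD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:*AccessKey*", "Resource": "acs:ram:*:123456789012:user/*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'. Assumed RAM-like rules: an explicit
    Deny wins over any Allow; with no matching statement the request is denied."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            # '*' in Action and Resource patterns is a wildcard; fnmatchcase models that.
            hit = (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return "Deny"
            allowed = allowed or hit
    return "Allow" if allowed else "ImplicitDeny"


def is_self_scoped(policy, account_id, user_name):
    """Audit check: every Allow statement names exactly this user's own resource."""
    own = f"acs:ram:*:{account_id}:user/{user_name}"
    return all(_as_list(s["Resource"]) == [own]
               for s in policy["Statement"] if s["Effect"] == "Allow")
```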
Create a RAM user AccessKey
Complete these steps as a RAM administrator (with the AliyunRAMFullAccess policy). If you do not have a RAM user, create one first.
A RAM user follows the steps in Create an Alibaba Cloud account AccessKey (Not recommended) to create their own AccessKey pair.
Console
- Sign in to the RAM console. In the left-side navigation pane, choose .
- On the user list, find the target RAM user and click their username.
- On the AccessKey tab, click Create AccessKey.
Note: Each RAM user can have a maximum of two AccessKey pairs. One is for active use, and the other can be created for rotation to replace the old one.
- In the dialog box, review the use cases and recommendations. If you must create an AccessKey pair, select a use case, select I confirm that it is necessary to create an AccessKey, and then click Continue. The selected use case does not affect the created AccessKey pair.
- Complete the security verification as prompted.
- In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and then click OK.
Configure a network access control policy for the AccessKey pair (Optional): Restrict source IP addresses for OpenAPI requests to confine calls to trusted networks. Click Configure network access policy to set up restrictions. See Configure an AccessKey-level network access control policy for a RAM user.
Important: To reduce the risk of compromise, the AccessKey secret is displayed only when you create it. You cannot retrieve it later. Be sure to store it securely.
OpenAPI
Call the CreateAccessKey operation and specify the following parameter:
- UserPrincipalName: The logon name of the user who owns the AccessKey pair, in the format test@example.onaliyun.com. You can view the logon name of the user in the RAM console.
To reduce the risk of compromise, the AccessKey secret is returned only in the response of the CreateAccessKey operation. You cannot retrieve it later. Be sure to store it securely.
Create an Alibaba Cloud account AccessKey (Not recommended)
Unless absolutely necessary, do not create or use an AccessKey pair for your Alibaba Cloud account. Before you proceed, evaluate whether you can use a RAM user AccessKey pair instead.
- Sign in to the Alibaba Cloud Console with your Alibaba Cloud account.
- Hover over your profile icon in the upper-right corner and click AccessKey.
- In the Cloud Account AccessKey Pair Not Recommended dialog box, read the risks associated with creating an AccessKey pair for your Alibaba Cloud account. To proceed, select I am aware of the security risks of using a main account AccessKey., and then click Use Cloud Account AccessKey.
- On the AccessKey page, click Create AccessKey.
Note: An Alibaba Cloud account can have a maximum of two AccessKey pairs. One is for active use, and the other can be created for rotation to replace the old one.
- In the Create Main Account AccessKey dialog box, read the risks and limitations again. If you are sure you want to create an AccessKey pair for your Alibaba Cloud account, select I am aware of the security risks of using a main account AccessKey., and then click Use Cloud Account AccessKey.
- In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, select I have saved the AccessKey Secret, and then click OK.
Configure a network access control policy for the AccessKey pair (Recommended): Restrict source IP addresses for OpenAPI requests to confine calls to trusted networks. Click Configure network access policy to set up restrictions. See Configure an AccessKey-level network access control policy for an Alibaba Cloud account.
Important: To reduce the risk of compromise, the AccessKey secret for an Alibaba Cloud account is displayed only when you create it. You cannot retrieve it later. Be sure to store it securely.