
Resource Access Management: Create an AccessKey pair

Last Updated: Aug 08, 2025

This topic describes how to create an AccessKey pair for a Resource Access Management (RAM) user and an Alibaba Cloud account.

What is an AccessKey pair

An AccessKey pair is a permanent access credential provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • An AccessKey ID is used to identify a user.

  • An AccessKey secret is a secret key used to cryptographically sign requests.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

You cannot use an AccessKey pair to log on to the console. Instead, you use it for programmatic access to Alibaba Cloud through development tools like an API, CLI, SDK, or Terraform. These tools use the AccessKey pair to sign requests, which verifies your identity and the validity of the request.
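
A simplified illustration of the signing model described above, as an added example that is neither Alibaba Cloud's code nor its actual signature algorithm: the AccessKey ID selects the secret on the server, the secret keys an HMAC over the request, and the secret itself is never transmitted. The key store, ID, secret, parameter names and canonical form are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed server-side credential store: AccessKey ID -> AccessKey secret.
KEY_STORE = {"EXAMPLE-AK-ID-0001": "constructed-secret-not-a-real-key"}


def canonicalize(method: str, params: dict) -> str:
    """Build a deterministic string-to-sign from the method and sorted parameters."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    query = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}" for k, v in pairs)
    return f"{method.upper()}&{quote(query, safe='')}"


def sign(method: str, params: dict, secret: str) -> str:
    """Client side: the secret keys the HMAC and never leaves the caller."""
    message = canonicalize(method, params).encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify(method: str, params: dict) -> bool:
    """Server side: look up the secret by AccessKey ID and recompute the signature."""
    secret = KEY_STORE.get(params.get("AccessKeyId", ""))
    if secret is None or "Signature" not in params:
        return False  # unknown identity or unsigned request
    expected = sign(method, params, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, params["Signature"])


def demo() -> dict:
    """Sign one request, then check a valid, a tampered and an unknown-ID copy."""
    request = {"Action": "ListUsers", "AccessKeyId": "EXAMPLE-AK-ID-0001", "Nonce": "n-1"}
    request["Signature"] = sign("GET", request, KEY_STORE["EXAMPLE-AK-ID-0001"])
    tampered = dict(request, Action="DeleteUser")  # parameter changed after signing
    unknown = dict(request, AccessKeyId="EXAMPLE-AK-ID-9999")
    return {
        "valid": verify("GET", request),
        "tampered": verify("GET", tampered),
        "unknown_id": verify("GET", unknown),
    }


if __name__ == "__main__":
    print(demo())
```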

AccessKey pair classification

  • Alibaba Cloud account AccessKey pair

    An AccessKey pair created by an Alibaba Cloud account has all permissions of the account by default and can perform all operations. If the AccessKey pair is leaked, the risk is extremely high. We strongly recommend that you do not create or use an AccessKey pair for your Alibaba Cloud account.

  • RAM user AccessKey pair

    To manage user permissions by using RAM, you must create RAM users. Then, you need to grant different permissions to each RAM user. A RAM user AccessKey pair provides programmatic access for a RAM user. Before creating an AccessKey pair, you must first create a RAM user. The permissions of the AccessKey pair are inherited from the user's assigned policies, allowing you to follow the principle of least privilege. To minimize risk, assign a unique RAM user and AccessKey pair to each application instead of sharing credentials.

Best practices for AccessKey pairs

An AccessKey pair is a permanent credential designed for programmatic access. If an AccessKey pair of an account is leaked, the resources that belong to the account are exposed to potential risks.

  • We recommend that you do not create AccessKey pairs for Alibaba Cloud accounts.

  • To reduce the risk of credential leaks, we recommend using Security Token Service (STS) tokens for temporary access instead of long-term AccessKey pairs whenever possible.

  • Keep AccessKey pairs confidential. Do not share AccessKey pairs or commit them to public repositories.

  • Do not hard-code AccessKey pairs in plaintext in your application code.

  • If you do not need an AccessKey pair, disable or delete it immediately.

  • Rotate AccessKey pairs on a regular basis. Each RAM user can have up to two AccessKey pairs, allowing you to rotate keys without downtime.

  • Grant only the required permissions to a RAM user based on the principle of least privilege.

For more information, see Best practices for using an access credential to call API operations.
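
One way to check a code base for the hard-coded and committed AccessKey pairs that the practices above warn against, as an added example that is not part of the original documentation. It assumes that AccessKey IDs begin with "LTAI" followed by 12 to 20 alphanumeric characters, which this page does not state; the sample files and credential values are constructed.

```python
import re

# Assumption (not stated on the page): AccessKey IDs begin with "LTAI"
# followed by 12-20 alphanumeric characters.
AK_ID = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
# A quoted literal assigned to a name such as access_key_secret / accessKeySecret.
AK_SECRET = re.compile(
    r"(?i)\b(\w*access_?key_?secret\w*)[\"']?\s*[:=]\s*[\"']([A-Za-z0-9]{24,})[\"']"
)

# Constructed sample files; every credential value below is fake.
SAMPLE_FILES = {
    "app/config.py": (
        'ACCESS_KEY_ID = "LTAIexampleexample0000"\n'
        'ACCESS_KEY_SECRET = "ConstructedSecretValue0123456789"\n'
    ),
    # Reads credentials from the environment, so nothing should be flagged.
    "app/config_env.py": (
        "import os\n"
        'ACCESS_KEY_ID = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]\n'
        'ACCESS_KEY_SECRET = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]\n'
    ),
}


def redact(value: str) -> str:
    """Keep a short prefix for triage; never echo the full credential."""
    return value[:4] + "*" * (len(value) - 4)


def scan(path: str, text: str) -> list:
    """Return (path, line number, kind, redacted value) for each hard-coded hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AK_ID.finditer(line):
            findings.append((path, lineno, "access-key-id", redact(m.group())))
        for m in AK_SECRET.finditer(line):
            findings.append((path, lineno, "access-key-secret", redact(m.group(2))))
    return findings


def scan_tree(files: dict) -> list:
    """Scan a mapping of path -> file contents."""
    return [hit for path, text in files.items() for hit in scan(path, text)]


if __name__ == "__main__":
    for hit in scan_tree(SAMPLE_FILES):
        print(*hit)
```

Any hit on a real repository should be treated as a leaked credential: disable or delete that AccessKey pair and create a replacement, since removing the line does not remove it from version history.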

Create an AccessKey pair for a RAM user

Prerequisites

You can use one of the following accounts to create an AccessKey pair for a RAM user:

  • An Alibaba Cloud account.

  • A RAM administrator.

  • A RAM user that is granted the permissions to manage AccessKey pairs. For more information about how to grant a RAM user the permissions to manage AccessKey pairs, see Manage security settings of RAM users.

Limits

  • To reduce the risk of leaks, the AccessKey secret for a RAM user is displayed only at the time of creation. It cannot be retrieved later. You must record the secret and store it securely.

  • You can create a maximum of two AccessKey pairs for a RAM user.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the username of the RAM user that you want to manage.

  4. In the AccessKey section of the Authentication tab, click Create AccessKey.

  5. Read the suggestion for each scenario and select a credential solution based on your business requirements. If you must create an AccessKey pair, select a scenario, select I confirm that it is necessary to create an AccessKey, and then click Continue. The created AccessKey pair can be used in all scenarios.

  6. In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and click OK.

    To enhance security, you can configure a network access policy to restrict API requests made with this AccessKey pair to specific source IP addresses. This ensures the AccessKey pair is only used from trusted network environments. You can click Configure Network Access Policy to configure the access policies. For more information, see Configure an AccessKey-level network access restriction policy for a RAM user.

Create an AccessKey pair for an Alibaba Cloud account

Limits

  • To reduce the risk of leaks, the AccessKey secret for an Alibaba Cloud account is displayed only at the time of creation. It cannot be retrieved later. You must record the secret and store it securely.

  • You can create a maximum of five AccessKey pairs for an Alibaba Cloud account.

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. Move the pointer over the profile picture in the upper-right corner of the page that appears and click AccessKey.

  3. In the Main Account AccessKey is not recommended dialog box, read the risks that arise from using the AccessKey pair of an Alibaba Cloud account, select I am aware of the security risks of using a main account AccessKey, and then click use Main Account AccessKey.

  4. On the AccessKey page, click Create AccessKey.

  5. In the Create Main Account AccessKey dialog box, read the risks that arise from creating an AccessKey pair for an Alibaba Cloud account and the limits on using the AccessKey pair of an Alibaba Cloud account, select I am aware of the security risks of using a main account AccessKey, and then click use Main Account AccessKey.

  6. In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, select I have saved the AccessKey Secret, and then click OK.

    To enhance security, you can configure a network access policy to restrict API requests made with this AccessKey pair to specific source IP addresses. This ensures the AccessKey pair is only used from trusted network environments. You can click Configure Network Access Policy to configure the access policies. For more information, see Configure an AccessKey-level network access restriction policy for an Alibaba Cloud account.
