You can generate and download a user credential report to audit the status of all credentials in your account. The report lists details about your Alibaba Cloud account and RAM users, including their console passwords, AccessKey pairs, and multi-factor authentication (MFA) devices, which can be used for compliance and auditing purposes.
Limits
You cannot generate a credential report if your account has more than 3,500 RAM users.
Procedure
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, click Overview.
On the Overview tab, click Download User Credential Report.
After the user credential report is generated, click Download to save the report to your computer.
Note: Report generation time depends on the number of RAM users in your account. You can generate a new CSV report once every four hours. If you request a report within four hours of the previous one, you will receive the most recently generated report.
Report fields
The fields in the user credential report are described below.
Field | Example | Description |
user | username@company-alias.onaliyun.com | The name of the user. The first row always represents the Alibaba Cloud account, displayed as <root>. Subsequent rows represent RAM users, displayed in the User Principal Name (UPN) format. |
user_creation_time | 2019-11-11T12:33:18Z | The time at which the RAM user was created. Note The timestamp is in ISO 8601 format and UTC. |
user_last_logon | 2019-11-11T12:45:18Z | The time at which the RAM user last logged on to the Alibaba Cloud Management Console. Note The logon method could be a password or user-based SSO. If the RAM user has never logged on, this field shows a hyphen ( |
password_exist | TRUE | Indicates whether a console password is set for the user. Valid values:
Note For member accounts created in a Resource Directory, this field may show password information, but the password cannot be used to sign in to the console. For more information, see Create a member. |
password_active | N/A | Indicates whether the console password is active. Valid values: |
password_last_changed | 2019-11-11T12:50:18Z | The time at which the password was last changed. The value is Note RAM only records changes made after April 5, 2016. If the password was last changed on or before this date, the value is |
password_next_rotation | 2019-11-13T12:50:18Z | The date when the password is scheduled to be rotated according to the account's password policy. |
mfa_active | TRUE | Indicates whether an MFA device is enabled. Valid values: The value is |
access_key_1_exist | TRUE | Indicates whether the first AccessKey pair exists. Valid values: |
access_key_1_active | TRUE | Indicates whether the first AccessKey pair is active. Valid values: The value is |
access_key_1_last_rotated | 2019-11-11T12:50:18Z | The time at which the first AccessKey pair was created or last rotated. The value is |
access_key_1_last_used | 2019-11-13T12:50:18Z | The time at which the first AccessKey pair was last used. Note Last used data is available for actions since June 1, 2019, and can have a delay of up to two hours. |
access_key_2_exist | TRUE | Indicates whether the second AccessKey pair exists. Valid values: |
access_key_2_active | TRUE | Indicates whether the second AccessKey pair is active. Valid values: The value is |
access_key_2_last_rotated | 2019-11-11T12:50:18Z | The time at which the second AccessKey pair was created or last rotated. The value is |
access_key_2_last_used | 2019-11-13T12:50:18Z | The time at which the second AccessKey pair was last used. Note Last used data is available for actions since June 1, 2019, and can have a delay of up to two hours. |
A RAM user can have a maximum of two AccessKey pairs. For legacy reasons, some users may have more than two. These are listed at the end of the report with field names prefixed with additional_access_key_.
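The following added example (not part of the original documentation or any Alibaba Cloud tooling) shows one way to audit a downloaded report using the fields described above: it flags console passwords without MFA, active AccessKey pairs on the account row, and active keys that are stale or unused. The sample rows, the `FALSE` value, the treatment of `N/A` and `-` as "no timestamp", the 90-day thresholds, and the suffixes assumed for `additional_access_key_` columns are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not real data). Column names come from the field table;
# the FALSE, N/A and "-" values are assumptions about how empty states are written.
SAMPLE_REPORT = """\
user,user_creation_time,user_last_logon,password_exist,password_active,password_last_changed,password_next_rotation,mfa_active,access_key_1_exist,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used,access_key_2_exist,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used
<root>,2019-01-01T00:00:00Z,2024-05-01T08:00:00Z,TRUE,N/A,2019-01-01T00:00:00Z,N/A,TRUE,TRUE,TRUE,2019-01-01T00:00:00Z,2024-05-20T10:00:00Z,FALSE,N/A,N/A,N/A
alice@example.onaliyun.com,2023-02-01T09:00:00Z,2024-05-28T09:30:00Z,TRUE,TRUE,2024-04-01T09:00:00Z,2024-06-30T09:00:00Z,FALSE,FALSE,N/A,N/A,N/A,FALSE,N/A,N/A,N/A
bob@example.onaliyun.com,2023-03-01T09:00:00Z,-,FALSE,N/A,N/A,N/A,FALSE,TRUE,TRUE,2024-04-15T09:00:00Z,N/A,FALSE,N/A,N/A,N/A
carol@example.onaliyun.com,2023-04-01T09:00:00Z,2024-05-30T09:00:00Z,TRUE,TRUE,2024-05-01T09:00:00Z,2024-07-30T09:00:00Z,TRUE,TRUE,TRUE,2024-05-01T09:00:00Z,2024-05-30T12:00:00Z,FALSE,N/A,N/A,N/A
"""

def parse_ts(value):
    """Return an aware UTC datetime, or None for placeholders such as N/A or '-'."""
    try:
        return datetime.strptime((value or "").strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def audit(report_csv, now, max_key_age_days=90, max_idle_days=90):
    """Return (user, finding) tuples for credentials that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_exist"] == "TRUE" and row["mfa_active"] != "TRUE":
            findings.append((user, "console password set but MFA not enabled"))
        # Find key columns by suffix so additional_access_key_* columns are covered too
        # (assumes they use the same _active/_last_rotated/_last_used suffixes).
        for col in [c for c in row if c and "access_key" in c and c.endswith("_active")]:
            if row[col] != "TRUE":
                continue
            key = col[: -len("_active")]
            if user == "<root>":
                findings.append((user, f"{key}: active AccessKey pair on the account itself"))
            rotated = parse_ts(row.get(f"{key}_last_rotated"))
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"{key}: not rotated for {(now - rotated).days} days"))
            used = parse_ts(row.get(f"{key}_last_used"))
            if used is None or now - used > timedelta(days=max_idle_days):
                findings.append((user, f"{key}: active but no use recorded in {max_idle_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

Because last-used data can lag by up to two hours and is only recorded for actions since June 1, 2019, treat an "unused" finding as a prompt to confirm with the key owner before disabling the key.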