
Resource Access Management: Get a credential report

Last Updated: Jun 04, 2026

RAM lets you generate and download a credential report that lists the status of console logon passwords, AccessKey pairs, and MFA devices for your Alibaba Cloud account and RAM users. Use the report for compliance auditing.

Limitations

You cannot generate a credential report if you have more than 3,500 RAM users.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, click Overview.

  3. On the Overview tab, click Download Credential Report.

  4. After the credential report is generated, click Download to save the report.

    Note

    Generation time depends on the number of RAM users. If it takes too long, click Download Later to download the most recent report. A new report in CSV format can be generated once every four hours. A request made within four hours of the last generation returns the existing report.

Report contents

The report contains the following fields.

| Field | Example value | Description |
| --- | --- | --- |
| user | username@company-alias.onaliyun.com | The username. The first row represents the Alibaba Cloud account, shown as <root>. RAM user rows use UPN format. |
| user_creation_time | 2019-11-11T12:33:18Z | When the RAM user was created. Note: Times are in ISO 8601 format (UTC): YYYY-MM-DDThh:mm:ssZ. |
| user_last_logon | 2019-11-11T12:45:18Z | When the RAM user last logged on to the console. Note: RAM users can log on with a password or user SSO. Shows a hyphen (-) if the user has never logged on. |
| password_exist | TRUE | Whether a console password exists. The value is TRUE or FALSE. For a RAM user, the value depends on whether a logon profile is configured. For an Alibaba Cloud account, the value is always TRUE. Note: For resource accounts created in Resource Directory, password information is retrievable but not usable. Create a member. |
| password_active | N/A | Whether the console password is active. The value can be TRUE, FALSE, or N/A. The value is N/A if the RAM user does not have a logon profile. For an Alibaba Cloud account, the value is always N/A. |
| password_last_changed | 2019-11-11T12:50:18Z | When the password was last changed. The value is N/A if the RAM user does not have a logon profile. Note: RAM tracks data only from April 5, 2016. Passwords changed before this date show N/A. For Alibaba Cloud accounts, this value may be delayed up to 24 hours after a change. |
| password_next_rotation | 2019-11-13T12:50:18Z | When the next password change is required. If the password policy is set so that passwords never expire, this value is a hyphen (-). The value is N/A if the RAM user does not have a logon profile. For an Alibaba Cloud account, the value is always N/A. |
| mfa_active | TRUE | Whether MFA is enabled. The value can be TRUE, FALSE, or N/A. The value is N/A if the RAM user does not have a logon profile. |
| access_key_1_exist | TRUE | Whether the first access key exists. The value is TRUE or FALSE. |
| access_key_1_active | TRUE | Whether the first access key is active. The value can be TRUE, FALSE, or N/A. The value is N/A if the access key does not exist. |
| access_key_1_last_rotated | 2019-11-11T12:50:18Z | When the first access key was created or last changed. The value is N/A if the access key does not exist. |
| access_key_1_last_used | 2019-11-13T12:50:18Z | When the first access key was last used. Shows a hyphen (-) if unused since tracking began. The value is N/A if the access key does not exist. Note: Access key usage tracking started on June 1, 2019. This value may be delayed up to 2 hours. |
| access_key_2_exist | TRUE | Whether the second access key exists. The value is TRUE or FALSE. |
| access_key_2_active | TRUE | Whether the second access key is active. The value can be TRUE, FALSE, or N/A. The value is N/A if the second access key does not exist. |
| access_key_2_last_rotated | 2019-11-11T12:50:18Z | When the second access key was created or last changed. The value is N/A if the second access key does not exist. |
| access_key_2_last_used | 2019-11-13T12:50:18Z | When the second access key was last used. Shows a hyphen (-) if unused since tracking began. The value is N/A if the second access key does not exist. Note: Access key usage tracking started on June 1, 2019. This value may be delayed up to 2 hours. |

Note

Each RAM user can have up to two access keys. Legacy users may have more, listed at the end of the CSV file with the prefix additional_access_key_.
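
The following is an added example, not part of the original documentation or any Alibaba Cloud tooling: a small audit pass over a downloaded report that respects the N/A and hyphen placeholders described above. The 90-day key age threshold, the finding texts, and the sample rows are assumptions constructed for illustration, and the legacy additional_access_key_ columns are not examined.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed audit threshold, not a RAM default

# Constructed sample report; column names are the fields documented above.
SAMPLE = """\
user,user_creation_time,user_last_logon,password_exist,password_active,password_last_changed,password_next_rotation,mfa_active,access_key_1_exist,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used,access_key_2_exist,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used
<root>,2019-11-11T12:33:18Z,2024-05-20T09:00:00Z,TRUE,N/A,2024-01-10T08:00:00Z,N/A,TRUE,FALSE,N/A,N/A,N/A,FALSE,N/A,N/A,N/A
alice@example.onaliyun.com,2022-03-01T10:00:00Z,2024-05-30T11:00:00Z,TRUE,TRUE,2024-04-01T10:00:00Z,-,FALSE,TRUE,TRUE,2023-01-01T00:00:00Z,2024-05-30T00:00:00Z,FALSE,N/A,N/A,N/A
ci-bot@example.onaliyun.com,2023-06-01T10:00:00Z,-,FALSE,N/A,N/A,N/A,N/A,TRUE,TRUE,2024-05-01T00:00:00Z,-,TRUE,FALSE,2022-01-01T00:00:00Z,2022-06-01T00:00:00Z
"""

def parse_time(value):
    """Return an aware UTC datetime, or None for the 'N/A' and '-' placeholders."""
    if value in ("N/A", "-", ""):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(report_csv, now):
    """Return (user, finding) pairs for one credential report given as CSV text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # mfa_active is N/A without a logon profile, so only FALSE is a finding.
        if row["password_exist"] == "TRUE" and row["mfa_active"] == "FALSE":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            prefix = f"access_key_{n}_"
            if row[prefix + "active"] != "TRUE":
                continue  # FALSE = disabled key, N/A = key does not exist
            rotated = parse_time(row[prefix + "last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            if row[prefix + "last_used"] == "-":
                findings.append((user, f"access key {n} active with no recorded use"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```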