RAM lets you generate and download a credential report that lists the status of console logon passwords, AccessKey pairs, and MFA devices for your Alibaba Cloud account and RAM users. Use the report for compliance auditing.
Limitations
You cannot generate a credential report if you have more than 3,500 RAM users.
Procedure
-
Log on to the RAM console as a RAM administrator.
-
In the left-side navigation pane, click Overview.
-
On the Overview tab, click Download Credential Report.
-
After the credential report is generated, click Download to save the report.
NoteGeneration time depends on the number of RAM users. If it takes too long, click Download Later to download the most recent report. Reports can be generated in CSV format every four hours. Requests within four hours return the existing report.
Report contents
The report contains the following fields.
|
Field |
Example value |
Description |
|
user |
username@company-alias.onaliyun.com |
The username. The first row represents the Alibaba Cloud account, shown as |
|
user_creation_time |
2019-11-11T12:33:18Z |
When the RAM user was created. Note
Times are in ISO 8601 format (UTC): YYYY-MM-DDThh:mm:ssZ. |
|
user_last_logon |
2019-11-11T12:45:18Z |
When the RAM user last logged on to the console. Note
RAM users can log on with a password or user SSO. Shows a hyphen ( |
|
password_exist |
TRUE |
Whether a console password exists. The value is
Note
For resource accounts created in Resource Directory, password information is retrievable but not usable. Create a member. |
|
password_active |
N/A |
Whether the console password is active. The value can be
|
|
password_last_changed |
2019-11-11T12:50:18Z |
When the password was last changed. The value is Note
RAM tracks data only from April 5, 2016. Passwords changed before this date show |
|
password_next_rotation |
2019-11-13T12:50:18Z |
When the next password change is required.
|
|
mfa_active |
TRUE |
Whether MFA is enabled. The value can be |
|
access_key_1_exist |
TRUE |
Whether the first access key exists. The value is |
|
access_key_1_active |
TRUE |
Whether the first access key is active. The value can be |
|
access_key_1_last_rotated |
2019-11-11T12:50:18Z |
When the first access key was created or last changed. The value is |
|
access_key_1_last_used |
2019-11-13T12:50:18Z |
When the first access key was last used.
Note
Access key usage tracking started on June 1, 2019. This value may be delayed up to 2 hours. |
|
access_key_2_exist |
TRUE |
Whether the second access key exists. The value is |
|
access_key_2_active |
TRUE |
Whether the second access key is active. The value can be |
|
access_key_2_last_rotated |
2019-11-11T12:50:18Z |
When the second access key was created or last changed. The value is |
|
access_key_2_last_used |
2019-11-13T12:50:18Z |
When the second access key was last used.
Note
Access key usage tracking started on June 1, 2019. This value may be delayed up to 2 hours. |
Each RAM user can have up to two access keys. Legacy users may have more, listed at the end of the CSV file with the prefix additional_access_key_.