You can use an Alibaba Cloud account to purchase Realtime Compute for Apache Flink and create projects. You can also use the Alibaba Cloud account to authorize Resource Access Management (RAM) users to access Realtime Compute for Apache Flink projects that are created by the Alibaba Cloud account. This topic describes how to create a RAM user and authorize the RAM user to access Realtime Compute for Apache Flink.

What is a RAM user?

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:

  • A RAM user can be created by an Alibaba Cloud account. In this case, the RAM user belongs to the Alibaba Cloud account. A RAM user can also be created by a RAM user or a RAM role that has administrative rights. In this case, the RAM user belongs to the Alibaba Cloud account that creates the RAM user or the RAM role.
  • A RAM user does not own resources. Resource usage fees of the RAM user are billed to the Alibaba Cloud account to which the RAM user belongs. A RAM user does not receive individual bills and cannot make payments.
  • Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After RAM users are authorized, the RAM users can access resources that are owned by the Alibaba Cloud accounts.
  • RAM users have independent passwords or AccessKey pairs for logon.
  • An Alibaba Cloud account can create multiple RAM users. RAM users can be employees, systems, and applications within an enterprise.

You can create RAM users and authorize the RAM users to access different resources. If multiple users in your enterprise need to access resources at the same time, you can use RAM to grant each user only the least permissions that the user requires. This way, the users do not share the username and password or AccessKey pair of an Alibaba Cloud account, which reduces security risks.

Procedure

  1. Create a RAM user.
    For more information about how to create a RAM user, see Create a RAM user.
    Note
    • You must initialize RAM when you use RAM for the first time. For more information, see Configure a password policy for RAM users and Configure security policies for RAM users.
    • To ensure account security, Realtime Compute for Apache Flink provides the account verification feature. If you do not manage a job for a long period of time, the system sends a text message and an email to you for account verification.
  2. Create a custom policy.
    For more information about how to create a custom policy in the RAM console, see Create a custom policy. The following code shows a policy of Realtime Compute for Apache Flink:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "stream:*",
          "Resource": "acs:stream:*:*:*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "acs:ram:*:*:*",
          "Effect": "Allow"
        }
      ]
    }
    Note: The policy of Realtime Compute for Apache Flink allows you to grant permissions on different projects to different RAM users. To authorize a RAM user to access a single project, change Resource in the preceding code to "Resource":"acs:stream:*:*:projectname", where projectname is the name of the project that you want to authorize the RAM user to access.
  3. Authorize RAM users or user groups.

    Attach the preceding policy to specified RAM users or RAM user groups. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

  4. Use the credentials of a RAM user to log on to the Realtime Compute for Apache Flink console.

    In the left-side navigation pane of the RAM console, click Overview and view the logon address of the RAM user in the Account Management section.
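
The project scoping described in the note under step 2, as an added example that is not part of the original documentation: it rewrites the step 2 policy so that stream:* applies only to named projects, then lists any Allow statement that still ends in a wildcard resource. The function names are hypothetical, and the check on project names assumes that names never contain "*", "?" or ":".

```python
import copy
import json

# Policy from step 2 of the procedure, reproduced unchanged.
BASE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "stream:*", "Resource": "acs:stream:*:*:*", "Effect": "Allow"},
        {"Action": "ram:PassRole", "Resource": "acs:ram:*:*:*", "Effect": "Allow"},
    ],
}


def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def scope_to_projects(policy, projects):
    """Return a copy whose stream statements cover only the named projects."""
    if not projects:
        raise ValueError("at least one project name is required")
    for name in projects:
        # Assumption: valid names never contain wildcards or the ARN separator.
        if not name or any(ch in name for ch in "*?:"):
            raise ValueError(f"unsafe project name: {name!r}")
    arns = [f"acs:stream:*:*:{name}" for name in projects]
    scoped = copy.deepcopy(policy)  # never mutate the caller's policy
    for stmt in scoped["Statement"]:
        if any(a.startswith("stream:") for a in _as_list(stmt["Action"])):
            stmt["Resource"] = arns[0] if len(arns) == 1 else arns
    return scoped


def unscoped_allows(policy):
    """List (action, resource) pairs in Allow statements ending in '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt["Resource"]):
            if res == "*" or res.rsplit(":", 1)[-1] == "*":
                findings.extend((a, res) for a in _as_list(stmt["Action"]))
    return findings


if __name__ == "__main__":
    scoped = scope_to_projects(BASE_POLICY, ["projectname"])
    print(json.dumps(scoped, indent=2))
    print("still unscoped:", unscoped_allows(scoped))
```

After scoping, the ram:PassRole statement is still reported because the page gives no narrower resource for it; review that statement separately before attaching the policy.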