A user credential report contains the details of your Alibaba Cloud account and Resource Access Management (RAM) users. The details include logon passwords, AccessKey pairs, and multi-factor authentication (MFA) devices. User credential reports can be generated and downloaded in the RAM console. You can use the user credential reports for compliance checks and auditing.
Procedure
Result
The following table describes the fields that are included in the user credential report.
Field | Example | Description |
---|---|---|
user | username@company-alias.onaliyun.com | The usernames of the Alibaba Cloud account and the RAM users. The value in the first row of the CSV file is <root>, which indicates the Alibaba Cloud account. The values in the remaining rows are the usernames of the RAM users within your Alibaba Cloud account, and the values are in the User Principal Name (UPN) format. |
user_creation_time | 2019-11-11T12:33:18Z | The time at which the RAM users were created. Note: The time follows the ISO 8601 standard in the YYYY-MM-DDThh:mm:ssZ format. The time is displayed in UTC. |
user_last_logon | 2019-11-11T12:45:18Z | The time at which the RAM users last logged on to the RAM console. Note: The RAM users may log on to the RAM console by using passwords or single sign-on (SSO). If a RAM user has never logged on to the RAM console, the value of this field is a hyphen (-). |
password_exist | TRUE | Indicates whether a password for logging on to the RAM console is available. Valid values: TRUE and FALSE. Note: If you use a resource account that is created on the Resource Directory page of the Resource Management console, you can view the password. However, the password cannot be used to log on to the RAM console. |
password_active | N/A | Indicates whether a password is active. Valid values: TRUE, FALSE, and N/A. |
password_last_changed | 2019-11-11T12:50:18Z | The time at which a password was last changed. If the logon configurations for a RAM user are unavailable, the value for the RAM user is N/A. Note: RAM records the changes that were made after April 5, 2016. If a password was changed on this date or earlier, the value for this field is N/A. The user credential report may not include the changes that were made in an interval leading up to the report generation time. The interval is about 24 hours, but the actual time may vary based on the scenario. |
password_next_rotation | 2019-11-13T12:50:18Z | The time at which a new password must be configured in compliance with the password rotation policy. |
mfa_active | TRUE | Indicates whether an MFA device is enabled. Valid values: TRUE, FALSE, and N/A. If the logon configurations for a RAM user are unavailable, the value for the RAM user is N/A. |
access_key_1_exist | TRUE | Indicates whether the first AccessKey pair exists. Valid values: TRUE and FALSE. |
access_key_1_active | TRUE | Indicates whether the first AccessKey pair is active. Valid values: TRUE, FALSE, and N/A. If no AccessKey pairs are created, the value is N/A. |
access_key_1_last_rotated | 2019-11-11T12:50:18Z | The time at which the first AccessKey pair was created or last changed. If no AccessKey pairs are created, the value is N/A. |
access_key_1_last_used | 2019-11-13T12:50:18Z | The time at which the first AccessKey pair was last used. Note: RAM started to track the last usage time of AccessKey pairs from June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario. |
access_key_2_exist | TRUE | Indicates whether the second AccessKey pair exists. Valid values: TRUE and FALSE. |
access_key_2_active | TRUE | Indicates whether the second AccessKey pair is active. Valid values: TRUE, FALSE, and N/A. If no AccessKey pairs are created, the value is N/A. |
access_key_2_last_rotated | 2019-11-11T12:50:18Z | The time at which the second AccessKey pair was created or last changed. If no AccessKey pairs are created, the value is N/A. |
access_key_2_last_used | 2019-11-13T12:50:18Z | The time at which the second AccessKey pair was last used. Note: RAM started to track the last usage time of AccessKey pairs from June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario. |

Note: A maximum of two AccessKey pairs can be created for each Alibaba Cloud account or RAM user in the RAM console. Before this limit took effect, more than two AccessKey pairs could be created. Therefore, an Alibaba Cloud account or a RAM user may have more than two AccessKey pairs. The information about the additional AccessKey pairs is listed in the last columns of the CSV file. The names of these columns start with additional_access_key_.
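
The following is an added example, not part of the original documentation or any Alibaba Cloud tooling: a Python audit of a downloaded report that uses the fields above to flag console passwords without MFA, active AccessKey pairs on the Alibaba Cloud account, stale keys, and keys with no recorded use. The 90-day threshold, the finding names, the rule against account-level keys, the treatment of `TRUE` in `additional_access_key_` columns, and the sample rows are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy, not from the page
HEADER = ("user,user_creation_time,user_last_logon,password_exist,password_active,"
          "password_last_changed,password_next_rotation,mfa_active,"
          "access_key_1_exist,access_key_1_active,access_key_1_last_rotated,"
          "access_key_1_last_used,access_key_2_exist,access_key_2_active,"
          "access_key_2_last_rotated,access_key_2_last_used")
# Constructed sample rows (not real accounts); columns follow the field table above.
SAMPLE = "\n".join([HEADER,
    "<root>,2019-01-01T00:00:00Z,2019-11-11T12:45:18Z,TRUE,TRUE,N/A,N/A,TRUE,TRUE,TRUE,2019-11-01T00:00:00Z,2019-11-10T00:00:00Z,FALSE,N/A,N/A,N/A",
    "alice@example.onaliyun.com,2019-03-01T00:00:00Z,2019-11-12T08:00:00Z,TRUE,TRUE,2019-10-01T00:00:00Z,2020-01-01T00:00:00Z,FALSE,TRUE,TRUE,2019-03-01T00:00:00Z,2019-11-12T09:00:00Z,FALSE,N/A,N/A,N/A",
    "ci-bot@example.onaliyun.com,2019-10-20T00:00:00Z,-,FALSE,N/A,N/A,N/A,N/A,TRUE,TRUE,2019-10-20T00:00:00Z,N/A,TRUE,FALSE,2019-10-20T00:00:00Z,N/A",
])

def parse_time(value):
    """Parse the report's UTC timestamp; '-', 'N/A' and blanks give None."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def audit(report_text, now):
    """Return (user, finding) tuples for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        if row.get("password_active") == "TRUE" and row.get("mfa_active") == "FALSE":
            findings.append((user, "password-without-mfa"))
        for n in ("1", "2"):
            key = f"access_key_{n}_"
            if row.get(key + "active") != "TRUE":
                continue  # FALSE or N/A: no usable key to assess
            if user == "<root>":  # first row is the Alibaba Cloud account itself
                findings.append((user, f"account-key-{n}-active"))
            rotated = parse_time(row.get(key + "last_rotated"))
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"key-{n}-stale"))
            if parse_time(row.get(key + "last_used")) is None:
                findings.append((user, f"key-{n}-no-recorded-use"))
        # The page gives only the column prefix; reading TRUE as "present" is an assumption.
        if any(k and k.startswith("additional_access_key_") and v == "TRUE" for k, v in row.items()):
            findings.append((user, "more-than-two-keys"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, datetime(2019, 11, 13, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

Because last-used data can lag report generation by about two hours and is only tracked from June 1, 2019, a `no-recorded-use` finding is a prompt to review the key, not proof that it is idle.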