Resource Access Management (RAM) is a service provided by Alibaba Cloud. It allows you to manage user identities and resource access permissions.

Functions and features

RAM allows you to create and manage multiple identities for an Alibaba Cloud account, and grant multiple permissions to a single identity or a group of identities. This way, you can authorize different identities to access different Alibaba Cloud resources. RAM provides the following features:

  • You can manage RAM users and their passwords in a centralized manner. You can also manage each RAM user and its AccessKey pair, and bind multi-factor authentication (MFA) devices to RAM users.
  • You can manage the permissions of RAM users to access Alibaba Cloud resources.
  • You can manage resource access channels. This ensures that RAM users can access specific Alibaba Cloud resources by using secure channels at the specified time and from the specified IP addresses.
  • You can manage instances and data that are created by RAM users in a centralized manner. For an enterprise, RAM ensures that the instances and data that are created by RAM users are still available even if the users leave the enterprise.
  • You can use single sign-on (SSO) services. Alibaba Cloud provides two types of SSO service for identity providers (IdPs): user-based SSO and role-based SSO.


RAM allows you to create and manage RAM users for employees, systems, applications, and other identities, and to manage the permissions of those RAM users on Alibaba Cloud resources. When multiple users in your enterprise need to collaboratively manage cloud resources, RAM allows you to keep your Alibaba Cloud account and its password strictly confidential. RAM also allows you to grant each user only the minimum required permissions.
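The following added example (not part of the original RAM documentation) audits a RAM policy document against two points made above: minimum required permissions, and access restricted to a secure channel, a specified time, and specified IP addresses. The sample policy, bucket name, CIDR block, and function names are constructed for illustration; the condition keys `acs:SecureTransport`, `acs:SourceIp`, and `acs:CurrentTime` are standard RAM policy condition keys.

```python
import json

# Constructed sample policy in RAM policy syntax (bucket name and CIDR are placeholders).
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
   "Resource": "acs:oss:*:*:example-bucket/*",
   "Condition": {
     "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
     "Bool": {"acs:SecureTransport": ["true"]},
     "DateLessThan": {"acs:CurrentTime": ["2030-01-01T00:00:00+08:00"]}}},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}
]}
""")

# Condition keys for the channel restrictions: HTTPS only, source IP, time window.
CHANNEL_KEYS = ("acs:SecureTransport", "acs:SourceIp", "acs:CurrentTime")


def as_list(value):
    """Policy fields may hold a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_statement(stmt):
    """Return the findings for one statement; Deny statements are not audited."""
    if stmt.get("Effect") != "Allow":
        return []
    findings = []
    if any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action", []))):
        findings.append("wildcard action")
    if "*" in as_list(stmt.get("Resource", [])):
        findings.append("wildcard resource")
    # Collect every condition key in use, whatever the operator (IpAddress, Bool, ...).
    used = {key for op in stmt.get("Condition", {}).values() for key in op}
    findings += ["no %s condition" % k for k in CHANNEL_KEYS if k not in used]
    return findings


def audit_policy(policy):
    """Map statement index to findings, omitting statements with none."""
    audited = ((i, audit_statement(s)) for i, s in enumerate(as_list(policy.get("Statement", []))))
    return {i: f for i, f in audited if f}


if __name__ == "__main__":
    for index, findings in audit_policy(SAMPLE_POLICY).items():
        print("statement", index, "->", ", ".join(findings))
```

The first statement in the sample passes because it names specific OSS actions, scopes the resource to one bucket, and carries all three channel conditions. The second is flagged on every check.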

Common scenarios

| Scenario | Description |
| --- | --- |
| Use RAM to manage user permissions and resources | Enterprise A wants to migrate a project named Project-X to Alibaba Cloud. The enterprise has purchased several types of Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Several employees are required to manage these cloud resources. Employees require different permissions to fulfill their duties. |
| Use an STS token for authorizing a mobile app to access Alibaba Cloud resources | Enterprise A develops a mobile app and activates OSS. The mobile app runs on mobile devices. These mobile devices are not controlled by the enterprise. The enterprise must grant the necessary permissions to the mobile app. Then, the mobile app can upload data to and download data from OSS. |
| Use a RAM role to grant permissions across Alibaba Cloud accounts | Enterprise A purchases multiple types of Alibaba Cloud resources, such as ECS instances, ApsaraDB RDS instances, SLB instances, and OSS buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A. |
| Use RAM for authorizing applications to access Alibaba Cloud resources | Enterprise A purchases ECS instances and wants to deploy its applications on these ECS instances. The applications need to use AccessKey pairs to call the operations of other Alibaba Cloud services. |

Learning path

You can use the RAM learning path to learn more about RAM and basic operations. You can also perform custom development by using diverse API operations, SDKs, and other easy-to-use tools.