After you create a member in a resource directory or invite an Alibaba Cloud account to join a resource directory as a member, you can use the RAM role, RAM user, or root user of the member to log on to the Alibaba Cloud Management Console. For security purposes, we recommend that you use the RAM role or RAM user of a member, instead of the root user of a member, to log on to the Alibaba Cloud Management Console.

Logon methods

If you create a member in a resource directory, the member is of the resource account type. The member has a username but no password, so you can use only Method 1 or Method 2 described in this section to log on to the Alibaba Cloud Management Console with the member.

If you invite an Alibaba Cloud account to join a resource directory as a member, the member is of the cloud account type. The member has a root user with a username and a password, so you can use any of the methods described in this section to log on to the Alibaba Cloud Management Console with the member. Method 3 is not recommended.

  • Method 1: Use a RAM user that belongs to the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console

    The system automatically creates a RAM role named ResourceDirectoryAccountAccessRole for each member in a resource directory. The trusted entity of the RAM role is the management account of the resource directory, so the management account can assume the RAM role of a member and log on to the Alibaba Cloud Management Console. However, for security purposes, you cannot use the root user of the management account to assume the RAM role of a member. Instead, create a RAM user that belongs to the management account and grant administrative permissions to the RAM user. Then, use the RAM user to assume the RAM role ResourceDirectoryAccountAccessRole of the member and log on to the Alibaba Cloud Management Console.

    For more information about how to use a RAM role to log on to the Alibaba Cloud Management Console, see Use a RAM role to log on to the Alibaba Cloud Management Console.

  • Method 2: Log on to the Alibaba Cloud Management Console as the RAM user created for a member

    After you use a RAM user that belongs to the management account of a resource directory to assume the RAM role of a member and log on to the Alibaba Cloud Management Console, you can create a RAM user for the member and grant the required permissions to the RAM user. Then, you can log on to the Alibaba Cloud Management Console as the RAM user created for the member.

    For more information about how to log on to the Alibaba Cloud Management Console as a RAM user, see Log on to the Alibaba Cloud Management Console as a RAM user.

  • Method 3: Log on to the Alibaba Cloud Management Console as the root user of a member

    If you want to use a member of the cloud account type in a resource directory to log on to the Alibaba Cloud Management Console, you can use the username and password of the root user of the member. However, for security purposes, we recommend that you do not use this method.

    For more information about how to log on to the Alibaba Cloud Management Console as the root user of a member, see Log on to the Alibaba Cloud Management Console as the root user of a member.
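Method 1 depends on the trust policy of ResourceDirectoryAccountAccessRole naming only the management account. The following check is an added example, not part of the original documentation: it audits a role's trust policy document for any other trusted principal. The account IDs and both policy documents are constructed samples, and the function name is hypothetical.

```python
import json

# Constructed sample data: account IDs and policy documents are made up.
MANAGEMENT_ACCOUNT_ID = "1111111111111111"

EXPECTED_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"RAM": ["acs:ram::1111111111111111:root"]}}]}
""")

DRIFTED_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"RAM": ["acs:ram::1111111111111111:root",
                        "acs:ram::2222222222222222:root"],
                "Service": ["ecs.aliyuncs.com"]}}]}
""")


def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_trust_policy(policy, management_account_id):
    """List every trusted principal that is not the management account."""
    expected = f"acs:ram::{management_account_id}:root"
    findings, trusted_mgmt = [], False
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                if kind == "RAM" and principal == expected:
                    trusted_mgmt = True
                else:
                    findings.append(f"unexpected {kind} principal: {principal}")
    if not trusted_mgmt:
        findings.append("management account is not a trusted entity")
    return findings


if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, audit_trust_policy(doc, MANAGEMENT_ACCOUNT_ID) or "OK")
```

Run the check against the trust policy of each member's role; any finding means an entity other than the management account can assume the role and should be reviewed.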

Use a RAM role to log on to the Alibaba Cloud Management Console

  1. Use the management account of a resource directory to create a RAM user and grant the required permissions to the RAM user.
    1. Use the management account of a resource directory to log on to the Resource Access Management (RAM) console.
    2. Create a RAM user.
      In this example, the RAM user named Alice is created. For more information, see Create a RAM user.
    3. Grant permissions to RAM user Alice.

      You must attach the following policies to RAM user Alice:

      • AliyunSTSAssumeRoleAccess: defines the permissions to call the AssumeRole operation of Security Token Service (STS).
      • AliyunResourceDirectoryFullAccess: defines the permissions to manage a resource directory.
      Note: If you want to use RAM user Alice as an administrator, you can attach the AdministratorAccess policy to RAM user Alice.

      For more information, see Grant permissions to the RAM user.

  2. Use RAM user Alice to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console.
    1. Log on to the Resource Management console as RAM user Alice.
    2. In the left-side navigation pane, choose Resource Directory > Overview.
    3. On the Resource Directory page, click the Organization or Members tab.
    4. Find the member that you want to access and click Logon Account in the Actions column.

      Then, you can perform the operations that are defined for the RAM role ResourceDirectoryAccountAccessRole in the Alibaba Cloud Management Console.

Log on to the Alibaba Cloud Management Console as a RAM user

  1. Use a RAM user that belongs to the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console.
  2. Create a RAM user for the member.
    In this example, the RAM user Tom is created. For more information, see Create a RAM user.
  3. Grant permissions to the RAM user Tom.
    If you want to access all the resources of a member, grant the AdministratorAccess permission to Tom. In other cases, grant permissions to the RAM user Tom based on your business requirements. For more information, see Grant permissions to the RAM user.
  4. Log on to the Alibaba Cloud Management Console as the RAM user Tom.

Log on to the Alibaba Cloud Management Console as the root user of a member

  1. Log on to the Alibaba Cloud Management Console.
    Note: If you have logged on to the Alibaba Cloud Management Console by using another account, log off from the console first.
  2. Enter the username and password of the root user of the desired member in a resource directory.
  3. Click Sign in.