After you invite an Alibaba Cloud account to join your resource directory and the owner of the Alibaba Cloud account accepts the invitation, the Alibaba Cloud account becomes a member of the cloud account type in the resource directory. By default, the root user of an Alibaba Cloud account is enabled and has full permissions. If the account and password of the root user are leaked, irreparable losses will occur. For security purposes, we recommend that you switch the cloud account to a resource account.
- A RAM user or RAM role is created within the management account of your resource directory, and the AliyunResourceDirectoryFullAccess policy is attached to the RAM user or RAM role. You must use such a RAM user or RAM role to perform operations described in this topic. This ensures that the system can record the operators of management operations.
- The cloud account that you want to switch to a resource account must meet the following requirements:
  - The real-name information of the cloud account is the same as that of the management account of the resource directory.
  - Security information, such as a mobile phone number or an email address, is specified for the cloud account.
  - The cloud account does not have AccessKey pairs in use.
    If the cloud account has an AccessKey pair in use, go to the AccessKey Management page to disable the AccessKey pair.
- Log on to the Resource Management console.
- In the left-side navigation pane, choose .
- Click the Organization or Members tab.
- Find the cloud account that you want to switch and click Switch to Resource Account in the Actions column.
- In the Switch to Resource Account dialog box, read the risk warning, select the risk warning check box, and then click OK.
- In the Security Verification dialog box, click Get verification code to obtain a verification code, enter the verification code in the Verification code field, and then click OK.
After the cloud account is switched to a resource account, you cannot use the root user of the resource account to log on to the Alibaba Cloud Management Console. You can use the management account of the resource directory to create a RAM user and grant the RAM user the minimum required permissions to access the member.