After you create a member in a resource directory or invite an Alibaba Cloud account to join a resource directory as a member, you can use the methods described in this topic to enable the member to log on to the Alibaba Cloud Management Console.
Logon methods
Logon method | Description | Applies To |
An identity (such as a RAM user) in the management account temporarily assumes the ResourceDirectoryAccountAccessRole in a member account to gain access. This method provides centralized access control without managing separate credentials for each member account. To do this, you can use a RAM user within the management account, grant it the necessary permissions, and use that user to assume the ResourceDirectoryAccountAccessRole of a member. |
| |
After gaining initial access to a member account (for example, by assuming a role), you can create a dedicated RAM user within that member account for direct logon. | ||
For members that are cloud accounts, you can use the usernames and logon passwords of the Alibaba Cloud accounts to log on directly to the console. | Alibaba Cloud accounts that are invited to join a resource directory. These members are cloud accounts. | |
CloudSSO provides centralized identity management and access control for multiple accounts in a resource directory. After you enable CloudSSO and grant permissions to a member in the resource directory, a CloudSSO user can log on to the CloudSSO user portal. The user can then access the member's resources based on the access configuration. | CloudSSO users |
Procedure
Log on as a RAM role
Create and grant permissions to a RAM user in the management account.
Log on to the RAM console with a management account.
Create a RAM user.
In this example, the RAM username is Alice. For more information, see Create a RAM user.
Grant permissions to the RAM user (Alice).
You must attach the following policies to the RAM user (Alice):
AliyunSTSAssumeRoleAccess: The permission to call the AssumeRole operation of Security Token Service (STS).
AliyunResourceDirectoryFullAccess: The permission to manage Resource Directory.
NoteIf the RAM user (Alice) is used as an account administrator, you can directly grant the AdministratorAccess permission. This is a high-risk permission. Grant it with caution.
For more information, see Grant permissions to a RAM user.
Use the RAM user (Alice) to log on to the member account by assuming a RAM role.
Log on to the Resource Management console as the RAM user (Alice).
In the left-side navigation pane, choose .
In the Resource Organization View or Member List View, find the member that you want to log on to and click Log On in the Actions column.
After you log on, the management account's RAM user (Alice) assumes the target member's RAM role (ResourceDirectoryAccountAccessRole). The user can then perform operations that are within the scope of this role.
Log on as a RAM user
Log on to the member account by assuming a RAM role from the management account.
For more information, see Log on as a RAM role.
Create a RAM user within the member account.
In this example, the RAM username is Tom. For more information, see Create a RAM user.
Grant permissions to the RAM user (Tom).
You must follow the principle of least privilege to grant the RAM user (Tom) permissions to access specific cloud resources. For more information, see Grant permissions to a RAM user.
Log on as the RAM user (Tom).
For more information, see Log on as a RAM user.
Log on with an Alibaba Cloud account (not recommended)
For security reasons, we do not recommend logging on with an Alibaba Cloud.
Go to the Sign In page.
Enter the username and password of the Alibaba Cloud account.
Click Sign in.
Log on as a CloudSSO user
You can configure the relevant settings in CloudSSO. For more information, see Use CloudSSO to centrally manage the identities and permissions of multiple accounts. Then, you can log on as the CloudSSO user. For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.