You can use Resource Access Management (RAM) to manage permissions separately from your main Alibaba Cloud account. Granting the least privilege to RAM users helps you avoid exposing your account's AccessKey pair and reduces security risks. This topic describes how to create a RAM user for an Alibaba Cloud account and grant the required permissions to the user.
Applicable scenarios
An enterprise, Enterprise A, wants to allow some of its employees to handle routine O&M tasks. In this case, Enterprise A can create RAM users and grant them the required permissions. The employees can then log on to the SAE console as RAM users. SAE allows Enterprise A to use RAM users to manage permissions. Enterprise A can also manage which consoles the RAM users are permitted to log on to. The following are common scenarios:
For security purposes, Enterprise A does not want to expose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A creates separate RAM users for its employees and grants different permissions to each user.
RAM users can manage resources only after they are granted permissions. Resource usage is not billed to individual RAM users. All expenses are charged to Enterprise A's Alibaba Cloud account.
Enterprise A can revoke the permissions of RAM users or delete RAM users at any time.
Step 1: Create a RAM user
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.

In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. Adding tags helps you categorize and manage RAM users.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
For enhanced security, we recommend that you create separate RAM users for individuals and for applications, and select only one access mode for each user so that the two kinds of identity stay separate.
Console access
For users who are individuals, we recommend enabling Console Access. This allows them to sign in to the Alibaba Cloud Management Console with a username and password. If you select Console Access, you must configure the following parameters:
Set Logon Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: specifies whether the RAM user must reset the password at the next logon.
Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.
Programmatic access
For users that represent applications, enable Using permanent AccessKey to access for the RAM user. The system will generate a permanent AccessKey ID and AccessKey Secret for API calls. For more information, see Obtain an AccessKey pair.
Important: The AccessKey Secret is displayed only once, when it is created, and cannot be retrieved later. Save it in a secure location.
An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.
Click OK.
Step 2: Grant permissions to the RAM user
After you grant permissions to a RAM user, the user can access the corresponding Alibaba Cloud resources. This section uses the Users page to demonstrate how to grant permissions. For more information about other ways to grant permissions, see Grant permissions to a RAM user.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to whom you want to grant permissions. The RAM user you selected on the Users page is filled in automatically.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
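The following is an added example, not Alibaba Cloud's own code, of the pre-check a practitioner would run before the Grant permissions step: it validates the logon name rule from Step 1 and audits the policies about to be attached, flagging the high-risk system policies the page names and any custom policy statement that allows every action or every action of a service. The custom policy documents, the policy name AliyunSAEReadOnlyAccess, and the sae: action names are constructed or assumed for illustration; only the RAM policy document shape (Version, Statement, Effect, Action, Resource) and the two high-risk policy names come from the page or from the RAM policy format.

```python
"""Least-privilege pre-check for a RAM user authorization request (added example)."""
import json
import re

# System policies the page names as high-risk. Extend with your own list.
HIGH_RISK_SYSTEM_POLICIES = {"AdministratorAccess", "AliyunRAMFullAccess"}

# Logon name rule from Step 1: up to 64 characters; letters, digits, '.', '-', '_'.
LOGON_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_logon_name(name: str) -> bool:
    """Return True if the logon name satisfies the RAM logon name rule."""
    return bool(LOGON_NAME_RE.match(name))


def _as_list(value):
    """RAM policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_custom_policy(policy_document: str) -> list:
    """Return findings for Allow statements that are broader than least privilege.

    Flags: Action '*' (every API operation), '<service>:*' (full access to a
    service), and Resource '*' combined with either of those.
    """
    findings = []
    doc = json.loads(policy_document)
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if "*" in actions:
            findings.append(f"statement {index}: Action '*' allows every API operation")
        for action in broad_actions:
            if action != "*":
                findings.append(f"statement {index}: {action} grants full access to a service")
        if broad_actions and "*" in resources:
            findings.append(f"statement {index}: broad actions on Resource '*'")
    return findings


def audit_grant(system_policies, custom_policies) -> list:
    """Audit one Grant Permission request.

    system_policies: iterable of system policy names to attach.
    custom_policies: mapping of custom policy name -> policy document (JSON string).
    Returns a list of human-readable findings; an empty list means nothing was flagged.
    """
    findings = []
    for name in system_policies:
        if name in HIGH_RISK_SYSTEM_POLICIES:
            findings.append(f"system policy {name} is high-risk")
    for name, document in custom_policies.items():
        findings.extend(f"{name}: {f}" for f in audit_custom_policy(document))
    return findings


# Constructed sample input: a read-only custom policy and an over-broad one.
SAE_READONLY_DOC = json.dumps({
    "Version": "1",
    "Statement": [
        # sae:Describe* / sae:List* are assumed action names used for illustration
        {"Effect": "Allow", "Action": ["sae:Describe*", "sae:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})
TOO_BROAD_DOC = json.dumps({
    "Version": "1",
    "Statement": {"Effect": "Allow", "Action": ["sae:*", "*"], "Resource": "*"},
})


if __name__ == "__main__":
    print("logon name ok:", validate_logon_name("ops-user.01"))
    # AliyunSAEReadOnlyAccess is an assumed system policy name for the example.
    for finding in audit_grant(["AliyunSAEReadOnlyAccess", "AdministratorAccess"],
                               {"sae-readonly": SAE_READONLY_DOC, "too-broad": TOO_BROAD_DOC}):
        print("FLAG:", finding)
```

Run this over the policy set you intend to attach; an empty findings list is the expected result for a least-privilege grant, and every finding should be justified before the user receives the permission.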
Click Grant permissions.
Click Close.
What to do next
The employees of Enterprise A can use one of the following methods to access SAE as RAM users.
Method 1: Use the console.
Go to the RAM user logon portal.
On the Log On With RAM User page, enter the username of the RAM user, click Next, enter the password, and then click Log On.
Note: The logon name of a RAM user is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the account alias. If you do not set an account alias, the ID of your Alibaba Cloud account is used by default. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
In the search box at the top of the Alibaba Cloud Management Console, enter Serverless App Engine and click the service to go to the SAE console.
Method 2: Call an API.
Use the AccessKey ID and AccessKey Secret of the RAM user in your code to call API operations and access SAE. Do not hard-code the pair in source; load it from a secure location, and prefer an STS token where possible, as described in Step 1.
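The following is an added example, not Alibaba Cloud's own code or SDK, of how application code can consume the RAM user's credential without embedding it in source. It reads the credential from environment variables, distinguishes a temporary STS credential from a permanent AccessKey pair, and produces a redacted form safe to write to logs. The environment variable names ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET and ALIBABA_CLOUD_SECURITY_TOKEN, and the convention that STS AccessKey IDs begin with "STS.", are assumptions for this example; the credential values in the usage block are constructed.

```python
"""Load a RAM user credential from the environment instead of source code (added example)."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumed environment variable names; check your SDK's credential provider docs.
ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"
ENV_TOKEN = "ALIBABA_CLOUD_SECURITY_TOKEN"


@dataclass(frozen=True)
class Credential:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str] = None

    @property
    def is_temporary(self) -> bool:
        """True for an STS credential (assumed 'STS.' prefix plus a security token)."""
        return self.security_token is not None and self.access_key_id.startswith("STS.")

    def redacted_id(self) -> str:
        """Show only the last four characters of the AccessKey ID for logging."""
        tail = self.access_key_id[-4:]
        return "*" * max(len(self.access_key_id) - 4, 0) + tail


def load_credential(env: Mapping[str, str]) -> Credential:
    """Build a Credential from an environment-like mapping.

    Raises ValueError when the pair is incomplete, so a misconfigured deployment
    fails at startup rather than making unauthenticated calls later.
    """
    key_id = env.get(ENV_KEY_ID, "").strip()
    secret = env.get(ENV_KEY_SECRET, "").strip()
    token = env.get(ENV_TOKEN, "").strip() or None
    if not key_id or not secret:
        raise ValueError(f"{ENV_KEY_ID} and {ENV_KEY_SECRET} must both be set")
    if key_id.startswith("STS.") and token is None:
        raise ValueError("STS AccessKey ID supplied without a security token")
    return Credential(key_id, secret, token)


def describe_credential(cred: Credential) -> str:
    """One log-safe line stating which kind of credential is in use."""
    kind = "temporary STS credential" if cred.is_temporary else "permanent AccessKey pair"
    return f"using {kind} {cred.redacted_id()}"


if __name__ == "__main__":
    import os
    # Constructed values; in a real deployment these come from the process environment.
    sample_env = {
        ENV_KEY_ID: "STS.EXAMPLE0000000000001234",
        ENV_KEY_SECRET: "constructed-secret",
        ENV_TOKEN: "constructed-token",
    }
    print(describe_credential(load_credential({**os.environ, **sample_env})))
```

The secret itself is never echoed; only the redacted ID and the credential kind are logged, which is enough to confirm at startup that an application is running on an STS token rather than the RAM user's permanent pair.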