You can grant minimum permissions to RAM users to prevent security risks that are caused by the exposure of the AccessKey pair of your Alibaba Cloud account. This topic describes how to create a RAM user for an Alibaba Cloud account and grant permissions to the RAM user based on your business requirements.

Scenarios

Enterprise A wants some employees to handle routine O&M tasks. In this scenario, Enterprise A can create RAM users and grant the required permissions to the RAM users. Then, the employees can log on to the SAE console as the RAM users. SAE allows Enterprise A to use RAM users to manage permissions and split bills. Enterprise A can also manage the logon permissions on specific consoles for the RAM users.

  • For security purposes, Enterprise A does not want to disclose the AccessKey pair of the Alibaba Cloud account to the employees. Enterprise A prefers to create different RAM users for the employees and grant different permissions to the RAM users.
  • Only RAM users that are granted permissions can manage resources. Resource usage and costs are not separately calculated for each RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
  • Enterprise A can revoke the permissions of the RAM users and delete the RAM users at any time.

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Optional: Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Enable an MFA device for a RAM user.
    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.

Step 2: Grant permissions to the RAM user

After a RAM user is granted the required permissions, the RAM user can access the related Alibaba Cloud resources. This section describes how to grant permissions to a RAM user on the Users page in the Resource Access Management (RAM) console. For more information, see Grant permissions to the RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach a policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Search for the policy that you want to attach to the RAM user by keyword and click the policy to add it to the Selected list.
      • System policy: System policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. System policies apply when you need to implement coarse-grained access control on RAM users.
      • Custom policy: You can create, update, and delete custom policies and maintain the updates of the policies. Custom policies apply when you need to implement fine-grained access control on RAM users.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.
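The following added example (not part of the original topic, and not an Alibaba Cloud tool) shows what a fine-grained custom policy for a routine-O&M RAM user can look like in the RAM policy format, next to the kind of broad grant the topic recommends against, together with a small review function that flags wildcard actions, account-wide resources, and statements that do not require MFA. The "sae:" action names and the resource ARN pattern are illustrative assumptions; check them against the SAE RAM authorization reference before attaching a policy.

```python
import json

# Constructed custom policy in Alibaba Cloud RAM policy format (Version "1").
# The "sae:" action names and the resource pattern are assumptions made for
# this example; verify them against the SAE RAM authorization reference.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sae:Describe*", "sae:List*"],
        "Resource": "acs:sae:*:*:*",
        # acs:MFAPresent is a RAM condition key: the grant only applies when
        # the RAM user logged on with MFA (see the Multi-factor Authentication
        # option in Step 1).
        "Condition": {"Bool": {"acs:MFAPresent": "true"}}
    }]
})

# Constructed counter-example: a coarse grant that is as powerful as the
# Alibaba Cloud account itself and therefore defeats the point of RAM users.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
})


def review_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements broader than a routine-O&M RAM
    user needs. An empty list means no findings."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # RAM allows Action and Resource to be a string or a list; normalise.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: applies to all resources")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("acs:MFAPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: does not require MFA")
    return findings
```

Run `review_policy` over a policy document before attaching it in the Add Permissions panel; the broad policy above yields three findings, the scoped one none.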

What to do next

The employees of Enterprise A can use the following methods to access SAE as RAM users.

  • Method 1: Use the Alibaba Cloud Management Console
    1. Open the RAM User Logon page in a browser.
    2. On the RAM User Logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Log On.
      Note The logon name of a RAM user is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the alias of the RAM user. If you do not specify an alias, the ID of the Alibaba Cloud account is used. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
    3. In the search box of the top navigation bar of the Alibaba Cloud Management Console, enter Serverless Application Engine to access the SAE console.
  • Method 2: Call an API operation

    Use the AccessKey ID and AccessKey secret of the RAM user to call an API operation to access SAE.