Learn about the user identities and permission model that govern access to Alibaba Cloud resources.
Identities
Alibaba Cloud supports two types of user identities: entity user identities and virtual user identities.
Entity user identities
An entity user identity has a fixed ID and credentials (logon password or AccessKey pair) tied to a person, enterprise, or application. Entity user identities include Alibaba Cloud accounts and Resource Access Management (RAM) users. You can access cloud resources in two ways:
- Log on to the console with a username, password, and multi-factor authentication (MFA).
- Call APIs with an AccessKey pair.
Alibaba Cloud accounts and RAM users differ in scope and permissions.
Virtual user identities
A virtual user identity has no fixed credentials. A RAM role is a virtual identity assumed by a trusted entity, which receives a temporary Security Token Service (STS) token to access authorized resources.
RAM roles support these trusted entity types.
| Trusted entity | Scenario |
|---|---|
| Alibaba Cloud account | Cross-account access and temporary authorization. Only RAM users under the trusted Alibaba Cloud account (the current account or another account) can assume the role. |
| Alibaba Cloud service | Cross-service resource access. Only trusted Alibaba Cloud services can assume the role. |
| Identity provider | SSO integration. Only users from the trusted identity provider can assume the role. |
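The three trusted entity types differ only in the principal named in the role's trust policy: an account is trusted through its `RAM` principal, a service through `Service`, and an identity provider through `Federated`. The following Python helper is an added example, not code from the Alibaba Cloud documentation: it builds the trust policy for each type and extracts the principals a policy names, so a reviewer can confirm a role is scoped to the intended entity before it is assumed for an STS token. The account ID, service name and identity provider ARN are constructed placeholders.

```python
import json

# Constructed sample values; the account ID, service name and IdP name are
# placeholders, not real identifiers.
TRUSTED_ACCOUNT_ID = "123456789012"
TRUSTED_SERVICE = "ecs.aliyuncs.com"
SAML_PROVIDER_ARN = f"acs:ram::{TRUSTED_ACCOUNT_ID}:saml-provider/example-idp"

# Principal key used in the trust policy for each trusted entity type.
PRINCIPAL_KEYS = {"account": "RAM", "service": "Service", "idp": "Federated"}


def build_trust_policy(entity_type: str, principal: str) -> dict:
    """Return a trust policy that lets exactly one trusted entity call
    sts:AssumeRole on the role.

    entity_type is "account", "service" or "idp", matching the three
    trusted entity types in the table above. For "account" the principal
    is the account ID; trusting ":root" of that account means any RAM user
    under it that holds sts:AssumeRole permission can assume the role.
    """
    key = PRINCIPAL_KEYS[entity_type]
    value = f"acs:ram::{principal}:root" if entity_type == "account" else principal
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {key: [value]}}
        ],
    }


def trusted_principals(trust_policy: dict) -> dict:
    """Collect {principal_type: [principals]} from every Allow statement
    that grants sts:AssumeRole; this is who can obtain the role's STS token."""
    found: dict = {}
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for ptype, principals in stmt.get("Principal", {}).items():
            principals = [principals] if isinstance(principals, str) else principals
            found.setdefault(ptype, []).extend(principals)
    return found


def trust_is_scoped(trust_policy: dict) -> bool:
    """False if any principal contains a wildcard: such a trust policy
    would let arbitrary identities assume the role."""
    return all(
        "*" not in p
        for principals in trusted_principals(trust_policy).values()
        for p in principals
    )


if __name__ == "__main__":
    for kind, principal in (("account", TRUSTED_ACCOUNT_ID),
                            ("service", TRUSTED_SERVICE),
                            ("idp", SAML_PROVIDER_ARN)):
        policy = build_trust_policy(kind, principal)
        print(json.dumps(policy, indent=2))
        print("scoped:", trust_is_scoped(policy), trusted_principals(policy))
```

`trusted_principals` and `trust_is_scoped` are the audit side: run them over the trust policies of existing roles to list who can assume each role and to flag any that name a wildcard principal.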
Permissions
A permission specifies whether to allow or deny operations on specific resources under certain conditions.
Entity user identity permissions
| Entity user identity | Default permission | Requires authorization | Authorization details |
|---|---|---|---|
| Alibaba Cloud account | Has all permissions on its resources. | No | |
| RAM user | No permissions. | Yes. No permissions until explicitly granted. | Grant permissions by attaching access policies to identities in RAM. An access policy defines the authorized resources, allowed actions, and conditions. RAM supports two types of access policies. Attach an access policy to a RAM user or RAM user group to grant permissions. See Manage permissions for a RAM user and Grant permissions to a RAM user group. |
Virtual user identity permissions
A RAM role has no permissions by default.
After you specify a trusted entity, attach an access policy so the role can access resources through the console and API.
Attach an access policy to a RAM role to grant permissions. See Manage permissions for a RAM role.
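The permission model described in the two sections above (a policy allows or denies actions on resources under conditions; a RAM user or RAM role can do nothing until a policy is attached) can be exercised with a small evaluator. The following Python code is an added example, not Alibaba Cloud's evaluation engine, and supports only a subset of the policy language: wildcards in `Action` and `Resource`, and the `StringEquals`, `StringLike`, `Bool`, `IpAddress` and `NotIpAddress` condition operators. The bucket name and IP range in the sample policies are constructed placeholders.

```python
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """Action and Resource accept '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, context: dict) -> bool:
    """All operator blocks and all keys within them must hold; the values
    listed for one key are alternatives. A key absent from the request
    context never satisfies the operator."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = str(actual) in expected
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(str(actual), e) for e in expected)
            elif operator == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(e, strict=False) for e in expected)
                ok = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action: str, resource: str, context=None) -> str:
    """Return "Allow" or "Deny" for one request. An explicit Deny wins over
    any Allow, and with no matching Allow the answer is Deny, which is why
    a RAM user or role with no attached policy can do nothing."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed sample policies: bucket name and IP range are placeholders.
READ_ONLY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:Get*", "oss:List*"],
        "Resource": "acs:oss:*:*:example-bucket/*",
    }],
}
MFA_REQUIRED = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": "oss:*",
        "Resource": "*",
        "Condition": {"Bool": {"acs:MFAPresent": "false"}},
    }],
}
OFFICE_NETWORK_ONLY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": "oss:*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
    }],
}

if __name__ == "__main__":
    obj = "acs:oss:*:*:example-bucket/reports/q1.csv"
    attached = [READ_ONLY, MFA_REQUIRED, OFFICE_NETWORK_ONLY]
    print(evaluate([], "oss:GetObject", obj))  # Deny: nothing attached
    print(evaluate(attached, "oss:GetObject", obj,
                   {"acs:MFAPresent": "true", "acs:SourceIp": "10.1.2.3"}))  # Allow
    print(evaluate(attached, "oss:GetObject", obj,
                   {"acs:MFAPresent": "true", "acs:SourceIp": "203.0.113.5"}))  # Deny
```

The same `evaluate` call applies to a RAM role: the policies attached to the role are evaluated for the request made with the role's STS token, and with an empty policy list the result is Deny, matching the "no permissions by default" rule for both RAM users and RAM roles.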
References
- RAM-supported Alibaba Cloud services and their system policies: Alibaba Cloud services that support RAM.
- Access policy elements, syntax, and structure: Basic elements of a RAM policy and Policy structure and syntax.