Resource Access Management (RAM) allows you to manage permissions and control access to Alibaba Cloud resources. You can create RAM users and grant them permissions on resources without having to share your Alibaba Cloud account or its AccessKey pair. This greatly improves the security of your Alibaba Cloud account.


The following examples describe how to use RAM to implement access control.

  • Grant permissions to a RAM user

    Enterprise A wants to migrate a project named Project-X to Alibaba Cloud. The enterprise has purchased several types of Alibaba Cloud services, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Multiple employees need to perform operations on these cloud resources. Different employees require different permissions to fulfill their duties. Enterprise A has the following requirements:

    • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A wants to create different RAM user accounts for the employees and grant different permissions to these accounts.
    • The RAM users can perform operations on resources only after they are granted the corresponding permissions. Enterprise A can revoke the permissions granted to RAM users and delete RAM users at any time.
    • No bills are generated for a RAM user. Instead, the resources used by a RAM user are metered and billed as a part of the resources used by the Alibaba Cloud account of Enterprise A.

    The authorization management feature of RAM can be used to grant different permissions to RAM users and manage resources in a centralized manner.

  • Use a RAM role to access resources that belong to another Alibaba Cloud account

    Account A is created for Enterprise A. Account B is created for Enterprise B. Enterprise A has purchased a variety of cloud resources for business use, such as ECS instances and SLB instances.

    • Enterprise A wants to entrust tasks such as cloud resource O&M, monitoring, and management to Enterprise B.
    • Enterprise B is allowed to grant access permissions on the NLB resources owned by Enterprise A to one or more employees. Enterprise B can implement fine-grained control on the cloud resources of Enterprise A.
    • If either party terminates the entrustment agreement, Enterprise A can revoke the permissions of Enterprise B at any time.

    Account B can assign RAM roles to its RAM users so that the RAM users are authorized to access the resources of Account A.

Permission policy

The system policies that NLB supports include AliyunNLBFullAccess and AliyunNLBReadOnlyAccess.
Policy name: AliyunNLBFullAccess
Purpose: Grants full permissions on Network Load Balancer (NLB) to a RAM user.
Scenario:
  • Authorizes the RAM user to perform all operations in the NLB console.
  • Authorizes the RAM user to perform all API operations of NLB.

Policy name: AliyunNLBReadOnlyAccess
Purpose: Grants read-only permissions on Network Load Balancer (NLB) to a RAM user.
Scenario:
  • Authorizes the RAM user to view all pages in the NLB console. However, the RAM user cannot create or delete instances.
  • Authorizes the RAM user to perform query operations of NLB.
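
The cross-account scenario and the read-only policy described above can be modelled as three checks that must all pass before a RAM user in Account B can act on Account A's NLB resources. This is an added example, not Alibaba Cloud's code or policy engine: the account IDs, role name and policy bodies are constructed, the read-only action patterns are an assumption (the page does not show the policy body), and matching is simplified to case-sensitive wildcards.

```python
import fnmatch

# Constructed sample data: account IDs, role name and policy bodies are
# placeholders, not values from the page or from Alibaba Cloud.
ACCOUNT_A = "1111111111111111"  # resource owner (Enterprise A)
ACCOUNT_B = "2222222222222222"  # trusted operator (Enterprise B)
ROLE_ARN = f"acs:ram::{ACCOUNT_A}:role/nlb-ops"

# Trust policy on the role in Account A: which account may assume it.
TRUST_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"RAM": [f"acs:ram::{ACCOUNT_B}:root"]}}]}

# Assumed shape of a read-only NLB permission policy attached to the role.
READ_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["nlb:Get*", "nlb:List*"], "Resource": ["*"]}]}

# Policy attached to the RAM user in Account B so it can assume the role.
USER_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]}]}


def allows(policy, action, resource="*"):
    """Explicit Deny wins; otherwise any matching Allow grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"])
        hit = hit and any(fnmatch.fnmatchcase(resource, r)
                          for r in stmt.get("Resource", ["*"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


def trusts(trust_policy, caller_account):
    """True if the role's trust policy names the caller's account."""
    principal = f"acs:ram::{caller_account}:root"
    return any(s["Effect"] == "Allow" and principal in s["Principal"].get("RAM", [])
               for s in trust_policy["Statement"])


def cross_account_allowed(caller_account, user_policy, action):
    """Trust on the role, AssumeRole for the user, and the role's own grant."""
    return (trusts(TRUST_POLICY, caller_account)
            and allows(user_policy, "sts:AssumeRole", ROLE_ARN)
            and allows(READ_ONLY, action))
```

Removing Account B from the trust policy makes the first check fail for every user in that account, which is how Enterprise A revokes the entrustment in one place.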