You can create different permissions for different RAM users, and avoid security risks caused by exposing the accesskey of your Alibaba cloud account.

Background information

For security reasons, you can create RAM users (sub-accounts) for your Alibaba Cloud account (primary account) and Grant different permissions to these sub-accounts as needed. In this way, the Ram user can assign their own responsibilities without exposing the CMK. This article assumes that Enterprise A wants to have its employees perform routine O&M work. Then, enterprise A can create A RAM user and grant this RAM user the necessary permissions. Employees can then use the RAM users to log on to the console or call API operations.

The following table describes the system policies that are supported by Tracing Analysis.

Policy Type Description
AliyunTracingAnalysisFullAccess System Full permissions on Tracing Analysis
AliyunTracingAnalysisReadOnlyAccess System Read-only permissions on Tracing Analysis

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of the Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Step 2: Grant permissions to the RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

What to do next

After creating RAM users with an Alibaba Cloud account, you can distribute the logon names and passwords of the RAM users or AccessKey pair information to other RAM users. Other employees can log on to the console or call an API operation with the RAM user through the following steps.

  • Log on to the console
    1. Open in browser the logon page for RAM users.
    2. In RAM user logon page, enter the RAM user logon name, and click next Step, and enter the RAM user password, and then click login.
      Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the value defaults to the ID of the Alibaba cloud account.
    3. On the homepage of the Alibaba Cloud console, click a product with the permission to access the console.
  • Call an API operation with the RAM user's AccessKey

    Use the AccessKeyId and AccessKeySecret of the RAM user in the code.