You can grant different permissions to different RAM users and avoid the security risks caused by exposing the AccessKey pair of your Alibaba Cloud account.
Background information
For security reasons, you can create RAM users (sub-accounts) for your Alibaba Cloud account (primary account) and grant different permissions to these sub-accounts as needed. In this way, each RAM user can perform its own duties without exposing the CMK. This article assumes that Enterprise A wants its employees to perform routine O&M work. Enterprise A can create a RAM user and grant this RAM user the necessary permissions. Employees can then use the RAM user to log on to the console or call API operations.
The following table describes the system policies that are supported by Tracing Analysis.
Policy | Type | Description |
---|---|---|
AliyunTracingAnalysisFullAccess | System | Full permissions on Tracing Analysis |
AliyunTracingAnalysisReadOnlyAccess | System | Read-only permissions on Tracing Analysis |
Step 1: Create a RAM user
Step 2: Grant permissions to the RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Click OK.
- Click Complete.
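The grant in Step 2 can also be made from the command line. The script below is an added example, not part of the original page: it assumes the Alibaba Cloud CLI (`aliyun`) is installed and configured, and it uses the RAM API operations AttachPolicyToUser and ListPoliciesForUser. The function names, the user name `ops-reader`, and the user-name character rule are assumptions.

```shell
#!/bin/sh
# Added example. Assumes the Alibaba Cloud CLI (`aliyun`) is installed and configured.
# Function names and the sample user name are hypothetical.

# Accept only the two system policies listed in the table above.
valid_policy() {
  case "$1" in
    AliyunTracingAnalysisFullAccess|AliyunTracingAnalysisReadOnlyAccess) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumed RAM user name rule: 1-64 characters from letters, digits, '.', '_', '-'.
valid_user() {
  [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print the command that attaches the policy; default to read-only (least privilege).
grant_cmd() {
  user=$1
  policy=${2:-AliyunTracingAnalysisReadOnlyAccess}
  valid_user "$user" || { echo "invalid RAM user name: $user" >&2; return 2; }
  valid_policy "$policy" || { echo "not a Tracing Analysis system policy: $policy" >&2; return 3; }
  printf 'aliyun ram AttachPolicyToUser --PolicyType System --PolicyName %s --UserName %s\n' \
    "$policy" "$user"
}

# Print the command that lists the policies attached to the user, for review.
verify_cmd() {
  valid_user "$1" || return 2
  printf 'aliyun ram ListPoliciesForUser --UserName %s\n' "$1"
}

# Dry run by default; set APPLY=1 to execute the commands.
grant() {
  cmd=$(grant_cmd "$@") || return $?
  check=$(verify_cmd "$1") || return $?
  if [ "${APPLY:-0}" = 1 ]; then
    $cmd && $check
  else
    printf 'dry run: %s\ndry run: %s\n' "$cmd" "$check"
  fi
}

grant ops-reader   # constructed sample user name
```

Without a second argument the script grants AliyunTracingAnalysisReadOnlyAccess; pass AliyunTracingAnalysisFullAccess explicitly only for users who need to change Tracing Analysis resources.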
What to do next
After you create RAM users by using your Alibaba Cloud account, you can distribute the logon names and passwords of the RAM users or their AccessKey pair information to other RAM users. Other employees can then log on to the console or call an API operation as the RAM user by performing the following steps.
- Log on to the console
  - Open the logon page for RAM users in a browser.
  - On the RAM user logon page, enter the RAM user logon name, click Next Step, enter the RAM user password, and then click Login.
    Note: The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the value defaults to the ID of the Alibaba Cloud account.
  - On the homepage of the Alibaba Cloud console, click a product that the RAM user has permission to access to go to its console.
- Call an API operation with the RAM user's AccessKey
Use the AccessKeyId and AccessKeySecret of the RAM user in the code.