
Resource Access Management:FAQ about RAM users

Last Updated:Mar 12, 2024

This topic provides answers to some frequently asked questions about the logon, billing, and permissions of Resource Access Management (RAM) users.

What are the logon URL and logon names of RAM users?

RAM users can use the following URL to log on: Logon URL of RAM users.

Note

Alternatively, you can log on to the RAM console with an Alibaba Cloud account and find the logon URL of RAM users on the Overview page. If you open the logon page by using that URL, the system fills in the default domain name automatically, so you only need to enter the username.

You can log on to the console as a RAM user by using one of the following logon names:

  • Logon name 1: default domain name. The format of the logon name of the RAM user is <UserName>@<AccountAlias>.onaliyun.com, such as username@company-alias.onaliyun.com.

    Note

    The logon name of the RAM user is in the User Principal Name (UPN) format. All logon names that are listed in the RAM console follow this format. <UserName> indicates the username of the RAM user. <AccountAlias>.onaliyun.com indicates the default domain name. For more information, see Terms and View and modify the default domain name.

  • Logon name 2: the account alias. The format of the logon name of the RAM user is <UserName>@<AccountAlias>, such as username@company-alias.

    Note

    <UserName> indicates the username of the RAM user. <AccountAlias> indicates the account alias. For more information, see Terms and View and modify the default domain name.

  • Logon name 3: the domain alias. If you configured a domain alias, you can use this logon name. The format of the logon name of the RAM user is <UserName>@<DomainAlias>, such as username@example.com.

    Note

    <UserName> indicates the username of the RAM user. <DomainAlias> indicates the domain alias. For more information, see Terms and Create and verify a domain alias.

What are the default domain name and domain alias?

The default domain name is a unique identifier of an Alibaba Cloud account. Alibaba Cloud assigns a default domain name to each Alibaba Cloud account. The format of the default domain name is <AccountAlias>.onaliyun.com. This unique identifier can be used for RAM user logon and single sign-on (SSO). For more information about how to manage the default domain name, see View and modify the default domain name.

If you have a custom domain name that is publicly resolvable, you can use this domain name to replace the default domain name. This custom domain name is called a domain alias. A domain alias is the alias of the default domain name. For more information, see Create and verify a domain alias.

Note

A custom domain can be used as a domain alias only after the ownership of the custom domain is verified. After the ownership is verified, you can use the domain alias to replace the default domain name in all scenarios in which the default domain name is required.
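The three logon name forms above and the rule that a custom domain counts only after ownership verification can be captured in a small resolver. The following is an added example, not code from the page or from Alibaba Cloud: it classifies a logon name, rejects domains that are neither the default domain, the account alias nor a verified domain alias, and normalises the name to the UPN form the console lists. The account-alias character rule, case-insensitive domain comparison and the sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Every default domain name has the form <AccountAlias>.onaliyun.com.
DEFAULT_DOMAIN_SUFFIX = ".onaliyun.com"

# Assumption: an account alias looks like a DNS label (letters, digits, hyphens).
_ALIAS_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass(frozen=True)
class LogonName:
    username: str
    form: str   # "default_domain", "account_alias" or "domain_alias"
    upn: str    # canonical <UserName>@<AccountAlias>.onaliyun.com


def resolve_logon_name(logon_name, account_alias, verified_domain_aliases=()):
    """Classify a RAM logon name and normalise it to the canonical UPN.

    Accepts the three forms the FAQ lists. A custom domain is accepted only if
    it appears in verified_domain_aliases, mirroring the ownership-verification
    requirement for domain aliases. Domain parts are compared case-insensitively
    (assumption: DNS names are case-insensitive); the username is kept as typed.
    Raises ValueError for malformed names and unknown or unverified domains.
    """
    if logon_name.count("@") != 1:
        raise ValueError("logon name must contain exactly one '@'")
    username, domain = logon_name.split("@")
    if not username or not domain:
        raise ValueError("username and domain part must both be non-empty")

    alias = account_alias.lower()
    if not _ALIAS_RE.match(alias):
        raise ValueError(f"account alias {account_alias!r} is not a valid label")
    domain = domain.lower()
    verified = {d.lower() for d in verified_domain_aliases}

    if domain == alias + DEFAULT_DOMAIN_SUFFIX:
        form = "default_domain"        # username@company-alias.onaliyun.com
    elif domain == alias:
        form = "account_alias"         # username@company-alias
    elif domain in verified:
        form = "domain_alias"          # username@example.com (verified)
    else:
        raise ValueError(f"domain {domain!r} is neither the default domain, "
                         f"the account alias nor a verified domain alias")
    return LogonName(username, form, f"{username}@{alias}{DEFAULT_DOMAIN_SUFFIX}")


def classify(logon_name, account_alias, verified_domain_aliases=()):
    """Return the form name, or 'rejected' for names that do not resolve."""
    try:
        return resolve_logon_name(logon_name, account_alias, verified_domain_aliases).form
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample values; "example.com" is treated as an unverified domain here.
    for name in ("username@company-alias.onaliyun.com", "username@company-alias",
                 "username@example.com", "username"):
        print(f"{name:40} -> {classify(name, 'company-alias')}")
```

Pass the set of domain aliases that have passed ownership verification as `verified_domain_aliases`; a domain that has merely been created but not verified must stay out of that set, otherwise the resolver would accept logon names the console itself rejects.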

What permissions are required for a RAM user to purchase Alibaba Cloud resources?

  • If a RAM user wants to purchase an Alibaba Cloud service on a pay-as-you-go basis, the permissions to create instances or resources are required.

  • If a RAM user wants to purchase an Alibaba Cloud resource on a subscription basis, both the permissions to create instances and the permissions to make payments are required. To grant the permissions to make payments, you must attach the AliyunBSSOrderAccess policy to the RAM user.

  • If a RAM user purchases a resource, the RAM user may need to use or create other resources. In this case, the permissions to read or create the resources are required.

    The following example policy contains the permissions required to create Elastic Compute Service (ECS) instances. If it is attached to a RAM user, that user can create ECS instances from launch templates.

    {
        "Version": "1",
        "Statement": [{
                "Action": [
                    "ecs:DescribeLaunchTemplates",
                    "ecs:CreateInstance",
                    "ecs:RunInstances",
                    "ecs:DescribeInstances",
                    "ecs:DescribeImages",
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    If the RAM user also needs to use or create other resources when creating an ECS instance, additional permissions are required. The following list shows the operations on other resources and the actions that must be allowed for each operation.

    • Use a snapshot to create an ECS instance: ecs:DescribeSnapshots

    • Create and use a VPC: vpc:CreateVpc, vpc:CreateVSwitch

    • Create and use a security group: ecs:CreateSecurityGroup, ecs:AuthorizeSecurityGroup

    • Assign a RAM role to an ECS instance: ecs:DescribeInstanceRamRole, ram:ListRoles, ram:PassRole

    • Use an SSH key pair: ecs:CreateKeyPair, ecs:DescribeKeyPairs

    • Create an ECS instance on a dedicated host: ecs:AllocateDedicatedHosts

    Note

    ram:PassRole allows the RAM user to attach any RAM role that the user is permitted to pass to an instance, and the instance then obtains that role's permissions. Instead of granting ram:PassRole on "Resource": "*", list the ARNs of the specific roles that the user may assign in the Resource element of that statement.

Why is a RAM user unable to access resources after the RAM user is granted the required permissions?

  • For cloud services that support permission diagnostics, you can directly view the causes of and solutions to permission issues. For more information, see How do I troubleshoot an access denied error?

  • For cloud services that do not support permission diagnostics, use the following causes and solutions to troubleshoot the issue.

    Cause: The policy is invalid.

    Solution: Check the policy that is attached to the RAM user to ensure that the policy is syntactically valid and meets your business requirements.

    Cause: A Deny statement is configured in a custom policy.

    Solution: Check whether "Effect": "Deny" is configured to deny access to the related resources or to prohibit the related operations in the policies that are attached to the RAM user and in the policies that are attached to the RAM user groups to which the RAM user belongs. An explicit Deny statement takes precedence over every Allow statement. For example, if the RAM user has the read-only AliyunECSReadOnlyAccess policy on ECS instances, but the following policy is also attached to the RAM user, the RAM user cannot view ECS instances.

    {
        "Statement": [{
            "Action": "ecs:*",
            "Effect": "Deny",
            "Resource": "*"
        }],
        "Version": "1"
    }

    Cause: The resources do not support the related authorization method.

    Solution: Authorization methods vary based on cloud services. Check whether the resources support the authorization method that your policy relies on.

    • To obtain the services that support RAM-based authorization, refer to Services that work with RAM.

    • To obtain the services that support resource group-based authorization, refer to Services that work with Resource Group.

    • To obtain the services that support tag-based authorization, log on to the Resource Management console, choose Tag > Tag in the left-side navigation pane, click the Resource Tagging Capabilities tab, and then find the resource types for which the value of Tag Ram Support is Support.

    Cause: The access control policy of a resource directory denies access to the resources.

    Solution: If the Alibaba Cloud account to which the RAM user belongs is a member of a resource directory, and an access control policy that denies access to the resources is attached to that member, the RAM user cannot access the resources regardless of the RAM policies attached to the user. You must contact the owner of the management account of the resource directory to modify or detach the control policy.

    1. Find the management account of the resource directory to which the member belongs.

      For more information, see View the information about the resource directory to which a member belongs.

    2. Contact the owner of the management account to modify or detach the control policy.

      For more information, see Modify a custom access control policy or Detach a custom access control policy.

Why can a RAM user perform operations on resources without the required permissions?

For example, a RAM user can view ECS instances even if the AliyunECSFullAccess system policy, the AliyunECSReadOnlyAccess system policy, or related custom policies are not attached to the RAM user.

  • Check whether the policies are attached to the RAM user group to which the RAM user is added.

  • Check whether other policies attached to the RAM user contain the required permissions.

    For example, the AliyunCloudMonitorFullAccess system policy indicates full access to CloudMonitor. This policy contains the following permissions: "ecs:DescribeInstances", "rds:DescribeDBInstances", and "slb:DescribeLoadBalancer". If the AliyunCloudMonitorFullAccess policy is attached to the RAM user, the RAM user can view the information about ECS, ApsaraDB RDS, and Server Load Balancer (SLB) instances.
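Both troubleshooting questions above (a user denied despite an Allow, and a user allowed despite no obvious Allow) come down to the same evaluation rule: gather every policy attached to the user and to the user's groups, match the requested action against each statement, and let an explicit Deny override any Allow. The following is an added example, not code from the page or from Alibaba Cloud, that implements that rule offline so you can answer "which policy granted or denied this action?" before opening a ticket. The policy bodies are constructed for the walkthrough: ECS_READ_ONLY_LIKE is a stand-in for AliyunECSReadOnlyAccess, CLOUDMONITOR_LIKE carries only the three actions the page attributes to AliyunCloudMonitorFullAccess, and case-insensitive wildcard matching is an assumption of the example.

```python
import json
import re

# Constructed policy documents for the walkthrough. ECS_READ_ONLY_LIKE is a
# stand-in for AliyunECSReadOnlyAccess (a single Describe* wildcard, not the
# real system policy body). DENY_ALL_ECS is the Deny policy quoted on the page.
# CLOUDMONITOR_LIKE carries only the three actions the page attributes to
# AliyunCloudMonitorFullAccess.
ECS_READ_ONLY_LIKE = {"Version": "1", "Statement": [
    {"Action": "ecs:Describe*", "Resource": "*", "Effect": "Allow"}]}
DENY_ALL_ECS = json.loads(
    '{"Statement": [{"Action": "ecs:*", "Effect": "Deny", "Resource": "*"}], "Version": "1"}')
CLOUDMONITOR_LIKE = {"Version": "1", "Statement": [
    {"Action": ["ecs:DescribeInstances", "rds:DescribeDBInstances",
                "slb:DescribeLoadBalancer"], "Resource": "*", "Effect": "Allow"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """RAM-style wildcard match: '*' stands for any run of characters.
    Assumption: action and resource names compare case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def lint_policy(policy):
    """Return the structural problems in a policy document (empty list: well formed).
    Only the properties the FAQ relies on are checked: Version "1", a non-empty
    Statement list, Effect Allow/Deny, and non-empty Action and Resource."""
    problems = []
    if policy.get("Version") != "1":
        problems.append("Version must be '1'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            if not _as_list(stmt.get(key, [])):
                problems.append(f"statement {i}: {key} is missing or empty")
    return problems


def matching_statements(attached, action, resource="*"):
    """Yield (policy_name, effect, matched_action_pattern) for every statement,
    across all attached policies, whose Action and Resource cover the request."""
    for name, policy in attached.items():
        for stmt in policy["Statement"]:
            hit = next((p for p in _as_list(stmt["Action"]) if _wild(p, action)), None)
            if hit is None:
                continue
            if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            yield name, stmt["Effect"], hit


def evaluate(attached, action, resource="*"):
    """Decide a request the way the FAQ describes: an explicit Deny in any policy
    wins over every Allow, and a request no statement matches is implicitly denied.
    Returns "Deny", "Allow" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for _, effect, _ in matching_statements(attached, action, resource):
        if effect == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def explain(attached, action, resource="*"):
    """Troubleshooting view: which attached policies allow the action and which deny it."""
    hits = list(matching_statements(attached, action, resource))
    return {
        "decision": evaluate(attached, action, resource),
        "allowed_by": sorted({n for n, e, _ in hits if e == "Allow"}),
        "denied_by": sorted({n for n, e, _ in hits if e == "Deny"}),
    }


if __name__ == "__main__":
    # Policies attached to the user and to the user's groups are merged into one map.
    attached = {"AliyunECSReadOnlyAccess-like": ECS_READ_ONLY_LIKE, "deny-all-ecs": DENY_ALL_ECS}
    print(explain(attached, "ecs:DescribeInstances"))
    print(explain({"AliyunCloudMonitorFullAccess-like": CLOUDMONITOR_LIKE}, "ecs:DescribeInstances"))
```

Feed `explain` the policy documents fetched for the user and for every group the user belongs to, keyed by policy name. A result with a non-empty `denied_by` answers the first question; a result whose `allowed_by` names a policy you did not expect (a monitoring or operations policy that bundles Describe actions) answers the second. Resource directory control policies are evaluated outside RAM and are not modelled here.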

How do I grant a RAM user the permissions to manage renewals?

You must create a custom policy for the renewals of a specific cloud service and attach the policy to the RAM user. No system policy grants renewal permissions across all cloud services. To manage renewals, a RAM user needs both the permissions to purchase the specific service and the permissions to make payments.

For example, to grant a RAM user the permissions to renew ECS instances, you must attach the following custom policy and the AliyunBSSOrderAccess system policy to the RAM user.

{
    "Version": "1",
    "Statement": [{
            "Action": [
                "ecs:DescribeLaunchTemplates",
                "ecs:RenewInstance",
                "ecs:DescribeInstances",
                "ecs:DescribeImages",
                "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
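The purchase permissions section and the renewal section above share one pattern: a custom policy assembled from the base ECS create actions plus whichever optional capabilities the user needs, and AliyunBSSOrderAccess attached alongside whenever money changes hands (subscription purchases and renewals). The following is an added example, not code from the page or from Alibaba Cloud, that composes such a least-privilege policy deterministically from those building blocks. The action lists are copied from the page; the feature names, the `pass_role_resources` narrowing and the sample role ARN pattern are this example's own.

```python
import json

# Action lists are copied from the page's ECS examples and table. Feature names
# (the dict keys) are this example's own labels, not RAM identifiers.
BASE_CREATE_ACTIONS = [
    "ecs:DescribeLaunchTemplates", "ecs:CreateInstance", "ecs:RunInstances",
    "ecs:DescribeInstances", "ecs:DescribeImages", "ecs:DescribeSecurityGroups",
    "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
]
OPTIONAL_ACTIONS = {
    "snapshot": ["ecs:DescribeSnapshots"],
    "create_vpc": ["vpc:CreateVpc", "vpc:CreateVSwitch"],
    "create_security_group": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup"],
    "instance_ram_role": ["ecs:DescribeInstanceRamRole", "ram:ListRoles", "ram:PassRole"],
    "ssh_key_pair": ["ecs:CreateKeyPair", "ecs:DescribeKeyPairs"],
    "dedicated_host": ["ecs:AllocateDedicatedHosts"],
}
RENEW_ACTIONS = ["ecs:RenewInstance"]
BSS_ORDER_POLICY = "AliyunBSSOrderAccess"  # system policy that grants payment permissions


def build_ecs_policy(features=(), subscription=False, renew=False,
                     resource="*", pass_role_resources="*"):
    """Compose the custom policy for an ECS purchaser and list the system policies
    that must be attached alongside it.

    Returns (policy_document, system_policy_names). Actions are deduplicated,
    sorted and grouped into one Allow statement per service prefix, so the same
    input always yields the same document (handy when diffing in review).
    ram:PassRole is split into its own statement when pass_role_resources is
    narrowed: that action lets the user hand any role it can pass to an instance,
    so least privilege means listing the permitted role ARNs instead of "*".
    """
    unknown = set(features) - set(OPTIONAL_ACTIONS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    actions = set(BASE_CREATE_ACTIONS)
    for feature in features:
        actions.update(OPTIONAL_ACTIONS[feature])
    if renew:
        actions.update(RENEW_ACTIONS)

    by_service = {}
    for action in sorted(actions):
        by_service.setdefault(action.split(":", 1)[0], []).append(action)

    statements = []
    for service, acts in sorted(by_service.items()):
        if service == "ram" and "ram:PassRole" in acts and pass_role_resources != "*":
            acts = [a for a in acts if a != "ram:PassRole"]
            statements.append({"Action": ["ram:PassRole"],
                               "Resource": pass_role_resources, "Effect": "Allow"})
        if acts:
            statements.append({"Action": acts, "Resource": resource, "Effect": "Allow"})

    policy = {"Version": "1", "Statement": statements}
    # Subscription purchases and renewals both need payment permissions.
    system_policies = [BSS_ORDER_POLICY] if (subscription or renew) else []
    return policy, system_policies


def actions_in(policy):
    """Flat, sorted list of every action the policy allows."""
    return sorted(a for s in policy["Statement"] for a in s["Action"])


def statement_for(policy, action):
    """The statement that names the exact action, or None."""
    return next((s for s in policy["Statement"] if action in s["Action"]), None)


if __name__ == "__main__":
    policy, system = build_ecs_policy(
        features=["instance_ram_role", "ssh_key_pair"], subscription=True,
        pass_role_resources=["acs:ram::*:role/ecs-worker"])  # constructed role ARN pattern
    print(json.dumps(policy, indent=4))
    print("also attach:", system)
```

Calling `build_ecs_policy()` with no arguments reproduces the page's first example policy; `build_ecs_policy(renew=True)` adds ecs:RenewInstance and tells you to attach AliyunBSSOrderAccess, which is the combination the renewal answer describes.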

How is a RAM user charged for consumed resources?

  • The fees that a RAM user is charged are billed to the parent Alibaba Cloud account.

  • By default, a RAM user can use the discounts that are applied to the parent Alibaba Cloud account.

  • Financial configurations such as the consumption budget, credit limit, and payment methods apply to all RAM users that belong to an Alibaba Cloud account. They cannot be configured for a single RAM user.

  • RAM users can be authorized to add funds to the parent Alibaba Cloud account. The added funds belong to the Alibaba Cloud account.

  • RAM users and RAM user groups are not separately billed.

I have granted permissions in RAM but the permissions do not immediately take effect on cloud services. Why?

RAM is deployed in multiple regions and zones to achieve high availability. RAM copies data between different regions and uses the eventual consistency model. After you grant permissions in RAM, RAM delivers the permission data to all Alibaba Cloud regions and zones. Then, all cloud services can use the information for authentication. If a failure occurs in a region or a zone, RAM switches over to an available region or zone based on its high-availability disaster recovery mechanism.

After RAM delivers the permission data, it takes a period of time for the permissions to take effect. Therefore, if you grant or change permissions, you must wait for a period of time before the permissions take effect on cloud services.

RAM ensures the eventual consistency of permission data.
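Because a grant becomes visible to cloud services only after RAM has replicated it, automation that attaches a policy and immediately performs the action it grants can fail spuriously. The following is an added example, not code from the page or from Alibaba Cloud, of the pattern a practitioner would use: poll a check with capped exponential backoff until the permission is observed to work, then give up at a deadline. The check is assumed to be a caller-supplied callable (in practice, the API call the new policy should allow, made with the RAM user's credentials); the clock and sleep are injectable so the block runs offline against a constructed propagation delay.

```python
import time


def wait_until_effective(check, timeout_s=120.0, initial_delay_s=1.0,
                         max_delay_s=15.0, sleep=time.sleep, clock=time.monotonic):
    """Poll check() with capped exponential backoff until it returns True.

    check is a zero-argument callable; assumption: the caller makes it perform,
    with the RAM user's credentials, the API call the newly attached policy
    should allow, returning True on success and False on an access-denied error.
    Returns (effective, attempts, elapsed_s). sleep and clock are injectable so
    the logic can be exercised without actually waiting.
    """
    start = clock()
    deadline = start + timeout_s
    delay = initial_delay_s
    attempts = 0
    while True:
        attempts += 1
        if check():
            return True, attempts, clock() - start
        if clock() + delay > deadline:
            return False, attempts, clock() - start
        sleep(delay)
        delay = min(delay * 2, max_delay_s)


class FakeClock:
    """Constructed clock for the example: time advances only when sleep() is called."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(visible_after_s, timeout_s=120.0):
    """Model a grant that cloud services start honouring visible_after_s seconds
    after it was made, and report how the waiter behaves against it."""
    clock = FakeClock()

    def check():
        return clock() >= visible_after_s

    return wait_until_effective(check, timeout_s=timeout_s, sleep=clock.sleep, clock=clock)


if __name__ == "__main__":
    for delay in (0, 5, 1000):
        effective, attempts, elapsed = simulate(delay)
        print(f"visible after {delay:>4}s: effective={effective} attempts={attempts} elapsed={elapsed}s")
```

Keep the deadline generous but finite: a check that never succeeds usually means the wrong action or resource was granted (or a Deny or control policy applies), which is a policy problem the earlier troubleshooting sections cover, not a propagation delay.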