This topic describes how to create an AccessKey pair for a Resource Access Management (RAM) user and an Alibaba Cloud account.
What is an AccessKey pair?
An AccessKey pair is a permanent access credential that is provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.
The AccessKey ID is used to identify a user.
The AccessKey secret is used to verify the identity of the user.
The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.
You cannot use the AccessKey pair for console logons. When you use a development tool such as an API, CLI, SDK, or Terraform to access Alibaba Cloud, each request carries the AccessKey ID and a signature that is computed over the request by using the AccessKey secret. The AccessKey secret itself is never sent. The AccessKey ID identifies the caller, and the signature proves both that the caller holds the matching secret and that the request was not modified in transit. In this way, the AccessKey pair is used for identity verification and request validity verification.
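The following is an added example, not code from the original page. It models the signing described above on the HMAC-SHA1 "signature version 1.0" scheme used by RPC-style Alibaba Cloud APIs (string to sign = HTTP method, an encoded "/", and the encoded canonicalized query string; HMAC key = AccessKey secret plus "&"). The parameter names and layout are my reading of that scheme, the AccessKey pair and request values are constructed, and the server-side check is a simplified model: it shows why only the ID and a signature travel with the request, and why changing any parameter or presenting an unknown ID invalidates it.

```python
"""Sign and verify an RPC-style API request with an AccessKey pair (added example)."""
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed credentials for the example only. Never hard-code real ones like this.
EXAMPLE_ACCESS_KEY_ID = "EXAMPLE-ACCESS-KEY-ID"
EXAMPLE_ACCESS_KEY_SECRET = "example-secret-not-a-real-value"


def percent_encode(value) -> str:
    # RFC 3986 style: space -> %20, '*' -> %2A, '~' left as-is (quote() with safe="~" does this).
    return quote(str(value), safe="~")


def canonicalized_query_string(params: dict) -> str:
    # Parameters sorted by name, each encoded as key=value, joined with '&'.
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, params: dict) -> str:
    # HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query_string(params))}"


def compute_signature(method: str, params: dict, access_key_secret: str) -> str:
    # The HMAC key is the secret with a trailing '&'; the secret never leaves this function.
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method: str, action_params: dict, access_key_id: str, access_key_secret: str) -> dict:
    """Client side: return the full parameter set to send, including Signature."""
    params = dict(action_params)
    params.update({
        "AccessKeyId": access_key_id,            # identifies the caller; not secret
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": str(uuid.uuid4()),    # unique per request, so a captured request cannot be replayed
        "Timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    params["Signature"] = compute_signature(method, params, access_key_secret)
    return params


def verify_request(method: str, received: dict, secret_for_id) -> bool:
    """Server side (simplified): look up the secret for the presented ID and recompute the signature."""
    params = dict(received)
    presented = params.pop("Signature", None)
    secret = secret_for_id(params.get("AccessKeyId"))
    if presented is None or secret is None:
        return False
    expected = compute_signature(method, params, secret)
    return hmac.compare_digest(presented, expected)   # constant-time comparison


def demo() -> dict:
    """Sign a constructed request, then verify it, a tampered copy, and a copy with an unknown ID."""
    store = {EXAMPLE_ACCESS_KEY_ID: EXAMPLE_ACCESS_KEY_SECRET}   # the server's own credential store
    request = {"Action": "ListUsers", "Version": "2015-05-01", "Format": "JSON"}
    signed = sign_request("GET", request, EXAMPLE_ACCESS_KEY_ID, EXAMPLE_ACCESS_KEY_SECRET)

    tampered = dict(signed)
    tampered["Action"] = "CreateAccessKey"   # attacker swaps the action but keeps the old signature

    unknown = dict(signed)
    unknown["AccessKeyId"] = "SOME-OTHER-ID"

    return {
        "secret_in_request": EXAMPLE_ACCESS_KEY_SECRET in signed.values(),
        "valid": verify_request("GET", signed, store.get),
        "tampered": verify_request("GET", tampered, store.get),
        "unknown_id": verify_request("GET", unknown, store.get),
    }


if __name__ == "__main__":
    print(demo())
```

Because the signature covers the sorted parameter set, reordering parameters does not break a legitimate request, while editing any value, including the AccessKey ID, does. The nonce and timestamp are signed too, which is what lets the service reject replays of a captured request.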
Best practices for AccessKey pairs
An AccessKey pair is a permanent credential that is designed for programs. If an AccessKey pair of an account is leaked, the resources that belong to the account are exposed to potential risks.
We recommend that you do not create AccessKey pairs for Alibaba Cloud accounts.
By default, an Alibaba Cloud account is an administrator and has the permissions to manage all Alibaba Cloud resources of the Alibaba Cloud account. You cannot change the permissions of the Alibaba Cloud account. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To ensure account security, we recommend that you do not create an AccessKey pair for an Alibaba Cloud account. We recommend that you create a RAM user for whom only the API access mode is enabled, and create an AccessKey pair for the RAM user. After you grant only the required permissions to the RAM user based on the principle of least privilege, the RAM user can call API operations to access Alibaba Cloud resources.
We recommend that you use temporary Security Token Service (STS) tokens instead of permanent AccessKey pairs wherever possible. A short-lived token limits the damage if the credential is leaked.
Keep AccessKey pairs confidential. Do not share AccessKey pairs or include AccessKey pairs in public documents.
Do not include plaintext AccessKey pairs in code.
If you do not need an AccessKey pair, disable the AccessKey pair at the earliest opportunity.
Rotate AccessKey pairs on a regular basis. A RAM user can have at most two AccessKey pairs at a time; the second pair exists only for rotation, so that you can switch your applications to the new pair and then disable and delete the old one without downtime, not so that two pairs stay in active use.
Grant only the required permissions to a RAM user based on the principle of least privilege.
For more information, see Best practices for using an access credential to call API operations.
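The following is an added example, not code from the original page. It turns two of the practices above into checks a practitioner can run: a scanner that flags plaintext AccessKey pairs committed to source, and a loader that reads the pair from the environment instead. The patterns are assumptions (RAM AccessKey IDs beginning with "LTAI", 30-character alphanumeric secrets) and should be tuned to the keys you actually see; the environment variable names ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are likewise assumed, and the sample source text is constructed.

```python
"""Detect hard-coded AccessKey pairs in source text and load them from the environment (added example)."""
import os
import re
from typing import Mapping

# Assumed patterns: IDs start with "LTAI", secrets are 30 alphanumeric characters. Tune to real keys.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
ACCESS_KEY_SECRET_RE = re.compile(
    r"(?i)access[_-]?key[_-]?secret\W{1,5}[\"']([A-Za-z0-9]{30})[\"']"
)

# Constructed source text, as a pre-commit hook or CI scanner would see it.
SAMPLE_SOURCE = """\
client = RamClient(access_key_id="LTAI5tExampleExampleEx01", access_key_secret="aBcDeFgHiJkLmNoPqRsTuVwXyZ0123")
# Safe form: credentials injected at runtime, nothing to leak along with the repository.
client = RamClient(access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
                   access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"])
"""


def redact(secret: str) -> str:
    # Never echo a full secret into scanner output or logs; keep a short prefix for triage.
    return secret[:4] + "*" * (len(secret) - 4)


def scan_for_hardcoded_accesskeys(source: str) -> list:
    """Return (line_number, finding_type, value) for each hard-coded AccessKey ID or secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "AccessKey ID", m.group(0)))          # IDs are identifiers, not secrets
        for m in ACCESS_KEY_SECRET_RE.finditer(line):
            findings.append((lineno, "AccessKey secret", redact(m.group(1))))
    return findings


def load_credentials(env: Mapping[str, str] = os.environ) -> tuple:
    """Read the pair from the environment; fail closed if either half is missing."""
    try:
        return env["ALIBABA_CLOUD_ACCESS_KEY_ID"], env["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"credential variable {missing} is not set") from None


def credentials_configured(env: Mapping[str, str] = os.environ) -> bool:
    """True when both halves of the pair are present in the given environment."""
    try:
        load_credentials(env)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    for lineno, kind, value in scan_for_hardcoded_accesskeys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded {kind}: {value}")
    print("credentials configured:", credentials_configured())
```

Run the scanner over staged files in a pre-commit hook or CI job and fail the build on any finding; an AccessKey ID alone is worth flagging because it tells you which RAM user's secret to go looking for. Any pair that the scanner does find in history should be treated as leaked and disabled, not just removed from the current revision.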
Create an AccessKey pair for a RAM user
Prerequisites
You can use one of the following accounts to create an AccessKey pair for a RAM user:
An Alibaba Cloud account.
A RAM administrator.
A RAM user that is granted the permissions to manage AccessKey pairs. You can use the Alibaba Cloud account to which the RAM user belongs to grant the permissions. For more information about how to grant a RAM user the permissions to manage AccessKey pairs, see Manage security settings of RAM users.
Limits
The AccessKey secret of a RAM user is displayed only when you create the AccessKey pair for the RAM user. You cannot query the AccessKey secret in subsequent operations. This helps reduce the risks of AccessKey pair leaks. Record the AccessKey secret and keep it confidential.
You can create a maximum of two AccessKey pairs for a RAM user.
Procedure
Log on to the RAM console.
In the left-side navigation pane, go to the Users page.
On the Users page, click the username of the RAM user that you want to manage.
In the AccessKey section of the Authentication tab, click Create AccessKey.
Read the suggestion for each scenario and select a credential solution based on your business requirements. If you must create an AccessKey pair, select a scenario, select I confirm that it is necessary to create an AccessKey, and then click Continue. The created AccessKey pair can be used in all scenarios.
In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and click OK.
Create an AccessKey pair for an Alibaba Cloud account
Limits
The AccessKey secret of an Alibaba Cloud account is displayed only when you create the AccessKey pair for the Alibaba Cloud account. You cannot query the AccessKey secret in subsequent operations. This helps reduce the risks of AccessKey pair leaks. Record the AccessKey secret and keep it confidential.
You can create a maximum of five AccessKey pairs for an Alibaba Cloud account.
Procedure
Log on to the Alibaba Cloud Management Console with an Alibaba Cloud account.
Move the pointer over the profile picture in the upper-right corner of the page that appears and click AccessKey.
In the Main Account AccessKey is not recommended dialog box, read the risks that arise from using the AccessKey pair of an Alibaba Cloud account, select I am aware of the security risks of using a main account AccessKey, and then click use Main Account AccessKey.
On the AccessKey page, click Create AccessKey.
In the Create Main Account AccessKey dialog box, read the risks that arise from creating an AccessKey pair for an Alibaba Cloud account and the limits on using the AccessKey pair of an Alibaba Cloud account, select I am aware of the security risks of using a main account AccessKey, and then click use Main Account AccessKey.
In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, select I have saved the AccessKey Secret, and then click OK.