RAM users who use Resource Access Management can achieve the purpose of permission division. At the same time, you can give different permissions to sub-accounts as needed, and avoid the security risks caused by exposing the key of Alibaba Cloud account (master account).
For security reasons, you can create RAM users (sub accounts) for Alibaba Cloud accounts (master accounts) and assign different permissions to these sub accounts as needed. In this way, the sub-account can perform its duties without exposing the key of the main account.
Assuming that Enterprise A wants some employees to handle daily operation and maintenance work, Enterprise A can create RAM users and give them corresponding permissions, and then employees can use these RAM users to log in to the console. Advisor supports RAM users to achieve decentralization, that is, to enable console login permissions for this sub-account, and grant the following permissions as required:
AliyunAdvisorFullAccess:The permissions for Advisor include the permissions for editing/setting operations.
AliyunAdvisorReadOnlyAccess:Read only.
Precondition
Step 1: Create a RAM user
First, you need to log in to the RAM console and create a RAM user using the Alibaba Cloud account (master account).Before using RAM users, you need to add corresponding permissions for them. For specific operation steps, see Grant permissions to the RAM user.
Following steps:
After creating a RAM user with an Alibaba Cloud account (master account), you can distribute the RAM user's login name and password or AccessKey information to other users. Other users can log in to the Advisor console using RAM users according to the following steps:
On the RAM user login page, enter the RAM user login name, click Next, enter the RAM user password, and then click Login.
Tips:
The format of RAM user login name is <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias>is the account alias. If no account alias is set, the default value is the ID of the AliCloud account (master account).
Click Advisor on the Sub-User User Center page to access the Advisor console