ApsaraMQ for Kafka:Grant permissions to RAM users

Last Updated: Mar 11, 2026

When multiple team members need to manage ApsaraMQ for Kafka resources -- instances, topics, and consumer groups -- sharing a single Alibaba Cloud account AccessKey pair creates a security risk. Resource Access Management (RAM) lets you create individual user identities with scoped permissions, so each person or application accesses only the resources they need.

With RAM users you get:

  • Scoped access -- each RAM user has an independent identity and limited permissions.

  • Centralized billing -- all resource costs are billed to the Alibaba Cloud account, not to individual RAM users.

  • Full control -- revoke permissions or delete any RAM user at any time.

Step 1: Create a RAM user

  1. Log on to the RAM console with your Alibaba Cloud account or a RAM user that has administrative privileges.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.


  4. In the User Account Information section, configure the following fields. Click Add User to create multiple RAM users at a time.

    • Logon Name -- Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name -- Up to 128 characters.

    • Tag -- Click the edit icon and enter a tag key-value pair. Tags help you organize and filter RAM users.
  5. In the Access Mode section, select an access mode. For security, assign only one access mode per RAM user to keep human and programmatic identities separate.

    • Console Access -- for team members who operate through the Alibaba Cloud console.

    • Using permanent AccessKey to access -- for applications that call APIs programmatically. The system generates an AccessKey ID and AccessKey secret automatically. For details, see Obtain an AccessKey pair.

    Important

    - The AccessKey secret is displayed only once, at creation time. Save it immediately -- you cannot retrieve it later.

    - An AccessKey pair is a permanent credential. If it is leaked, all resources under the account are at risk. For production workloads, use Security Token Service (STS) tokens instead.

    For Console Access, configure the following parameters:

    • Set Console Password -- Choose Automatically Regenerate Default Password or Reset Custom Password. Custom passwords must meet the complexity requirements defined in your password policy.

    • Password Reset -- Whether the RAM user must reset the password at next logon.

    • Enable MFA -- Whether to enable multi-factor authentication (MFA). After you enable MFA, bind an MFA device to the RAM user.
  6. Click OK.

  7. Complete the security verification as prompted.

Step 2: Grant permissions to the RAM user

You can attach policies from either the Users page or the Grants page. Both paths open the same Grant Permission panel.

From the Users page

  1. In the RAM console, choose Identities > Users.

  2. Find the target RAM user and click Add Permissions in the Actions column.

    Tip: Select multiple RAM users and click Add Permissions at the bottom of the page to grant permissions in bulk.

From the Grants page

  1. In the RAM console, choose Permissions > Grants.

  2. On the Permission page, click Grant Permission.


Configure the Grant Permission panel

In the Grant Permission panel, fill in the following fields:

  1. Resource Scope -- choose the scope of the authorization:

    • Account -- The policy applies to the entire Alibaba Cloud account.

    • ResourceGroup -- The policy applies to a specific resource group only. The target cloud service must support resource groups. For an example, see Use a resource group to grant permissions for a specific ECS instance.
  2. Principal -- the RAM user or users to authorize. If you started from the Users page, the current user is pre-selected. From the Grants page, you can select multiple users.

  3. Policy -- select one or more policies to attach.

    Important

    The console flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Do not attach these unless the RAM user requires full administrative access.

    • System policy -- Pre-built by Alibaba Cloud and read-only. Alibaba Cloud maintains version updates. See Services that work with RAM.

    • Custom policy -- Created and maintained by you. Define fine-grained access rules for specific resources. See Create a custom policy.
  4. Click Grant permissions.

  5. Click Close.
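As an added illustration of a custom policy (not from this page or the product documentation): a RAM policy document that gives a RAM user read access to all ApsaraMQ for Kafka resources but topic and consumer-group management on a single instance only, so a leaked AccessKey pair for that user cannot touch other instances. The alikafka action names and the resource string format are assumptions to verify against the Create a custom policy documentation, and the instance ID is a placeholder.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:Get*",
        "alikafka:List*",
        "alikafka:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:CreateTopic",
        "alikafka:DeleteTopic",
        "alikafka:CreateConsumerGroup",
        "alikafka:DeleteConsumerGroup"
      ],
      "Resource": "acs:alikafka:*:*:<INSTANCE-ID-PLACEHOLDER>"
    }
  ]
}
```

Attach it as a Custom policy in the Grant Permission panel; anything not listed in an Allow statement, such as deleting the instance, stays denied by default.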

Log on as a RAM user

After permissions are granted, RAM users can access ApsaraMQ for Kafka in the following ways:

Console access

  1. Open the RAM User Logon page.

  2. Enter the logon name, click Next, enter the password, and click Log On. The logon name follows one of these formats:

    • <$username>@<$AccountAlias>

    • <$username>@<$AccountAlias>.onaliyun.com

    <$AccountAlias> is the account alias. If no alias is set, use the Alibaba Cloud account ID.

API access

Use the RAM user's AccessKey ID and AccessKey secret in your application code to authenticate API requests to ApsaraMQ for Kafka.