Resource Access Management (RAM) lets you create separate user accounts instead of sharing your Alibaba Cloud account credentials. Grant each RAM user only the permissions they need to manage ApsaraMQ for RabbitMQ resources such as instances, virtual hosts (vhosts), queues, and exchanges.
RAM provides the following controls:
- Isolated credentials: Each team member gets a dedicated account. Your Alibaba Cloud account AccessKey pair is never exposed.
- Fine-grained permissions: Define exactly which resources and actions each user can access.
- Centralized billing: All resource costs are charged to your Alibaba Cloud account, regardless of which RAM user incurred them.
- Instant revocation: Remove a user's permissions or delete their account at any time.
Step 1: Create a RAM user
Create a RAM user for each team member or application that needs access to ApsaraMQ for RabbitMQ.
Select only one access mode per user. Use console access for people who manage resources through the web console, and programmatic access for applications that call APIs. This separation limits the blast radius if credentials are compromised.
Console
- Log on to the RAM console with your Alibaba Cloud account or as a RAM administrator (a user with the AliyunRAMFullAccess policy attached).
- In the left-side navigation pane, choose Identity > Users.
- On the Users page, click Create User.
- In the User Account Information section, configure the following fields:

  | Field | Required | Description |
  | --- | --- | --- |
  | Logon Name | Yes | Can contain letters, digits, periods (.), hyphens (-), and underscores (_). Maximum 64 characters. |
  | Display Name | No | Maximum 128 characters. |
  | Tag | No | Click the edit icon and enter a tag key and value to categorize the RAM user. |

  Note: Click Add User to create multiple RAM users at the same time.
- In the Access Mode section, select an access mode:
For human users (console access)
Select Console Access, then configure:
- Set Logon Password: Choose Automatically Regenerate Default Password or Reset Custom Password. Custom passwords must meet the account's password policy.
- Password Reset: Specify whether the user must reset their password at next logon.
- Enable MFA: Multi-factor authentication (MFA) is required by default. RAM users must bind an MFA device during their first logon. For details, see Bind an MFA device to a RAM user. To modify MFA settings, see Manage the security settings of RAM users.
For applications (programmatic access)
Select Using permanent AccessKey to access. The system automatically creates an AccessKey pair (AccessKey ID and AccessKey secret).
Important: The AccessKey secret is displayed only once upon creation and cannot be retrieved later. Copy and save it to a secure location immediately, or click Download CSV File to save it. If an AccessKey pair is leaked, the security of all resources in your account is at risk. For more information, see Create an AccessKey pair.
Note: An AccessKey pair is a long-term credential. To reduce the risk of credential leakage, use Security Token Service (STS) tokens as temporary credentials instead. For more information, see Best practices for using an access credential to call API operations.
API
Create a RAM user for console access
- Call GetDefaultDomain to get the default logon suffix for your account. The format is <AccountAlias>.onaliyun.com.
- Call CreateUser to create a RAM user:
  - UserPrincipalName: The logon name in the format <username>@<AccountAlias>.onaliyun.com.
  - DisplayName: A human-readable name for the user. Can differ from <username>.
- Call CreateLoginProfile to enable console access:

  | Parameter | Description |
  | --- | --- |
  | UserPrincipalName | The logon name from the previous step. |
  | Password | Must meet your account's password complexity requirements. Call GetPasswordPolicy to check the policy. |
  | MFABindRequired | Set to true to require MFA. |
  | Status | Keep the default value Active. |
Create a RAM user for programmatic access
- Call GetDefaultDomain to get the default logon suffix (<AccountAlias>.onaliyun.com).
- Call CreateUser to create a RAM user:
  - UserPrincipalName: <username>@<AccountAlias>.onaliyun.com
  - DisplayName: A human-readable name for the user.
- Call CreateAccessKey with the UserPrincipalName from the previous step.

  Important: The CreateAccessKey response includes the AccessKey secret. This is your only opportunity to view the secret. Save it to a secure location immediately. If an AccessKey pair is leaked, the security of all resources in your account is at risk. For more information, see Create an AccessKey pair.
Step 2: Grant permissions to the RAM user
Attach policies to RAM users to define what each user can do with ApsaraMQ for RabbitMQ resources.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, find the target RAM user and click Add Permissions in the Actions column.
  To grant the same permissions to multiple users at once, select the users and click Add Permissions at the bottom of the page.
- In the Add Permissions panel, configure the following:
  - Authorized Scope: Select the scope for the permissions.

    | Scope | Effect |
    | --- | --- |
    | Account | Permissions apply to all resources in the current Alibaba Cloud account. |
    | Resource Group Level | Permissions apply only to resources in a specific resource group. |

    Note: Resource group-level permissions take effect only if the cloud service supports resource groups. For more information, see Services that work with Resource Group.
  - Principal: Verify that the correct RAM user is selected.
  - Policy: Select one or more policies to attach. Policies come in two types:

    | Type | Description |
    | --- | --- |
    | System policies | Predefined by Alibaba Cloud. You can use but not modify these policies. For available policies, see Services that work with RAM. |
    | Custom policies | Policies you create and manage. For more information, see Create a custom policy. |

    Note: The system highlights high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching policies that grant more permissions than needed.
- Click Confirm New Authorization.
- Click Close.
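The following added example is not part of the Alibaba Cloud documentation. It audits a constructed RAM user inventory against the guidance in Steps 1 and 2: the logon name rule, one access mode per user, MFA for console users, and no high-risk policies. The inventory field names and the policy name `ExampleRabbitMQReadOnly` are assumptions for illustration, not the RAM API response format.

```python
import re

# Logon name rule from the Step 1 table: letters, digits, '.', '-', '_'; max 64 chars.
LOGON_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Policies the page names as high-risk.
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}


def audit_user(user):
    """Return a sorted list of findings for one inventory record."""
    findings = []
    logon_name = user["user_principal_name"].split("@", 1)[0]
    if not LOGON_NAME.fullmatch(logon_name):
        findings.append("invalid-logon-name")
    console = user.get("console_access", False)
    keys = user.get("access_keys", 0)
    # Step 1: select only one access mode per user.
    if console and keys > 0:
        findings.append("both-access-modes")
    # Step 1: console users should be required to bind an MFA device.
    if console and not user.get("mfa_bind_required", False):
        findings.append("console-without-mfa")
    # Step 2: avoid policies that grant more permissions than needed.
    for policy in user.get("policies", []):
        if policy in HIGH_RISK:
            findings.append("high-risk-policy:" + policy)
    return sorted(findings)


def audit(inventory):
    """Map each user that has at least one finding to its findings."""
    report = {}
    for user in inventory:
        findings = audit_user(user)
        if findings:
            report[user["user_principal_name"]] = findings
    return report


# Constructed sample inventory (field names are assumptions, values are made up).
SAMPLE = [
    {"user_principal_name": "alice@example-alias.onaliyun.com", "console_access": True,
     "mfa_bind_required": True, "access_keys": 0, "policies": ["ExampleRabbitMQReadOnly"]},
    {"user_principal_name": "bob@example-alias.onaliyun.com", "console_access": True,
     "mfa_bind_required": False, "access_keys": 1, "policies": ["AdministratorAccess"]},
    {"user_principal_name": "order svc@example-alias.onaliyun.com", "console_access": False,
     "access_keys": 1, "policies": []},
]

if __name__ == "__main__":
    for upn, findings in audit(SAMPLE).items():
        print(upn, findings)
```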
What's next
RAM users can now access ApsaraMQ for RabbitMQ through the console or API.
Console access
- Open the RAM user logon page.
- On the RAM User Logon page, enter the logon name and click Next, then enter the password and click Log On.
  The logon name uses the format <username>@<AccountAlias> or <username>@<AccountAlias>.onaliyun.com. If no account alias is set, the Alibaba Cloud account ID is used as the default alias.
API access
Authenticate API calls to ApsaraMQ for RabbitMQ with the RAM user's AccessKey ID and AccessKey secret.