With the RAM user feature of Resource Access Management (RAM), you can split permissions, grant different permissions to RAM users as needed, and avoid security risks caused by the exposure of Alibaba Cloud account keys.
Background information
For security purposes, you can create RAM users for your Alibaba Cloud account and grant different permissions to these RAM users as needed. This way, you can enable RAM users to perform their own duties without exposing the key of your Alibaba Cloud account. In this topic, if Enterprise A wants to allow some employees to handle routine O&M tasks, Enterprise A can create RAM users and grant the corresponding permissions to the RAM users. After that, employees can use these RAM users to log on to the console or call API operations.
Application Real-Time Monitoring Service (ARMS) provides two system policies to grant full permissions or read-only permissions. You can select a system policy based on your business requirements.
AliyunARMSFullAccess: grants full permissions to RAM users on ARMS. RAM users can view, edit, or delete instances of all sub-services.
NoteAfter you attach the AliyunARMSFullAccess policy to a RAM user, you do not need to attach the AliyunARMSReadOnlyAccess policy to the RAM user.
AliyunARMSReadOnlyAccess: grants read-only permissions to RAM users on ARMS. RAM users can view the instance information of each sub-service, and cannot modify or delete the information.
ImportantTo grant the read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to and grant the ReadTraceApp permission to the resource group. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.
Prerequisites
ARMS is activated. For more information, see Activate ARMS.
RAM is activated. For more information, see Activate RAM.
Step 1: Create a RAM user
Procedure
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
NoteYou can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
Console Access
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
Enable MAF: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.
Using permanent AccessKey to access
If the RAM user represents a program, you can select Using permanent AccessKey to access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.
ImportantAn AccessKey secret for a RAM user is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.
Click OK.
Complete security verification as prompted.
Step 2: Grant permissions to the RAM user
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
ImportantIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
NoteThe system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
What to do next
After you create a RAM user by using an Alibaba Cloud account, you can share the logon name and password or AccessKey pair of the RAM user with other users. The users can perform the following steps to log on to the Alibaba Cloud Management Console or call API operations as the RAM user.
Log on to the Alibaba Cloud Management Console
Log on to the Alibaba Cloud Management Console as a RAM user.
On the RAM User Logon page, enter the username of the RAM user and click Next.
Logon name 1: default domain name. The format of the logon name of the RAM user is
<UserName>@<AccountAlias>.onaliyun.com
, such as username@company-alias.onaliyun.com.Note<UserName>
indicates the username of the RAM user.<AccountAlias>.onaliyun.com
indicates the default domain name. For more information, see Terms and View and modify the default domain name.Logon name 2: the account alias. The format of the logon name of the RAM user is
<UserName>@<AccountAlias>
, such as username@company-alias.Note<UserName>
indicates the username of the RAM user.<AccountAlias>
indicates the account alias. For more information, see Terms and View and modify the default domain name.Logon name 3: the domain alias. If you configured a domain alias, you can use this logon name. The format of the logon name of the RAM user is
<UserName>@<DomainAlias>
, such as username@example.com.Note<UserName>
indicates the username of the RAM user.<DomainAlias>
indicates the domain alias. For more information, see Terms and Create and verify a domain alias.
Enter the logon password and click Log On.
Optional. If multi-factor authentication (MFA) is enabled, pass the authentication.
For more information, see MFA and Bind an MFA device to a RAM user.
Use the AccessKey pair of the RAM user to call API operations
When you call an API operation, specify the AccessKey ID and the AccessKey secret of the RAM user in the code.