By using Resource Access Management (RAM) users, you can grant different permissions to different RAM users instead of sharing the AccessKey pair of your Alibaba Cloud account, which avoids the security risks caused by exposure of that AccessKey pair. After you grant permissions to RAM users, only RAM users with the specified permissions can access or manage resources in the Function Compute console. This topic describes how to create and authorize RAM users by using an Alibaba Cloud account, and how authorized RAM users can then manage resources.

Scenarios

Enterprise A has activated Function Compute and wants employees to manage Function Compute resources, such as creating and deleting services and functions. Employees that assume different roles require different permissions. Enterprise A has the following requirements:
  • For security purposes, Enterprise A does not want to disclose the AccessKey pair of the Alibaba Cloud account to the employees. Enterprise A prefers to create different RAM users for the employees and grant different permissions to the RAM users.
  • Only RAM users that are granted permissions can manage resources. Resource usage and costs are not calculated separately for each RAM user; all expenses are billed to the Alibaba Cloud account of Enterprise A.
  • Enterprise A can revoke the permissions of RAM users and delete the created RAM users at any time.

Step 1: Use the Alibaba Cloud account of Enterprise A to create RAM users for employees

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select Console Access, configure the console logon password, password reset policies, and multi-factor authentication (MFA) policies.
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for each RAM user. A RAM user that has console access only has no AccessKey pair, so the employee who used that RAM user cannot use an AccessKey pair to access Alibaba Cloud resources after leaving the organization.
  6. Click OK.

Step 2: Grant permissions to the RAM users

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach a policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.
Note The preceding policy can be a system policy or a custom policy. For more information, see Policies and sample policies. You can create, update, and delete custom policies. For more information, see Create a custom policy.
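The following custom policy is an added example, not part of the original topic, showing how the scenario's requirement that employees in different roles get different permissions can be expressed: the RAM user can list and view services, and can manage and invoke functions only inside one service, but cannot create or delete services. The Action names are Function Compute RAM actions; cn-hangzhou is a sample region, and <ACCOUNT_ID> and <SERVICE_NAME> are placeholders to replace with your own values.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "fc:ListServices",
        "fc:GetService"
      ],
      "Resource": "acs:fc:cn-hangzhou:<ACCOUNT_ID>:services/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "fc:ListFunctions",
        "fc:GetFunction",
        "fc:CreateFunction",
        "fc:UpdateFunction",
        "fc:DeleteFunction",
        "fc:InvokeFunction"
      ],
      "Resource": "acs:fc:cn-hangzhou:<ACCOUNT_ID>:services/<SERVICE_NAME>/functions/*"
    }
  ]
}
```

Because the first statement grants only read actions on services, an employee with this policy cannot create or delete services even though the second statement lets them fully manage functions within <SERVICE_NAME>; attaching the system policy AliyunFCFullAccess instead would grant every Function Compute action on every resource.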

What to do next

After the RAM user is created by using the Alibaba Cloud account, Enterprise A can allocate the username and password or the AccessKey pair of the RAM user to an employee. The employee can then use the RAM user to log on to the Alibaba Cloud console or to call API operations.