A Resource Access Management (RAM) user can be used to access the resources of IoT Platform. This topic describes how to create a RAM user, authorize a RAM user to access the resources of IoT Platform, and use a RAM user to log on to the IoT Platform console.
Prerequisites
To use a RAM user to access IoT Platform, you must create a RAM user and attach a policy that contains the access permissions on IoT Platform to the RAM user. For more information about how to create custom policies, see Custom permissions.
If you grant root permissions or excessive permissions to an operator, security risks or financial losses may occur due to unexpected operations that are performed by the operator. Proceed with caution.
Create a RAM user
If RAM users are available, skip the following steps.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the following parameters:
- Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
- Display Name: The display name can be up to 128 characters in length.
- Optional: Tag: You can click the icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
- Console Access
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
- Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
- Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
- Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Enable an MFA device for a RAM user.
- OpenAPI Access
If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.
- Click OK.
After you create a RAM user, you can use the RAM user to log on to the Alibaba Cloud official website and the IoT Platform console. For more information about the portal of the IoT Platform console and how to log on to the console as a RAM user, see Logon portals and Log on to the console as a RAM user.
Only authorized RAM users can access your Alibaba Cloud resources. To allow a RAM user to access the resources of IoT Platform, you must grant the RAM user the access permissions on IoT Platform.
Grant permissions to a RAM user to access IoT Platform
In the RAM console, you can grant permissions to a single RAM user on the Users page. You can also grant the same permissions to all members in a RAM user group on the Groups page. For more information, see Grant permissions to a RAM user group. The following example shows how to grant permissions to a single RAM user.
- Log on to the RAM console with an Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
In the Add Permissions panel, grant permissions to the RAM user.
- Select the authorization scope.
- Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
- Specific Resource Group: The permissions take effect in a specific resource group.
Note If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
- Specify the principal. The principal is the RAM user to which you want to grant permissions.
- Select an IoT Platform RAM policy that you want to attach to the RAM user.
Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK.
- Click Complete.
After authorization is complete, the RAM user can access resources and perform operations that are defined in the policies that are attached to the RAM user.
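Given the warning above about excessive permissions, it is worth checking what the Allow statements of a policy actually grant before attaching it. The following Python helper is an added example, not code from this page or from Alibaba Cloud. It assumes the RAM policy document format (Version "1", a Statement list with Effect, Action and Resource, where Action and Resource may be a string or a list) and uses constructed sample policies; the `iot` prefix is the service code used by IoT Platform actions, and the wildcard action names in the samples are illustrative.

```python
import json
from typing import List

# Constructed sample policies in the Alibaba Cloud RAM policy document format.
# They are written for this example and are not policies from the page.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

IOT_SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        # Read-style IoT Platform actions only (illustrative wildcards).
        {"Effect": "Allow", "Action": ["iot:Query*", "iot:List*"], "Resource": "*"},
        # An explicit Deny never widens access, so it is not a finding.
        {"Effect": "Deny", "Action": "iot:Delete*", "Resource": "*"},
    ],
})


def _as_list(value) -> List[str]:
    """RAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(document: str, expected_service: str = "iot") -> List[str]:
    """Return human-readable findings for Allow statements that grant more than
    IoT Platform access. An empty list means the policy stays within scope."""
    policy = json.loads(document)
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow what is allowed
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' grants every API of every service")
                continue
            service, _, verb = action.partition(":")
            if service != expected_service:
                findings.append(f"statement {idx}: action '{action}' is outside the {expected_service} service")
            elif verb == "*":
                findings.append(f"statement {idx}: '{action}' grants every IoT Platform API")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", IOT_SCOPED_POLICY)):
        print(name, review_policy(doc) or ["no findings"])
```

Run it against the policy document you intend to attach; any finding means the RAM user would receive permissions beyond IoT Platform, which is exactly the situation the prerequisite note warns about.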
Log on to the console as a RAM user
If you use an Alibaba Cloud account, you can log on to the IoT Platform console from the Alibaba Cloud official website. If you are a RAM user, you must log on to the console from the RAM User Logon page. For more information about the portal, see Logon portals.
- Log on to the Alibaba Cloud Management Console as a RAM user.
- On the RAM User Logon page, enter the username of the RAM user and click Next.
- Logon name 1: default domain name. The format of the logon name of the RAM user is <UserName>@<AccountAlias>.onaliyun.com. Example: username@company-alias.onaliyun.com.
Note <UserName> indicates the username of the RAM user. <AccountAlias>.onaliyun.com indicates the default domain name. For more information, see Terms and View and modify the default domain name.
- Logon name 2: the account alias. The format of the logon name of the RAM user is <UserName>@<AccountAlias>. Example: username@company-alias.
Note <UserName> indicates the username of the RAM user. <AccountAlias> indicates the account alias. For more information, see Terms and View and modify the default domain name.
- Logon name 3: the domain alias. If you configured a domain alias, you can use this logon name. The format of the logon name of the RAM user is <UserName>@<DomainAlias>. Example: username@example.com.
Note <UserName> indicates the username of the RAM user. <DomainAlias> indicates the domain alias. For more information, see Terms and Create and verify a domain alias.
- Enter the logon password and click Log On.
- Optional: If MFA is enabled for the RAM user, enter the verification code that is generated by the virtual MFA device, or complete the Universal 2nd Factor (U2F) authentication.
For more information, see Multi-factor authentication (MFA) and Enable an MFA device for a RAM user.
- In the upper-right corner of the Alibaba Cloud Management Console, enter IoT Platform in the search box and click IoT Platform in the recommended results to go to the IoT Platform console.
After you log on to the IoT Platform console as a RAM user, you can use the RAM user to perform authorized operations in the console.