Key Management Service: Create an AccessKey pair

Last Updated: Jun 18, 2024

This topic describes how to create an AccessKey pair for a Resource Access Management (RAM) user and an Alibaba Cloud account.

What is an AccessKey pair?

An AccessKey pair is a permanent access credential that is provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to identify a user.

  • The AccessKey secret is used to verify the identity of the user.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

You cannot use an AccessKey pair to log on to the console. When you use a development tool such as an API, CLI, SDK, or Terraform to access Alibaba Cloud, each request includes the AccessKey ID and a signature that is computed over the request by using the AccessKey secret. In this case, the AccessKey pair is used for identity verification and request validity verification.
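The following added example (not part of the original Alibaba Cloud documentation or any Alibaba Cloud SDK) sketches both sides of such an exchange: the client sends the AccessKey ID and a signature, and the server looks up the secret by ID and recomputes the signature. The canonicalization, the HMAC-SHA256 choice, the `SERVER_KEYS` store and all sample values are assumptions made for illustration, not Alibaba Cloud's signature specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials (not real keys).
ACCESS_KEY_ID = "EXAMPLE-ACCESS-KEY-ID"
ACCESS_KEY_SECRET = "example-access-key-secret"
# Hypothetical server-side store: AccessKey ID -> AccessKey secret.
SERVER_KEYS = {ACCESS_KEY_ID: ACCESS_KEY_SECRET}


def _enc(value) -> str:
    return quote(str(value), safe="")


def canonicalize(method: str, params: dict) -> str:
    """Deterministic string built from the method and the sorted, percent-encoded parameters."""
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return f"{method.upper()}&{_enc('/')}&{_enc(query)}"


def sign(method: str, params: dict, secret: str) -> str:
    """Base64 HMAC-SHA256 over the canonical request, keyed with the secret."""
    mac = hmac.new(secret.encode(), canonicalize(method, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def client_request(method: str, params: dict) -> dict:
    """What goes on the wire: parameters, AccessKey ID and signature, never the secret."""
    sent = dict(params, AccessKeyId=ACCESS_KEY_ID)
    sent["Signature"] = sign(method, sent, ACCESS_KEY_SECRET)
    return sent


def server_verify(method: str, received: dict) -> bool:
    """Look up the secret by AccessKey ID, recompute the signature, compare in constant time."""
    secret = SERVER_KEYS.get(received.get("AccessKeyId", ""))
    if secret is None or "Signature" not in received:
        return False  # unknown identity or unsigned request
    unsigned = {k: v for k, v in received.items() if k != "Signature"}
    return hmac.compare_digest(sign(method, unsigned, secret), str(received["Signature"]))


if __name__ == "__main__":
    req = client_request("GET", {"Action": "DescribeKey", "KeyId": "key-constructed"})
    print("valid request accepted:", server_verify("GET", req))
    print("tampered request accepted:", server_verify("GET", dict(req, KeyId="key-other")))
```

Because the secret is the only input an observer of the request lacks, anyone who obtains it can produce valid signatures for that identity.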

Important
  • By default, an Alibaba Cloud account is an administrator and has the permissions to manage all Alibaba Cloud resources of the Alibaba Cloud account. You cannot change the permissions of the Alibaba Cloud account. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To ensure account security, we recommend that you do not create an AccessKey pair for an Alibaba Cloud account. We recommend that you create a RAM user for whom only the API access mode is enabled, and create an AccessKey pair for the RAM user. After you grant only the required permissions to the RAM user based on the principle of least privilege, the RAM user can call API operations to access Alibaba Cloud resources.

  • We recommend that you do not include AccessKey pairs in your project code. Otherwise, the AccessKey pairs may be leaked. For more information about how to use an AccessKey pair in a secure manner, see Credential security solutions.

Create an AccessKey pair for a RAM user

Prerequisites

You can use one of the following accounts to create an AccessKey pair for a RAM user:

  • An Alibaba Cloud account.

  • A RAM administrator to whom the AliyunRAMFullAccess policy is attached.

  • A RAM user that is granted the permissions to manage AccessKey pairs. You can use the Alibaba Cloud account to which the RAM user belongs to grant the permissions. For more information about how to grant a RAM user the permissions to manage AccessKey pairs, see Manage security settings of RAM users.

Limits

  • An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Record and keep your AccessKey secret confidential. If an AccessKey pair is leaked or lost, you must create another AccessKey pair.

  • You can create a maximum of two AccessKey pairs for a RAM user.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the username of the RAM user that you want to manage.

  4. In the AccessKey section of the Authentication tab, click Create AccessKey.

  5. In the Create AccessKey message, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

  6. Click OK.

Create an AccessKey pair for an Alibaba Cloud account

Limits

  • Starting November 20, 2023, if you use an Alibaba Cloud account, you can view the AccessKey secret only once when you create an AccessKey pair for the account. If you use an Alibaba Cloud account and you do not sign the informed consent form for AccessKey pairs that were created before July 5, 2023, you can save and download the AccessKey secret of your AccessKey pair for the last time.

  • You can create a maximum of five AccessKey pairs for an Alibaba Cloud account.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. Move the pointer over the profile picture in the upper-right corner of the page that appears and click AccessKey Management.

  3. In the Note message, read the security tips and click Use Current AccessKey Pair.

  4. On the AccessKey Pair page, click Create AccessKey.

  5. In the Create AccessKey message, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

  6. Select I have saved the AccessKey Secret.

  7. Click OK.
