To call API operations or use the SDKs of OpenSearch LLM-Based Conversational Search Edition as a Resource Access Management (RAM) user with AccessKey pair authentication, or to log on to the OpenSearch LLM-Based Conversational Search Edition console as a RAM user, you must grant the required permissions to the RAM user. If multiple users in your enterprise need to use OpenSearch LLM-Based Conversational Search Edition, you can create multiple RAM users and grant only the required permissions to each RAM user. This way, users do not need to share the username and password or the AccessKey pair of an Alibaba Cloud account, which improves management efficiency and reduces the risk of information leakage.
This topic describes how to create a RAM user and grant the RAM user the permissions to perform operations on OpenSearch LLM-Based Conversational Search Edition, such as viewing instances and instance details.
Prerequisites
At least one RAM user is created within your Alibaba Cloud account. For more information, see Create a RAM user.
Procedure
Log on to the RAM console by using the administrator account.
RAM supports the following two types of policies:
System policy: System policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them.
Custom policy: You can create, modify, delete, and upgrade custom policies to meet your business requirements.
(Optional) Create a custom policy.
If the system policies provided by Alibaba Cloud cannot meet your requirements, you can create custom policies to implement the principle of least privilege based on the authorization rules of applications. For more information, see Create custom policies.
Examples of common minimum permission sets
Grant permissions to the RAM user.
Attach system policies or custom policies that you created to the RAM user to grant the RAM user the permissions to access or perform operations on resources. For more information, see Grant permissions to a RAM user. After you configure or update permissions for a RAM user, the permissions take effect after 5 minutes.
After the permissions are granted to the RAM user, you can log on to the OpenSearch console as the RAM user.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
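A custom policy written for the optional step above can be checked for over-broad grants before it is attached to a RAM user. The following Python check is an added example, not part of the original topic or of Alibaba Cloud's tooling: it flags Allow statements in a RAM policy document that use wildcard actions, actions of another service, or wildcard resources. The action names, region, account ID and resource path in the sample policies are constructed placeholders, and the opensearch service prefix is an assumption.

```python
import json

# Constructed sample policies. The action names and the resource ARN are
# placeholders, not real OpenSearch identifiers; take the real ones from the
# product's authorization rules.
BROAD_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "opensearch:*", "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["opensearch:ExampleListInstances", "opensearch:ExampleGetInstance"],
    "Resource": "acs:opensearch:cn-example:1234567890123456:instances/example-instance"
  }]
}""")


def as_list(value):
    """Policy elements may be a single value or a list of values."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy, service="opensearch"):
    """Return findings for Allow statements broader than named actions of one service."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.partition(":")[0].lower() != service:
                findings.append(f"statement {i}: action {action!r} is outside {service!r}")
        for resource in as_list(stmt.get("Resource")):
            # Only the last ARN segment (the resource itself) is checked;
            # wildcards in the region or account fields are not flagged.
            if "*" in resource.rsplit(":", 1)[-1]:
                findings.append(f"statement {i}: wildcard resource {resource!r}")
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol))
```

An empty result means every Allow statement names explicit actions of the expected service on explicit resources; it does not confirm that those actions are the minimum the user needs.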
References
You can view the permissions that are granted to a RAM user and the permissions that the RAM user inherits from RAM user groups. For more information, see View the permissions of a RAM user.
If a RAM user no longer requires specific permissions or the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.
You can view the multi-factor authentication (MFA) methods that are supported by RAM users, as well as the usage notes and limits of MFA. For more information, see What is multi-factor authentication?