You can create Resource Access Management (RAM) users and grant permissions to the RAM users to access different resources. If multiple users in your enterprise need to simultaneously access resources, you can use RAM to assign the least permissions to the users. This prevents the users from sharing the username and password or AccessKey pair of an Alibaba Cloud account and reduces security risks. Alibaba Cloud provides a quick configuration method that is developed based on best practices for common scenarios. The method presets relevant system policies for RAM users. This helps you create a RAM user and grant permissions to the RAM user in an efficient manner. You can also manually create a RAM user and grant permissions to the RAM user based on your business requirements.
Quick configuration
Step 1: Create a RAM user and grant permissions to the RAM user
Log on to the RAM console by using an Alibaba Cloud account.
On the Overview page, click the Get Started tab.
Select a scenario based on your business requirements.
For example, you can select Network Administrator. The network administrator is responsible for building and managing the network architecture of your enterprise. The network administrator can activate, purchase, and create network-related services, and has permissions on Elastic Compute Service (ECS) security groups and all permissions on network services.
View or modify the parameters.
You can view all parameters but modify only specific parameters. The parameters displayed in the console prevail.
Click Perform.
View the configuration progress. After the configuration is complete, save the username and password of the RAM user.
You can modify the configurations of the account administrator that is created by using the quick configuration method in the RAM console.
Step 2: Log on to the Alibaba Cloud Management Console as the RAM user
Log on to the
Alibaba Cloud Management Console with the account administrator.NoteThe logon portal for a RAM user is different from the logon portal for an Alibaba Cloud account. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
On the RAM User Logon page, enter the username of the account administrator and click Next.
Enter the logon password and click Log On.
Optional. If you enable multi-factor authentication (MFA), enter the verification code that is provided by the virtual MFA device or configure settings to pass the Universal 2nd Factor (U2F) authentication.
Manual configuration
Step 1: Create a RAM user
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
NoteYou can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
Console Access
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
Enable MAF: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user.
OpenAPI Access
If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.
ImportantAn AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
Click OK.
Complete security verification as prompted.
Step 2: (Optional) Create a custom policy
RAM provides system policies and custom policies. System policies are provided by Alibaba Cloud and cannot be modified. If system policies cannot meet your business requirements, you can create a custom policy to implement fine-grained access control.
You can create a custom policy by using different methods. In this example, a custom policy is created on the Visual editor tab. For more information, see Create a custom policy.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Visual editor tab.
Configure the policy and click Next to edit policy information.
In the Effect section, select Allow or Deny.
In the Service section, select an Alibaba Cloud service.
NoteThe Alibaba Cloud services that you can select are displayed in the Service section.
In the Action section, select All action(s) or Select action(s).
The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select actions.
In the Resource section, select All resource(s) or Specified resource(s).
The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.
NoteThe resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.
In the Condition section, click Add condition to configure a condition.
Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You need to only select a condition key and configure the Operator and Value parameters.
Click Add statement and repeat the preceding steps to configure multiple custom policy statements.
Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Step 3: Grant permissions to the RAM user
When you grant permissions to a RAM user, we recommend that you grant only the required permissions to the RAM user based on the principle of least privilege.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
ImportantIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Configure the Policy parameter.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
NoteThe system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
Step 4: Log on to the Alibaba Cloud Management Console as the RAM user
Log on to the
Alibaba Cloud Management Console with the account administrator.NoteThe logon portal for a RAM user is different from the logon portal for an Alibaba Cloud account. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
On the RAM User Logon page, enter the username of the account administrator and click Next.
Enter the logon password and click Log On.
Optional. If you enable multi-factor authentication (MFA), enter the verification code that is provided by the virtual MFA device or configure settings to pass the Universal 2nd Factor (U2F) authentication.