A user credential report contains the details of your Alibaba Cloud account and Resource Access Management (RAM) users. The details include logon passwords, AccessKey pairs, and multi-factor authentication (MFA) devices. User credential reports can be generated and downloaded in the RAM console. You can use the user credential reports for compliance checks and auditing.
Limits
If the number of RAM users exceeds 3,500, no user credential reports can be generated.
Procedure
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, click Overview.
On the Overview tab, click Download User Credential Report.
After the user credential report is generated, click Download to save the report to your computer.
NoteThe time period required to generate the user credential report is affected by the number of RAM users within the current Alibaba Cloud account. If a long period of time is required to generate the report, you can click Download Later. A new user credential report in the CSV format can only be generated every four hours. When you send a request to download a report, RAM first checks whether a report has been generated within the last four hours. If the latest report is generated within the last four hours, the latest report is downloaded. If the latest report is generated four hours or more earlier, or if no previous report has been generated, RAM generates a new report.
Result
The following table describes the fields that are included in the user credential report.
Field | Example | Description |
user | username@company-alias.onaliyun.com | The usernames of the Alibaba Cloud account and the RAM users. The value in the first row of the CSV file is <root>, which indicates the Alibaba Cloud account. The values in the remaining rows are the usernames of the RAM users within your Alibaba Cloud account, and the values are in the User Principal Name (UPN) format. |
user_creation_time | 2019-11-11T12:33:18Z | The time at which the RAM users were created. Note The time follows the ISO 8601 standard in the YYYY-MM-DDThh:mm:ssZ format. The time must be in UTC. |
user_last_logon | 2019-11-11T12:45:18Z | The time at which the RAM users last logged on to the RAM console. Note The RAM users may log on to the RAM console by using passwords or single sign-on (SSO). If a RAM user has never logged on to the RAM console, the value of this field is a hyphen ( |
password_exist | TRUE | Indicates whether a password for logging on to the RAM console is available. Valid values:
Note If you use a resource account that is created on the Resource Directory page of the Resource Management console, you can view the password. However, the password cannot be used to log on to the RAM console. For more information, see Create a member. |
password_active | N/A | Indicates whether a password is active. Valid values:
|
password_last_changed | 2019-11-11T12:50:18Z | The time at which a password is last changed. If the logon configurations for a RAM user are unavailable, the value for the RAM user is Note RAM records the changes that were made after April 5, 2016. If a password was changed on this date or earlier, the value for this field is |
password_next_rotation | 2019-11-13T12:50:18Z | The time at which a new password must be configured in compliance with the password rotation policy.
|
mfa_active | TRUE | Indicates whether an MFA device is enabled. Valid values: |
access_key_1_exist | TRUE | Indicates whether the first AccessKey pair exists. Valid values: |
access_key_1_active | TRUE | Indicates whether the first AccessKey pair is active. Valid values: |
access_key_1_last_rotated | 2019-11-11T12:50:18Z | The time at which the first AccessKey pair is created or last changed. If no AccessKey pairs are created, the value is |
access_key_1_last_used | 2019-11-13T12:50:18Z | The time at which the first AccessKey pair was last used.
Note RAM started to track the last usage time of AccessKey pairs from June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario. |
access_key_2_exist | TRUE | Indicates whether the second AccessKey pair exists. Valid values: |
access_key_2_active | TRUE | Indicates whether the second AccessKey pair is active. Valid values: |
access_key_2_last_rotated | 2019-11-11T12:50:18Z | The time at which the second AccessKey pair is created or last changed. If no AccessKey pairs are created, the value is |
access_key_2_last_used | 2019-11-13T12:50:18Z | The time at which the second AccessKey pair was last used.
Note RAM started to track the last usage time of AccessKey pairs from June 1, 2019. The user credential report may not include the usage records of the AccessKey pairs in an interval leading up to the report generation time. The interval is about two hours, but the actual time may vary based on the scenario. |
A maximum of two AccessKey pairs can be created for each Alibaba Cloud account or RAM user in the RAM console. Before this limit takes effect, more than two AccessKey pairs can be created. Therefore, an Alibaba Cloud account or a RAM user may have more than two AccessKey pairs. The information about the additional AccessKey pairs is listed in the last columns of the CSV file. The names of these columns start with additional_access_key_.