All Products
Search
Document Center

Simple Log Service:AccessKey pair

Last Updated:Dec 19, 2024

An Alibaba Cloud AccessKey pair is a secure identity credential that you can use to access Alibaba Cloud resources by calling API operations. You can use an AccessKey pair to sign API requests to pass the security authentication. This topic describes how to create and obtain an AccessKey pair.

What is an AccessKey pair?

An AccessKey pair is a permanent access credential that is provided by Alibaba Cloud to a user. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to identify a user.

  • The AccessKey secret is used to verify the identity of the user.

The AccessKey ID and AccessKey secret are generated by RAM based on algorithms. Alibaba Cloud encrypts the AccessKey ID and AccessKey secret during storage and transmission.

You cannot use the AccessKey pair for console logons. When you use a development tool such as an API, CLI, SDK, or Terraform to access Alibaba Cloud, the initiated requests include the AccessKey ID and the signature that is generated to encrypt the requests by using the AccessKey secret. In this case, the AccessKey pair is used for identity verification and request validity verification.

Important
  • By default, an Alibaba Cloud account is an administrator and has the permissions to manage all Alibaba Cloud resources of the Alibaba Cloud account. You cannot change the permissions of the Alibaba Cloud account. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To ensure account security, we recommend that you do not create an AccessKey pair for an Alibaba Cloud account. Instead, we recommend that you create a RAM user for whom only the API access mode is enabled, and create an AccessKey pair for the RAM user. After you grant only the required permissions to the RAM user based on the principle of least privilege, the RAM user can call API operations to access Alibaba Cloud resources.

  • We recommend that you do not include AccessKey pairs in your project code. If you do, the AccessKey pairs may be leaked. For more information about how to use an AccessKey pair in a secure manner, see Credential security solutions.

Create an AccessKey pair for a RAM user

Prerequisites

You can use one of the following accounts to create an AccessKey pair for a RAM user:

  • An Alibaba Cloud account.

  • A RAM administrator to whom the AliyunRAMFullAccess policy is attached.

  • A RAM user who is granted the permissions to manage AccessKey pairs. You can use the Alibaba Cloud account to which the RAM user belongs to grant the permissions. For more information about how to grant a RAM user the permissions to manage AccessKey pairs, see Manage the security settings of RAM users.

Limits

  • The AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. This helps reduce the risks of AccessKey pair leaks. Record the AccessKey secret and keep it confidential.

  • You can create a maximum of two AccessKey pairs for a RAM user.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the username of the RAM user whom you want to manage.

  4. In the AccessKey section of the Authentication tab, click Create AccessKey.

    image

  5. In the Create AccessKey message, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

    image

  6. Click OK.