
ApsaraVideo VOD:Create and grant permissions to a RAM user

Last Updated:Feb 09, 2026

To secure your Alibaba Cloud account, we recommend that you follow the principle of least privilege by creating separate RAM users for employees, systems, and applications. You can then grant these users only the permissions that they need to perform their tasks. Creating RAM users is free of charge. Your Alibaba Cloud account is billed for the resources that are used by the RAM users. This topic describes how to create a RAM user in the RAM console or by calling API operations, and how to grant that user permissions on ApsaraVideo VOD.

Prerequisites

An Alibaba Cloud account is created and identity verification is complete. To create an Alibaba Cloud account, visit the Alibaba Cloud official website. For more information, see Create an Alibaba Cloud account.

Create a RAM user

Note
  • In Step 4, set Logon Name to vod. This topic uses vod as an example logon name.

  • In Step 5, select OpenAPI Access for Access Mode.

Procedure

Console

  1. Log on to the RAM console using your Alibaba Cloud account or as a RAM user with administrative permissions on RAM (for example, a user to which the AliyunRAMFullAccess policy is attached).

  2. In the left-side navigation pane, choose Identity > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the basic information for the user.

    • Logon Name (required): The logon name can contain letters, digits, periods (.), hyphens (-), and underscores (_). It can be up to 64 characters in length.

    • Display Name (optional): The display name can be up to 128 characters in length.

    • Tag (optional): Click the edit icon and enter a tag key and a tag value. Tags help you categorize and manage RAM users.

    Note

    Click Add User to create multiple RAM users at the same time.

  5. In the Access Mode section, select an access mode based on the user type.

    Important
    • As a security best practice, we recommend selecting only one access mode per user. This creates a clear separation between human users who require console access and applications that require programmatic access.

    • An AccessKey pair is a long-term credential for programmatic access. If an AccessKey pair is leaked, the security of all resources in your account is at risk. We recommend that you use Security Token Service (STS) tokens as temporary credentials to reduce the risk of credential leakage. For more information, see Best practices for using an access credential to call API operations.

    Console access

    For human users, such as employees, select Console Access.

    • Set Logon Password: Choose one of the following password options:

    • Password Reset: Specifies whether the RAM user must reset the password at the next logon.

    • Enable MFA: By default, multi-factor authentication (MFA) is required for logon. To modify this setting, see Manage the security settings of RAM users. RAM users must bind an MFA device during their first logon. For more information, see Bind an MFA device to a RAM user.

    Programmatic access

    For applications or systems, select Using permanent AccessKey to access.

    After you enable this option, the system automatically creates an AccessKey ID and an AccessKey secret for the RAM user.

    Important

    The AccessKey secret is displayed only once upon creation and cannot be retrieved later. This is your only opportunity to view and save the secret. You must copy and save it to a secure location immediately or click Download CSV File to download the file. If an AccessKey pair is leaked, it compromises the security of all resources in your account. For more information, see Create an AccessKey pair.

API

Create a RAM user for console access

  1. Call GetDefaultDomain to obtain the default logon suffix for your account. The format is <AccountAlias>.onaliyun.com.

  2. Call CreateUser to create a RAM user. The required parameters are as follows:

    1. UserPrincipalName: The logon name of the RAM user. The format is <username>@<AccountAlias>.onaliyun.com. <username> is the name of the RAM user, and <AccountAlias>.onaliyun.com is the default logon suffix.

    2. DisplayName: The display name of the RAM user. It can be different from the <username>.

  3. Call CreateLoginProfile to create a login profile for the user, which enables console access. The recommended settings for some parameters are as follows:

    1. UserPrincipalName: The logon name of the RAM user that you created in the previous step.

    2. Password: Set a password that meets the password complexity requirements of your account. You can call GetPasswordPolicy to query the password policy for RAM users.

    3. MFABindRequired: We recommend that you require MFA for the RAM user. To do this, set this parameter to true.

    4. Status: Specifies whether to enable password-based logon to the console. Keep the default value Active.

Create a RAM user for programmatic access

  1. Call GetDefaultDomain to obtain the default logon suffix for your account in the format <AccountAlias>.onaliyun.com.

  2. Call CreateUser to create a RAM user. The required parameters are as follows:

    1. UserPrincipalName: The logon name of the RAM user. The format is <username>@<AccountAlias>.onaliyun.com. <username> is the name of the RAM user, and <AccountAlias>.onaliyun.com is the default logon suffix.

    2. DisplayName: The display name of the RAM user. It can be different from the <username>.

  3. Call CreateAccessKey to create an AccessKey pair. You only need to specify the UserPrincipalName for the RAM user that you created in the previous step.

    Important

    The CreateAccessKey API operation returns an AccessKey ID and an AccessKey secret. This is your only opportunity to view and save the secret. You must copy and save it to a secure location immediately. If an AccessKey pair is leaked, it compromises the security of all resources in your account. For more information, see Create an AccessKey.

Important

After you click OK in the console, the system generates the credentials for the access mode that you selected: an initial logon password for console access, or an AccessKey pair (AccessKey ID and AccessKey secret) for programmatic access. Save them in a secure location immediately. You cannot retrieve them later.

Grant permissions to a RAM user

  1. In the RAM console, go to the Users page. Find the vod user that you created and click Add Permissions in the Actions column.

  2. In the Add Permissions panel, grant permissions to the RAM user.

    Note

    This topic attaches the AliyunVODFullAccess system policy to the vod user. This policy grants full permissions to manage all ApsaraVideo VOD resources, which keeps the example simple but is broader than many applications need. Following the principle of least privilege, prefer a narrower system policy (for example, AliyunVODReadOnlyAccess for a user that only queries resources) or a custom policy limited to the VOD API operations that the application actually calls. To find a policy, enter its name in the search box. For more information about the definitions and permissions of system policies for ApsaraVideo VOD, see System authorization policies.


    • Select a Resource Scope:

      • Account-level: The permissions apply to all resources that belong to the current Alibaba Cloud account.

      • Resource group-level: The permissions apply only to a specified resource group. If you grant permissions at the resource group level, the RAM user must switch to that resource group in the top navigation bar after logging on to the console. Otherwise, the user cannot access or manage resources in the group.

        Note
        1. The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. These policies typically grant full control over all cloud resources or full management permissions for RAM. Grant these permissions with caution.

        2. For an example of how to authorize a RAM user by resource group, see Restrict a RAM user to manage specific ECS instances using a resource group.

    • Select an Authorized Entity:

      The authorized entity is the RAM user to whom the permissions are granted. If you perform this operation on the Users page, the system automatically selects the current RAM user. If you perform this operation on the Authorization page, you must manually select one or more RAM users.

    • Select a Permission Policy:

      • System policy: Search for and select a system policy. Search tip: Use the search box to quickly find policies. You can search by product name (such as ECS or OSS), permission level (such as ReadOnly or FullAccess), or the full policy name.

      • Custom policy: You must first create a custom policy. For more information, see Create a custom policy.

    • Click Confirm Authorization.

  3. Review the authorization result and click Close.

What to do next

To grant console logon permissions to the RAM user at a later time, see Manage RAM user logon settings.