Using your Alibaba Cloud root account to access ApsaraDB for ClickHouse exposes all your cloud resources if credentials are compromised. Instead, create RAM users or RAM roles with only the permissions they need, and use those identities to access ClickHouse.
RAM users
RAM users are sub-identities created under your Alibaba Cloud account. A RAM user can be created by the Alibaba Cloud account owner or by any RAM user or RAM role that has administrative rights. RAM users have no permissions by default—they can log in to the console or call API operations only after you explicitly grant permissions.
You can use the RAM console or call API operations to create RAM users. If you use the RAM console, you must provide the username and password of your Alibaba Cloud account. If you call API operations, you must provide your AccessKey pair.
Best practices for RAM users:
Create a dedicated admin RAM user. Use your Alibaba Cloud account to create one RAM user with administrative rights, then use that RAM user to manage all other RAM users. This reduces how often you use the root Alibaba Cloud account credentials.
Separate individual users from service accounts. Create distinct RAM users for people and for programs (applications, scripts, pipelines). This limits the blast radius if credentials are compromised.
Apply the principle of least privilege. Grant each RAM user only the permissions required for their role. Review and revoke permissions when they are no longer needed.
Enable multi-factor authentication (MFA). For RAM users who log in through the RAM console, enable MFA to add a second verification step beyond the login password.
Enable single sign-on (SSO). Allow RAM users to authenticate through your corporate identity provider instead of managing separate Alibaba Cloud credentials.
Never embed an AccessKey ID or AccessKey secret in code. AccessKey pairs hardcoded in source code are frequently leaked through version control systems, exposing all resources in your account. Use Security Token Service (STS) tokens or environment variables to pass credentials to applications at runtime.
Related topics
RAM user groups
Group RAM users to manage permissions at scale. All members of a RAM user group inherit the group's permissions, so you can grant or revoke access for an entire team by updating the group rather than individual users.
Best practices for RAM user groups:
Apply least privilege at the group level. Assign only the permissions the group genuinely needs. Avoid broad permissions that individual members don't use.
Remove users when their role changes. If a team member moves to a different project or leaves the organization, remove them from the group to avoid permission accumulation.
Remove users when they no longer need the group's permissions. Even if a user's role has not changed, remove them from the group if they no longer require the permissions it provides.
RAM roles
A RAM role is a virtual identity with policies attached. Unlike RAM users, roles have no permanent credentials—no login password and no AccessKey pair. A role can only be used after a trusted entity assumes it.
How role assumption works:
Grant the AssumeRole permission to a trusted entity.
The trusted entity calls the AssumeRole API operation to obtain a temporary STS token.
The trusted entity uses the STS token to access Alibaba Cloud resources with the role's permissions.
The STS token expires after the session duration you configure for the role.
The maximum validity period of an STS token equals the longest session duration configured for the RAM role. We recommend that you specify an appropriate session duration for a RAM role to reduce security risks.
Best practices for RAM roles:
Avoid frequent changes to a role's trusted entity. Changing the trusted entity after a role is in use risks permission loss or unintended privilege escalation. Test all changes in a non-production environment before applying them.
Enable SSO for RAM roles. Allow roles to be assumed through your corporate identity provider to access Alibaba Cloud resources from the identity management systems of their enterprises.