This topic describes how to use Resource Access Management (RAM) to control which users under your Alibaba Cloud account can access Cloud Storage Gateway (CSG). To implement access control, you create RAM users or user groups and grant them only the permissions they require.
Background information
RAM is an Alibaba Cloud access control service that lets you share access to resources without exposing the AccessKey pair of your Alibaba Cloud account. You can grant each user only the minimum permissions it needs, which limits the damage a leaked credential can do. For more information, see What is RAM.
RAM users: If multiple users in your organization need to access your gateways, create a RAM user for each of them and attach a policy that allows only the required gateway operations. This avoids the leakage risk that comes from sharing the AccessKey pair of the Alibaba Cloud account and improves account security.
RAM user groups: You can create multiple user groups and grant different permissions to each group. Users in a group inherit the permissions attached to the group, so you can manage the permissions of all users in the group at the same time.
Create a RAM user
- Use your Alibaba Cloud account to log on to the RAM console.
- In the left-side navigation pane, open the Users page, and then click Create User.
- Configure the user account information.
- In the Access Mode section, select Console Access or OpenAPI Access. Select only the access mode the user actually needs: a user that calls the API from a server does not need a console password, and a user that only works in the console does not need an AccessKey pair.
- Select Reset Custom Password, enter an initial password, and select Required at Next Logon so that the user must set a new password at the first logon.
- (Optional) Enable a multi-factor authentication (MFA) device, and then confirm the creation. MFA is strongly recommended for every user that has console access.
- Save the user name, the password, and, if you selected OpenAPI Access, the AccessKey pair of the user.
Note: Save the AccessKey pair immediately and keep it strictly confidential. The AccessKey secret is displayed only once, when the AccessKey pair is created; if it is lost, create a new AccessKey pair and delete the old one.
Create a group
If you have multiple RAM users within your Alibaba Cloud account, you can create RAM user groups to classify and authorize these RAM users. Attach policies to the group rather than to each user; this simplifies the management of RAM users and permissions and makes it easier to review who holds which permissions.
- Use your Alibaba Cloud account to log on to the RAM console.
- In the left-side navigation pane, open the page that lists user groups, and then click Create User Group.
- Enter a user group name and a display name, and then confirm the creation.
Grant permissions to the RAM user or group
By default, a RAM user or user group has no permissions. Before you use a RAM user or group to manage resources, grant it permissions in the RAM console or by calling the related API operations. The following example shows how to grant permissions to a RAM user.
- On the Users page, find the RAM user that you want to authorize, and then click Add Permissions in the Actions column.
- On the Add Permissions page, set Principal to Account Level. In the Policies section, search for and select the required policies, and then click OK.
To access on-premises gateways, attach only the AliyunHCSSGWFullAccess and AliyunOSSFullAccess policies. To access gateways deployed on Alibaba Cloud, attach all of the following policies:
AliyunHCSSGWFullAccess: provides full access to CSG.
AliyunOSSFullAccess: provides full access to Object Storage Service (OSS).
AliyunVPCFullAccess: provides full access to Virtual Private Cloud (VPC).
AliyunECSFullAccess: provides full access to Elastic Compute Service (ECS).
Note: These are system policies that grant full access to each service, including buckets and instances that the gateway never touches. If the user only operates the gateway, consider writing a custom policy that limits OSS access to the buckets used by the gateway and attaching it in place of AliyunOSSFullAccess.
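The following is an added example, not code or policy text from the Alibaba Cloud documentation or from the CSG product. It builds a custom RAM policy that grants CSG access but confines OSS access to the buckets the gateway actually uses, instead of attaching AliyunOSSFullAccess, and it flags which statements are still as broad as a FullAccess system policy. Assumptions: the CSG action prefix is hcs-sgw: (inferred from the system policy name AliyunHCSSGWFullAccess, so verify it in the RAM console before use); the OSS actions listed are an assumed minimum for a gateway bucket and may need extending if the gateway reports access errors; the bucket name csg-cache-bucket is a placeholder; and the page does not list which VPC and ECS operations a cloud-deployed gateway calls, so those stay as service-wide wildcards.

```python
"""Least-privilege RAM custom policy for a CSG RAM user.

Added example, not from the Alibaba Cloud documentation. The "hcs-sgw:"
action prefix and the OSS action list below are assumptions; verify them
in the RAM console before attaching the policy.
"""
import json

# Assumed minimum set of OSS operations on the gateway's own bucket.
OSS_BUCKET_ACTIONS = [
    "oss:GetBucketInfo",
    "oss:ListObjects",
    "oss:GetObject",
    "oss:PutObject",
    "oss:DeleteObject",
    "oss:AbortMultipartUpload",
]


def oss_bucket_resources(bucket):
    """OSS ARNs for the bucket itself and for every object in it."""
    return [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]


def oss_full_access():
    """Shape of the system policy AliyunOSSFullAccess, for comparison."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}


def csg_policy(buckets, deployment="on-premises"):
    """Build a policy scoped to the given OSS buckets.

    deployment is "on-premises" (CSG + OSS, as the page says) or "cloud"
    (adds VPC and ECS). Returns a dict ready for json.dumps.
    """
    if deployment not in ("on-premises", "cloud"):
        raise ValueError(f"unknown deployment type: {deployment}")
    if not buckets:
        raise ValueError("at least one OSS bucket is required")
    resources = []
    for bucket in buckets:
        resources.extend(oss_bucket_resources(bucket))
    statements = [
        # CSG itself: assumed prefix, as broad as AliyunHCSSGWFullAccess.
        {"Effect": "Allow", "Action": "hcs-sgw:*", "Resource": "*"},
        # Listing buckets is account-wide, so it needs the OSS-wide ARN.
        {"Effect": "Allow", "Action": "oss:ListBuckets",
         "Resource": "acs:oss:*:*:*"},
        # Everything else is confined to the gateway's buckets.
        {"Effect": "Allow", "Action": OSS_BUCKET_ACTIONS,
         "Resource": resources},
    ]
    if deployment == "cloud":
        # The page does not name the VPC/ECS operations, so keep wildcards.
        statements.append(
            {"Effect": "Allow", "Action": ["vpc:*", "ecs:*"], "Resource": "*"})
    return {"Version": "1", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return Allow statements that grant a whole service on every resource.

    These are the statements still equivalent to a *FullAccess system
    policy; review each one before attaching the policy.
    """
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        wide_action = any(a == "*" or a.endswith(":*")
                          for a in _as_list(st["Action"]))
        wide_resource = "*" in _as_list(st["Resource"])
        if wide_action and wide_resource:
            hits.append(st)
    return hits


def to_json(policy):
    """Serialize for pasting into the RAM console's custom policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = csg_policy(["csg-cache-bucket"], deployment="on-premises")
    print(to_json(policy))
    for st in overbroad_statements(policy):
        print("still service-wide:", st["Action"])
```

Paste the printed JSON into a custom policy, attach it to the user or group together with AliyunHCSSGWFullAccess (or rely on the hcs-sgw statement once the prefix is verified), and keep AliyunVPCFullAccess and AliyunECSFullAccess only for gateways deployed on Alibaba Cloud. The overbroad check is deliberately strict: any statement it reports is one a reviewer should justify.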