SOFAStack lets you grant permissions on its resources to Resource Access Management (RAM) users. This avoids the security risk of exposing your Alibaba Cloud account's AccessKey, which carries full permissions over every resource in the account. Only RAM users that have been granted the relevant permissions can operate on resources in the SOFAStack console, through the software development kit (SDK), or through the API.
Scenarios
Company A purchases the containerized application service from SOFAStack. Its employees need to manage the service's resources, such as nodes, application service instances, and storage resources. For example, some employees create applications, while others manage nodes or storage. Because their job responsibilities differ, they require different permissions.
The scenarios are as follows:
For security reasons, Company A does not want to provide its employees with its Alibaba Cloud account's AccessKey. Instead, the company wants to create separate RAM user accounts for them.
These RAM users can operate on resources only with the permissions they are granted. Billing is not handled separately for these user accounts. All costs are charged to Company A's Alibaba Cloud account.
Company A can revoke a user's permissions or delete a user account at any time.
In this scenario, Company A can use its Alibaba Cloud account to grant fine-grained permissions to employees for the resources they need to manage.
Note: SOFAStack does not currently support fine-grained access policies at the resource level. A RAM user that is granted SOFAStack permissions can therefore act on all SOFAStack resources in the account, not only on a subset of nodes, instances, or storage. Policy definitions for different resource dimensions will be available in a future release. For more information, see Access policies.
Procedure
Company A uses its Alibaba Cloud account to create a Resource Access Management (RAM) user.
For more information, see Create a RAM user.
Grant permissions to the RAM user.
For more information, see Grant permissions to a RAM user.
What to do next
After you create a RAM user with your Alibaba Cloud account, provide the user with their logon name and password (for console access) or AccessKey pair (for SDK and API access), issuing only the credential type the user actually needs and delivering it over a secure channel. The user can then follow these steps to log on to the console or call an API.
Log on to the console.
In a browser, open the RAM user logon portal.
On the RAM User Logon page, enter the RAM user logon name, click Next, enter the RAM user password, and then click Log On.
Note: The logon name for a RAM user is in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com, where <$AccountAlias> is the account alias. If you have not set an account alias, the ID of the Alibaba Cloud account is used by default.
From the User Center page, click a product to access its console.
Use the RAM user's AccessKey to call an API.
Use the RAM user's AccessKeyId and AccessKeySecret in your code. The AccessKeyId identifies the caller and is sent with each request; the AccessKeySecret is used only to sign requests and must never be embedded in source code or committed to a repository. Read both values from environment variables or a credentials file at run time, and rotate or revoke the AccessKey from the RAM console if it is ever exposed.
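The following is an added example (not code from the SOFAStack documentation or project) of using a RAM user's AccessKey pair from code. It reads the credentials from the environment rather than from source, and signs a request with the RPC-style signature version 1 (HMAC-SHA1 over a canonicalized query string) that the classic Alibaba Cloud OpenAPI endpoints use. The environment variable names, the sample action (GetUser), API version, user name and endpoint are assumptions for illustration; substitute the action, version and endpoint of the product API you are calling.

```python
import base64
import hashlib
import hmac
import os
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Environment variable names: these are the ones the official Alibaba Cloud
# credential libraries read by default; treated here as an assumption.
ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"


def load_credentials(env=None):
    """Read the RAM user's AccessKey pair from the process environment.

    The secret never appears in source control or in the request itself;
    it is only used to compute the signature.
    """
    env = os.environ if env is None else env
    key_id = env.get(ENV_KEY_ID)
    secret = env.get(ENV_KEY_SECRET)
    if not key_id or not secret:
        raise RuntimeError(f"set {ENV_KEY_ID} and {ENV_KEY_SECRET} in the environment")
    return key_id, secret


def percent_encode(value):
    """RFC 3986 encoding: only A-Z a-z 0-9 '-' '_' '.' '~' are left as-is."""
    return quote(str(value), safe="~")


def canonicalize(params):
    """Sort parameters by name and join them as encoded key=value pairs."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method, params):
    """HTTPMethod & encode('/') & encode(canonicalized query string)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalize(params))}"


def sign(access_key_secret, text):
    """Base64(HMAC-SHA1(AccessKeySecret + '&', text))."""
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, text.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_query(key_id, secret, action, version, extra=None,
                       timestamp=None, nonce=None, method="GET"):
    """Return the full query parameters, including Signature, for one API call.

    timestamp/nonce can be fixed for testing; in production leave them None so
    each request carries a fresh UTC timestamp and a unique nonce (replay protection).
    """
    params = {
        "Action": action,
        "Version": version,
        "Format": "JSON",
        "AccessKeyId": key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params.update(extra or {})
    params["Signature"] = sign(secret, string_to_sign(method, params))
    return params


def request_url(endpoint, params):
    """Build the GET URL; canonicalize() already applies the required encoding."""
    return f"https://{endpoint}/?{canonicalize(params)}"


if __name__ == "__main__":
    # Placeholder action/version/endpoint (assumed): substitute the product's own values.
    key_id, secret = load_credentials()
    query = build_signed_query(key_id, secret, "GetUser", "2015-05-01", {"UserName": "alice"})
    print(request_url("ram.aliyuncs.com", query))
```

Because the AccessKeySecret only feeds the HMAC, a leaked request log reveals the AccessKeyId, timestamp and signature but not the secret; the timestamp and nonce let the server reject stale or replayed requests. Keep the RAM user that owns this AccessKey limited to the permissions the calling program needs.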