Identities and permissions
Alibaba Cloud uses two categories of identities — physical entities and virtual entities — and a policy-based permission model to control who can access which resources and what operations they can perform.
Identities
RAM identities fall into two categories: physical entities that hold long-term credentials, and virtual entities (RAM roles) that issue temporary credentials on demand.
Physical entities
A physical entity has a fixed ID and a persistent credential — either a logon password or an AccessKey pair. It represents a person, a company, or an application. Alibaba Cloud supports two types:
Alibaba Cloud account: The root identity created when you sign up. It has full control over all resources purchased under the account, and all charges are billed to it. Because it carries root-level permissions, use it only for initial setup.
RAM user: A sub-identity created and authorized by the Alibaba Cloud account or an administrative user. RAM users do not own resources and are not billed independently — all charges roll up to the parent account. A RAM user is visible only within the account it belongs to.
Physical entities access cloud resources in two ways:
Console: Sign in with a username and password, or use multi-factor authentication (MFA).
API: Authenticate with an AccessKey pair.
Security best practice
Never use the Alibaba Cloud account for day-to-day resource management. Its long-term, root-level credentials make it the highest-value target if compromised. Instead:
Use the Alibaba Cloud account once to create a RAM user with administrator permissions.
Use that administrative RAM user for all subsequent account and user management.
This limits exposure of the root account and gives you a clear audit trail for every administrative action.
Use RAM user groups to categorize RAM users and assign permissions in bulk. This keeps permission management manageable as your team grows.
Virtual entities
A RAM role is a virtual entity with no fixed identity credential — no logon password, no AccessKey pair. Instead of being permanently tied to one person or application, a RAM role can be assumed by any trusted entity that needs it. When a trusted entity assumes the role, Security Token Service (STS) issues a temporary STS token scoped to that role's permissions. The token expires automatically, eliminating long-lived credentials that need to be rotated or could be accidentally exposed.
A RAM role has two required components:
Trust policy: Defines which entities are allowed to assume the role (the "who").
Permission policy: Defines what the role can do once assumed (the "what").
RAM roles are designed for three scenarios:
|
Scenario |
Trusted entity |
Use case |
|
Cross-account access |
RAM user from a trusted Alibaba Cloud account (current or another) |
Grant a team in another account access to your resources. See Create a RAM role for a trusted Alibaba Cloud account. |
|
Service-to-service access |
Alibaba Cloud service |
Allow one Alibaba Cloud service to access another on your behalf. See Create a RAM role for a trusted Alibaba Cloud service. |
|
Federated identity (SSO) |
Users of an external identity provider (IdP) |
Let employees authenticated through your corporate IdP sign in to Alibaba Cloud via role-based single sign-on (SSO). See Create a RAM role for a trusted IdP. |
When to use which identity
|
Identity |
Use when |
|
Alibaba Cloud account |
Initial setup only — create the first administrative RAM user, then stop using the root account directly. |
|
RAM user |
A specific person or application needs persistent, long-term access to cloud resources (for example, an O&M engineer or a CI/CD pipeline that cannot use role assumption). |
|
RAM role |
Access is temporary, cross-account, cross-service, or federated. Roles eliminate the need to distribute long-term credentials and are the recommended approach for most workloads. |
Permissions
Permissions control whether an identity can perform an operation on a resource — either allowing or denying access. No identity (other than the Alibaba Cloud account itself) has any permissions by default.
Permissions of physical entities
|
Identity |
Default permissions |
How to grant |
|
Alibaba Cloud account |
Full permissions on all owned resources — no additional authorization required. |
N/A |
|
RAM user |
None. Must be authorized before accessing the console or calling API operations. |
Attach a policy directly to the RAM user, or add the user to a RAM user group and attach the policy to the group. See Grant permissions to a RAM user and Grant permissions to a RAM user group. |
Permissions are implemented through policies. A policy defines which operations are allowed or denied on specified resources, along with any conditions. RAM supports two policy types:
System policies: Created and maintained by Alibaba Cloud. Attach them to identities as-is — you cannot modify them.
Custom policies: Created and maintained by you, with fine-grained control over resources, operations, and conditions. Use custom policies when system policies are too broad.
Permissions of virtual entities
RAM roles have no permissions by default. A role can access cloud resources only after a trusted entity assumes it and the role has the appropriate permissions.
To grant a RAM role permissions, see Grant permissions to a RAM role.
References
To see which Alibaba Cloud services support RAM and their available system policies, see Services that work with RAM.
To understand the structure and syntax of policies, see Policy elements and Policy structure and syntax.