EventBridge allows an Alibaba Cloud account to grant resource-level permissions to RAM users. This practice helps you avoid the security risks of exposing your Alibaba Cloud account's AccessKey pair. Only authorized RAM users can manage resources in the EventBridge console or publish events by using an SDK or API.
Use cases
A company, Enterprise A, subscribes to the EventBridge service. The company's employees need to manage the service's resources, such as event rules and event buses. Because employees have different job responsibilities, they require different permissions.
This scenario includes the following requirements:
For security reasons, Enterprise A wants to avoid sharing its Alibaba Cloud account's AccessKey pair directly with employees. Instead, the company prefers to create a separate RAM user for each employee.
Individual RAM users are not billed for usage. All costs are charged to Enterprise A's Alibaba Cloud account.
Enterprise A can revoke the permissions of a RAM user or delete the RAM user at any time.
In this scenario, the Alibaba Cloud account can grant fine-grained permissions to employees, ensuring they access only the resources required for their jobs.
Grant permissions to a RAM user
Console
The RAM console provides two entry points for granting permissions. Both support single and batch authorization:
- Users page: The principal is auto-selected based on the users you choose. Best for user-centric workflows.
- Grants page: You manually select principals and can view all authorization records across your account. Best for permission-centric workflows.
Tip: For large-scale management, add RAM users with identical responsibilities to the same user group, then grant permissions to the group instead of individual users. Navigate to Identities > User Groups to manage groups.
From the Users page
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Users page, find the target RAM user and, in the Actions column, click Attach Policy.
  You can also select multiple RAM users and click Attach Policy below the user list for batch authorization.
- In the Grant Permission panel, configure the following settings:
  - Resource scope:
    - Account level: Permissions apply to all resources in your Alibaba Cloud account.
    - Resource group level: Permissions apply only within the specified resource group. The RAM user must switch to the authorized resource group in the top navigation bar after logging on to the console.
    Note:
    - The system marks high-risk system policies (such as AdministratorAccess and AliyunRAMFullAccess) with a warning indicator. These policies typically grant full control over all cloud resources or full management of RAM. Grant these policies with caution.
    - For resource group authorization examples, see Control access to ECS instances with resource groups.
  - Principal: The principal is the RAM user that receives the permissions. When initiated from the Users page, the system auto-selects the current RAM user. When initiated from the Grants page, you must manually select the RAM user. Batch selection is supported.
  - Permission policy:
    - System policy: Search and select directly. Use the search box to filter by product name (for example, ECS or OSS), access level (for example, ReadOnly or FullAccess), or full policy name.
    - Custom policy: You must create a custom policy (see Create a custom policy) before you can grant it.
  - (Optional) Description: Enter the authorization reason or scenario for audit purposes.
- Click Confirm.
- Review the authorization result and click Close.
From the Grants page
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Grants page, click Grant Permission.
- In the Grant Permission panel, select the principal and configure the same settings as described above.
- Review the authorization result and click Close.
OpenAPI
Grant a custom policy
- Call CreatePolicy to create a custom policy. For policy syntax, see Permission policy elements and Overview of sample policies.
- Call AttachPolicyToUser to grant the policy at the account level (set PolicyType to Custom). Alternatively, call AttachPolicy to grant the policy at the resource group level.
Grant a system policy
- Call AttachPolicyToUser to attach the system policy to the RAM user (set PolicyType to System). For available PolicyName values, see System policy reference.
- Alternatively, call AttachPolicy to grant the policy at the resource group level.
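The OpenAPI procedure above, worked through as an added example that is not part of the original page: it builds a least-privilege custom policy document scoped to a single EventBridge event bus, flags the kind of wildcard grants the console warns about, checks what the policy allows with a simplified evaluator, and lays out the parameters for the CreatePolicy and AttachPolicyToUser calls. The account ID, bus name, RAM user name, the `eventbridge:PutEvents` action name and the event bus ARN pattern are assumptions; confirm the action names and ARN format against the EventBridge RAM documentation before use.

```python
import fnmatch
import json

# Constructed sample values (assumptions, not from the page): account ID, event bus, RAM user.
ACCOUNT_ID = "123456789012"
BUS_NAME = "orders-bus"
RAM_USER = "publisher-alice"
# Event bus ARN pattern is assumed; confirm it against the EventBridge RAM documentation.
BUS_ARN = f"acs:eventbridge:*:{ACCOUNT_ID}:eventbus/{BUS_NAME}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_publish_policy(bus_arn):
    """Least-privilege custom policy: publish to one bus only, no rule or bus management."""
    return {"Version": "1",
            "Statement": [{"Effect": "Allow",
                           "Action": ["eventbridge:PutEvents"],
                           "Resource": [bus_arn]}]}

def risky_statements(policy):
    """Allow statements with wildcard actions or resources (the broad grants the console flags)."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(a in ("*", "eventbridge:*") for a in _as_list(st["Action"])) or "*" in _as_list(st["Resource"]):
            flagged.append(st)
    return flagged

def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def ram_api_requests(policy_name, policy, user_name):
    """Parameters for the two RAM calls on the page: CreatePolicy, then AttachPolicyToUser (PolicyType=Custom)."""
    return [{"Action": "CreatePolicy", "PolicyName": policy_name,
             "PolicyDocument": json.dumps(policy, separators=(",", ":"))},
            {"Action": "AttachPolicyToUser", "PolicyType": "Custom",
             "PolicyName": policy_name, "UserName": user_name}]
```

Send the returned parameter sets through the RAM SDK or CLI of your choice; the evaluator is a teaching aid and does not replace RAM's own policy evaluation.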
More information
Next steps
After you create a RAM user by using your Alibaba Cloud account, you can distribute the RAM user's logon name and password, or its AccessKey pair, to other users. They can then use these credentials to log on to the console or call API operations.
Log on to the console.
Open the RAM user logon portal in a web browser.
On the RAM User Logon page, enter the RAM user logon name and click Next. Then, enter the password and click Login.
Note: The logon name for a RAM user is in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the ID of your Alibaba Cloud account is used by default.
On the Alibaba Cloud console, click a service that you have permission to access.
Use the RAM user's AccessKey pair to call API operations.
Include the RAM user's AccessKey ID and AccessKey secret in your code.