Avoid using your Alibaba Cloud account directly to access Function Compute. Instead, use a Resource Access Management (RAM) entity — a RAM user or RAM role — to control access and enforce least privilege.
When to use RAM users vs. RAM roles
| Identity type | Has permanent credentials | Suitable for |
|---|---|---|
| RAM user | Yes (password or AccessKey pair) | Human operators, automated programs with long-lived credentials |
| RAM role | No (temporary STS token only) | Function code accessing other services, cross-account access, federated identity |
RAM users
A RAM user is a permanent identity with its own credentials. RAM users can be created by Alibaba Cloud accounts, or by RAM users and RAM roles that have administrative rights. Once granted permissions, a RAM user can access Alibaba Cloud resources through the Alibaba Cloud Management Console or by calling API operations.
When creating a RAM user, set the Access Mode to one of the following options:
| Access mode | How it works | When to use |
|---|---|---|
| Console Access | Logs in with a username and password | Human operators accessing the console |
| Using permanent AccessKey to access | Makes API calls with an AccessKey pair | Programs and automated processes |
| Both | Supports both methods | Rarely needed — keep human and program identities separate |
Security practices for RAM users
Start with an admin RAM user. Use your Alibaba Cloud account to create a RAM user with administrative rights first. Then use that RAM user to create and manage other RAM users.
Separate human and program identities. Create dedicated RAM users for individuals and separate RAM users for applications to limit the blast radius of unintended operations.
Enable MFA for console users. Multi-factor authentication (MFA) adds a second layer of verification for RAM users with console access.
Apply least privilege. Grant only the permissions required to perform a specific task. Least-privilege permissions reduce the risk of permission abuse and limit exposure if credentials are compromised.
Never embed credentials in code. Hardcoding an AccessKey ID or AccessKey secret in your code risks exposing all resources under your account if the code is leaked, committed to a repository, or copied into a build artifact. Prefer the temporary STS credentials that a RAM role provides; if a RAM user's AccessKey pair is unavoidable, read it from environment variables or a secrets store outside the code base, and rotate the pair immediately if it is ever exposed.
Enable SSO when applicable. Single sign-on (SSO) lets RAM users log in from your enterprise identity management system without managing separate Alibaba Cloud credentials.
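The "never embed credentials in code" practice is easiest to enforce with a check that runs before code lands. The scanner below is an added example for this page, not code from the Function Compute documentation or the Alibaba Cloud SDK: it flags the `LTAI` prefix that Alibaba Cloud AccessKey IDs carry (the 12 to 20 character tail length and the secret-assignment heuristic are assumptions of the scanner), redacts what it finds so the finding itself does not leak the key, and returns a non-zero exit code so it can block a commit. Both source snippets it scans are constructed samples; the "good" one reads the pair from the `ALIBABA_CLOUD_ACCESS_KEY_ID` / `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variables that the SDK credential chain honours.

```python
"""Detect hard-coded Alibaba Cloud AccessKey pairs before they are committed.

Added example for this page, not code from the Function Compute documentation.
Alibaba Cloud AccessKey IDs carry the prefix "LTAI"; the tail-length range and
the secret-assignment heuristic below are assumptions of this scanner.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# "LTAI" is the prefix Alibaba Cloud issues; 12-20 alphanumerics after it is an
# assumption that covers the 16- and 24-character IDs seen in practice.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")

# A string literal assigned to a name that looks like an AccessKey secret
# (heuristic: the secret itself has no distinctive prefix to match on).
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|ak[_-]?secret)\s*[:=]\s*['\"]([^'\"]{20,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "access_key_id" or "access_key_secret"
    excerpt: str   # redacted, safe to print in CI logs


def redact(value: str) -> str:
    """Keep a short prefix so the owner can identify the key, hide the rest."""
    return value[:6] + "***"


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per credential literal found in `text`, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_secret", redact(m.group(2))))
    return findings


# Constructed samples (not real keys). The first is what the text warns
# against; the second reads the pair from the environment variables the
# Alibaba Cloud SDK credential chain itself honours.
BAD_SNIPPET = """\
import oss2
ACCESS_KEY_ID = "LTAI4Fxxxxxxxxxxxxxx"
ACCESS_KEY_SECRET = "abcdefghijklmnopqrstuvwxyz1234"
auth = oss2.Auth(ACCESS_KEY_ID, ACCESS_KEY_SECRET)
"""

GOOD_SNIPPET = """\
import os
import oss2
ACCESS_KEY_ID = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
ACCESS_KEY_SECRET = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
auth = oss2.Auth(ACCESS_KEY_ID, ACCESS_KEY_SECRET)
"""


def main(paths: List[str]) -> int:
    """Pre-commit entry point: a non-zero exit blocks the commit."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read()):
                print(f"{path}:{f.line_no}: hard-coded {f.kind} {f.excerpt}")
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_keys.py $(git diff --cached --name-only)` from a pre-commit hook. A regex scanner is a safety net, not a substitute for the role-based approach: a key that never exists in a file cannot be matched in the first place.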
RAM user groups
Group RAM users to simplify permission management at scale. All users in the same group share the same permissions, so you can grant or revoke access for an entire team with a single operation.
Security practices for RAM user groups
Apply least privilege at the group level, not per user.
Remove a user from the group when their role changes.
Revoke permissions from the group when those permissions are no longer needed.
RAM roles
A RAM role is a virtual identity with policies attached — but no permanent credentials (no password, no AccessKey pair). A trusted entity assumes the RAM role and receives a temporary STS token to access Alibaba Cloud resources on behalf of that role.
This model is well-suited for:
Function Compute code accessing other Alibaba Cloud services — attach a role to your function so it gets temporary credentials at runtime, without storing any keys in code.
Cross-account access — grant an entity in another Alibaba Cloud account permissions to operate on resources in your account.
Federated identity — allow users from an external identity provider to assume a role through SSO.
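The first case above, a function using its attached role at runtime, looks like this in a Python Function Compute handler. This is an added example, not code from the Function Compute documentation: it assumes the Python runtime exposes the role's temporary credentials as `context.credentials` with the attributes `access_key_id`, `access_key_secret` and `security_token`, and that the `oss2` SDK's `StsAuth` is available; the endpoint, bucket name and object key are placeholders. The point it adds to the paragraph is the failure mode: a function with no role attached receives no security token, and the handler refuses to run rather than silently reaching for a long-lived key.

```python
"""Let function code use the RAM role attached to it, never stored keys.

Added example, not code from the Function Compute documentation. Assumes the
Python runtime's `context.credentials` (access_key_id, access_key_secret,
security_token) and the oss2 SDK; endpoint, bucket and key are placeholders.
"""
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Any


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str


def credentials_from_context(context: Any) -> TemporaryCredentials:
    """Take the role's STS credentials from the invocation context.

    A function with no role attached gets no security token. Rather than
    falling back to a long-lived AccessKey pair, fail loudly so the missing
    role is fixed in the function configuration.
    """
    creds = getattr(context, "credentials", None)
    if creds is None:
        raise RuntimeError("no credentials on context: attach a RAM role to the function")
    token = getattr(creds, "security_token", None)
    if not token:
        raise RuntimeError("context credentials carry no STS token: refusing to run with permanent keys")
    # STS-issued AccessKey IDs are prefixed "STS."; anything else did not come from AssumeRole.
    if not str(creds.access_key_id).startswith("STS."):
        raise RuntimeError("AccessKey ID on context is not an STS credential")
    return TemporaryCredentials(creds.access_key_id, creds.access_key_secret, token)


def oss_bucket(creds: TemporaryCredentials, endpoint: str, bucket_name: str):
    """Build an OSS client from temporary credentials (oss2 import deferred to runtime)."""
    import oss2  # assumption: oss2 is packaged with the function

    auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
    return oss2.Bucket(auth, endpoint, bucket_name)


def handler(event: bytes, context: Any) -> bytes:
    """Function Compute entry point: read one object with the role's permissions only."""
    creds = credentials_from_context(context)
    bucket = oss_bucket(creds, "https://oss-cn-hangzhou.aliyuncs.com", "example-bucket")
    return bucket.get_object("reports/latest.json").read()


def fake_context(access_key_id: str, access_key_secret: str, security_token: str) -> SimpleNamespace:
    """Constructed stand-in for the runtime context, for local unit tests only."""
    return SimpleNamespace(
        credentials=SimpleNamespace(
            access_key_id=access_key_id,
            access_key_secret=access_key_secret,
            security_token=security_token,
        )
    )
```

Because the platform rotates these credentials, the handler must read them on every invocation rather than caching them in a module-level variable across invocations.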
How it works
1. Grant a trusted entity permission to call the AssumeRole operation.
2. The trusted entity calls AssumeRole and receives a short-lived STS token.
3. The trusted entity uses the STS token to access resources as the RAM role.
4. The STS token expires after the configured validity period.
Note: The maximum validity period of an STS token equals the maximum session duration set for the RAM role. Request the shortest validity period your workload tolerates and refresh the token when it nears expiry, rather than requesting the maximum by default.
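The AssumeRole exchange and the validity-period note above, as an added example that is not code from the Function Compute documentation. The SDK calls follow the `alibabacloud_sts20150401`, `alibabacloud_tea_openapi` and `alibabacloud_credentials` packages as the author of this example understands their API (an assumption); the role ARN, session name and endpoint are placeholders. The 900 second floor and 43200 second ceiling are the `DurationSeconds` limits STS documents for AssumeRole, and the role's `MaxSessionDuration` (3600 seconds for a new role) lowers that ceiling. The code rejects a request the role cannot honour up front, and tracks the returned `Expiration` so a caller refreshes before the token lapses mid-request.

```python
"""Assume a RAM role with a bounded STS token lifetime and track expiry.

Added example, not code from the Function Compute documentation. SDK usage is
an assumption about the alibabacloud_* Python packages; ARN, session name and
endpoint are placeholders.
"""
from datetime import datetime, timezone
from typing import Dict, Optional

STS_MIN_DURATION = 900        # seconds, AssumeRole DurationSeconds minimum
STS_ABSOLUTE_MAX = 43200      # seconds, largest MaxSessionDuration a role can have
DEFAULT_MAX_SESSION = 3600    # a new role's MaxSessionDuration unless changed


def bounded_duration(requested: int, role_max_session: int = DEFAULT_MAX_SESSION) -> int:
    """Reject a request the role cannot honour instead of letting STS fail later.

    Raising on an over-long request is deliberate: a caller asking for 12 h
    against a 1 h role usually indicates a misconfiguration worth surfacing.
    """
    ceiling = min(role_max_session, STS_ABSOLUTE_MAX)
    if requested < STS_MIN_DURATION:
        raise ValueError(f"DurationSeconds must be at least {STS_MIN_DURATION}")
    if requested > ceiling:
        raise ValueError(f"DurationSeconds {requested} exceeds the role's MaxSessionDuration {ceiling}")
    return requested


def _parse_sts_time(value: str) -> datetime:
    # STS reports Expiration in UTC as YYYY-MM-DDTHH:MM:SSZ
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(expiration: str, now: Optional[str] = None) -> int:
    """Remaining lifetime of a token in seconds; negative once it has expired.

    `now` takes the same string format so callers (and tests) can pin the clock.
    """
    now_dt = _parse_sts_time(now) if now else datetime.now(timezone.utc)
    return int((_parse_sts_time(expiration) - now_dt).total_seconds())


def needs_refresh(expiration: str, now: Optional[str] = None, margin: int = 300) -> bool:
    """True when the token should be replaced before the next request, not after."""
    return seconds_until_expiry(expiration, now) <= margin


def assume_role(role_arn: str, session_name: str,
                duration_seconds: int = DEFAULT_MAX_SESSION,
                role_max_session: int = DEFAULT_MAX_SESSION,
                endpoint: str = "sts.cn-hangzhou.aliyuncs.com") -> Dict[str, str]:
    """Call STS AssumeRole. The caller's own identity comes from the SDK's default
    credential chain (environment variables or an instance/function role),
    never from literals in this file. Imports are deferred so the pure helpers
    above work without the SDK installed."""
    from alibabacloud_credentials.client import Client as CredentialClient
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as openapi_models

    duration = bounded_duration(duration_seconds, role_max_session)
    config = openapi_models.Config(credential=CredentialClient())
    config.endpoint = endpoint
    client = StsClient(config)
    request = sts_models.AssumeRoleRequest(
        role_arn=role_arn,
        role_session_name=session_name,  # recorded in audit logs, so pick a traceable value
        duration_seconds=duration,
    )
    c = client.assume_role(request).body.credentials
    return {
        "access_key_id": c.access_key_id,
        "access_key_secret": c.access_key_secret,
        "security_token": c.security_token,
        "expiration": c.expiration,
    }


if __name__ == "__main__":
    creds = assume_role("acs:ram::<account-id>:role/fc-reader", "ci-job-42", 1800)
    print("token valid for", seconds_until_expiry(creds["expiration"]), "seconds")
```

Keep the requested duration close to the length of the job: a 30 minute CI step has no reason to hold a 12 hour token, and a token that leaks from a log or a core dump is only as dangerous as the time left on it.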
Security practices for RAM roles
Set an appropriate STS token validity period. Shorter-lived tokens reduce exposure if a token is compromised.
Avoid changing the trusted entity after creation. Changing the trusted entity can cause permission loss that affects your workloads. Adding a new trusted entity may introduce privilege escalation risks. Test all changes thoroughly before applying them.
Enable SSO when applicable. SSO lets users in your enterprise identity management system assume RAM roles without managing separate credentials.