RAM user access


You can use a Resource Access Management (RAM) user to access IoT Platform resources. This topic describes how to create a RAM user, grant permissions to the user, and log on to the IoT Platform console as the RAM user.

Prerequisites

You must create a Resource Access Management (RAM) user and grant the user permissions to access IoT Platform using an authorization policy. For more information about how to create a custom authorization policy, see Custom permissions.

Warning

Using your Alibaba Cloud account (the root account) for day-to-day operations, or granting a RAM user more permissions than it needs, creates security risks and can lead to financial loss: a user or a leaked credential with excessive permissions can perform unintended operations, such as deleting devices or incurring charges. Grant only the permissions that the user actually requires, and proceed with caution.

Create a RAM user

If you already have a RAM user, you can skip this section.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.


  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy.

      • Password Reset: Specifies whether the RAM user is required to reset the password upon the next logon. Enable this option when you set an initial password on behalf of the user.

      • Enable MFA: Specify whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device. For more information, see Bind an MFA device.

    • OpenAPI Access

      If the RAM user represents an application, you can use a permanent AccessKey pair to access Alibaba Cloud. Selecting this option automatically creates an AccessKey pair (an AccessKey ID and an AccessKey secret) for the RAM user. For more information, see Create an AccessKey pair.

      Important
      • An AccessKey secret for a RAM user is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

      • An AccessKey pair is a long-term credential for programmatic access. A leaked AccessKey pair gives its holder every permission granted to that RAM user until the pair is disabled or deleted. To reduce this risk, we strongly recommend using temporary credentials, such as an STS token, instead, and scoping the RAM user's policy as narrowly as possible. For more information, see Best practices for using access credentials to call Alibaba Cloud OpenAPI.

  6. Click OK.

  7. Complete the security verification as prompted.

After the RAM user is created, the user can log on to the Alibaba Cloud website and console using the RAM user logon link.

A newly created RAM user has no permissions and cannot access any of your Alibaba Cloud resources. Before the RAM user can use IoT Platform, you must grant the user the required permissions, as described in the next section.

Grant a RAM user permissions to access IoT Platform

In the Resource Access Management (RAM) console, you can grant permissions to a single RAM user on the Users page or grant the same permissions to a user group on the User Groups page. For more information, see Grant permissions to a RAM user group. This topic describes how to grant permissions to a single RAM user.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.

      • Specific Resource Group: The permissions take effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select the IoT Platform authorization policy that you want to attach to the RAM user.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.

  4. Click OK.

  5. Click Close.

After the permissions are granted, the RAM user can access the resources and perform the operations that are defined in the authorization policy.
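The warning at the start of this topic and the custom policy mentioned under Prerequisites both come down to what the attached policy document actually grants. The following Python script is an added example, not code from the IoT Platform documentation or from Alibaba Cloud: it defines a read-only IoT Platform policy that is gated on MFA and a source IP range, a small linter that flags the over-broad grants the warning refers to, and an evaluator that mirrors RAM's decision order (an explicit Deny wins, then a matching Allow, otherwise the request is denied). The policy schema (Version "1", Statement with Effect, Action, Resource and Condition), the `iot:` action prefix and the `acs:MFAPresent` / `acs:SourceIp` condition keys are RAM conventions; the action patterns, the IP range and the resource string are constructed sample values, and the evaluator is a simplified model for illustration, not RAM's own engine.

```python
"""Least-privilege RAM policy for IoT Platform, with a linter and a simplified
evaluator. Added example; not part of the IoT Platform documentation."""
import fnmatch
import ipaddress
import json

# Constructed sample policy: read-only IoT Platform access, only when the caller
# authenticated with MFA and comes from a corporate egress range (sample values).
IOT_READONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Query*", "iot:List*", "iot:Get*"],
            "Resource": "*",
            "Condition": {
                "Bool": {"acs:MFAPresent": "true"},
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
            },
        }
    ],
}

# Constructed counter-example: the kind of grant the warning in this topic is about.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """RAM accepts a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, console_user=True):
    """Return findings for Allow statements that are broader than a scoped grant.

    console_user=True also requires an MFA condition, which only makes sense for a
    RAM user that logs on to the console (an application user cannot present MFA).
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            findings.append(f"statement {i}: allows every action on every resource")
        mfa_gated = "acs:MFAPresent" in stmt.get("Condition", {}).get("Bool", {})
        if console_user and not mfa_gated:
            findings.append(f"statement {i}: not gated on MFA (acs:MFAPresent)")
    return findings


def _conditions_met(condition, ctx):
    """Evaluate the Bool and IpAddress operators against request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': explicit Deny > matching Allow > implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _conditions_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed sample resource identifier and request contexts.
SAMPLE_RESOURCE = "acs:iot:cn-shanghai:123456789012:product/a1bcDEF"
MFA_FROM_OFFICE = {"acs:MFAPresent": True, "acs:SourceIp": "203.0.113.7"}
NO_MFA_FROM_OFFICE = {"acs:SourceIp": "203.0.113.7"}

if __name__ == "__main__":
    print(json.dumps(IOT_READONLY_POLICY, indent=2))
    print("lint (scoped):   ", lint_policy(IOT_READONLY_POLICY))
    print("lint (overbroad):", lint_policy(OVERBROAD_POLICY))
    for act in ("iot:QueryDevice", "iot:DeleteDevice"):
        print(act, evaluate(IOT_READONLY_POLICY, act, SAMPLE_RESOURCE, MFA_FROM_OFFICE))
```

Paste the scoped policy into the custom policy editor in the RAM console as-is; the linter is a pre-commit style check for policy documents kept in version control, and the evaluator lets you answer "would this request be allowed?" before attaching the policy to a user.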