Identity management

更新时间:
复制 MD 格式

Using your Alibaba Cloud account directly to access MaxCompute exposes all your cloud resources if those credentials are ever compromised. Use RAM users or RAM roles instead to scope access to only what each operator or workload needs.

RAM users

RAM users are identities created by an Alibaba Cloud account or by RAM users and RAM roles that have administrative rights. A RAM user can log on to the console or call API operations only after it has been granted the required permissions.

Human accounts vs. program accounts

Treat human operators and automated programs as distinct identity types with different security requirements:

Account type Typical credential MFA required Recommended access method
Human operator Password Yes RAM console; enable MFA
Automated program STS token (temporary) Not applicable STS temporary token; no long-lived AccessKey pair

This separation matters because a compromised program account is limited to that account's permissions and its STS token expires automatically. A compromised human account with a long-lived AccessKey pair puts every resource in the account at risk.

Best practices

  • Create a RAM user with administrative rights using your Alibaba Cloud account. Use that RAM user to create and manage all other RAM users, so the root account stays out of day-to-day operations.

  • You can create RAM users via the RAM console (requires your Alibaba Cloud account username and password) or by calling API operations (requires your AccessKey pair). Separate RAM users for individuals from RAM users for programs to prevent human errors.

  • Grant permissions based on the principle of least privilege to reduce the risk of accidental or malicious misuse.

  • Never embed an AccessKey ID or AccessKey secret in code. Get access permissions through Security Token Service (STS) tokens or environment variables instead.

  • Enable multi-factor authentication (MFA) for RAM users who access the RAM console.

  • Enable single sign-on (SSO) to let RAM users authenticate through your organization's identity management system.

Related topics

RAM user groups

Group RAM users to simplify permission management. All users in a group inherit the group's permissions, so you can update access for an entire team by modifying a single group policy.

Best practices

  • Grant permissions to groups based on the principle of least privilege.

  • Remove a RAM user from a group when their role changes.

  • Remove a RAM user from a group as soon as they no longer need the group's permissions.

Related topics

RAM roles

A RAM role is a virtual identity with attached policies but no permanent credentials — no logon password, no AccessKey pair. To use a RAM role, a trusted entity assumes the role and receives a temporary STS token. The trusted entity then uses that token to access Alibaba Cloud resources as the role.

Best practices

  • Set an appropriate STS token validity period. A shorter period limits the exposure window if a token is compromised.

    Note

    The maximum validity period of an STS token equals the longest session duration configured for the RAM role. Set the session duration to the minimum value your workload requires.

  • Call the AssumeRole operation to obtain an STS token for a RAM role.

  • Avoid changing the trusted entity of a RAM role after it is created. Changing the trusted entity can cause permission loss that affects running workloads; adding a new trusted entity introduces privilege escalation risks. Test any changes thoroughly before applying them.

  • Enable SSO to let RAM roles authenticate through your organization's identity management system.

Related topics