Identity, credentials, and authorization


Identity is a user's unique identifier in a system. Credentials are the information a user provides to prove their identity. Authorization is the process of granting an authenticated user permissions to access specific resources. Together, identity, credentials, and authorization secure user identities and control access to resources.

Identity

An identity is a user's unique identifier in a system. The system uses this identity to recognize the user and determine their access permissions. Alibaba Cloud has three main identity types: Alibaba Cloud accounts, Resource Access Management (RAM) users, and RAM roles.

  • Alibaba Cloud account

    An Alibaba Cloud account is the basic entity for resource ownership, usage metering, and billing. The Alibaba Cloud account pays for its resources and has full control over them. Except for scenarios that require an Alibaba Cloud account, use a RAM user or RAM role to access the console and call OpenAPI.

  • RAM user

    A RAM user is an identity type in Resource Access Management (RAM). It has a fixed identity ID and permanent identity credentials. A RAM user usually corresponds to a specific person or application. For more information, see RAM user overview.

  • RAM role

    A RAM role is a virtual identity to which policies can be attached. Unlike a RAM user, a RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token and use the STS token to access Alibaba Cloud resources as the RAM role.

    For example, Alibaba Cloud account A creates a RAM role named a_rr1. This role is granted the FullAccess policy for OSS. The role is configured to be assumed by b_ru1, a RAM user under Alibaba Cloud account B. A developer can then log on as the RAM user b_ru1, assume the role a_rr1, and manage the OSS resources of account A.

    For more information, see RAM role overview.

Credentials

Credentials are the information a user provides to prove their identity. To log on to a system, a user must provide the correct credentials for identity verification. Common credential types include the following:

  • Permanent AccessKey (AK) credentials are used for Alibaba Cloud accounts and RAM users. An AccessKey is a key pair that consists of an AccessKey ID and an AccessKey secret.

    Warning

    An AccessKey for an Alibaba Cloud account grants full control over all resources. A leaked AccessKey poses a significant security threat. Use an AccessKey for a RAM user instead and rotate it regularly. To create an AccessKey for a RAM user, see Create an AccessKey.

  • Temporary STS access tokens, also known as STS tokens, are used for Alibaba Cloud RAM roles. An STS token is a temporary identity credential with a custom validity period and access permissions. For more information, see What is STS?.

    Note

    Temporary identity credentials are valid only for a specific period. If a credential expires, you must call STS again to obtain a new STS token.
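The expiry rule above is easiest to get right with a refresh-ahead cache: keep the STS token, and request a new one shortly before the old one expires rather than after a call fails. The following is an added example, not Alibaba Cloud SDK code. It assumes a caller-supplied `assume_role` function standing in for the STS AssumeRole call (the stub here is constructed and returns credential-shaped dicts with `AccessKeyId`, `AccessKeySecret`, `SecurityToken` and an `Expiration` datetime).

```python
"""Refresh-ahead cache for STS tokens (added example, not SDK code).

`assume_role` is a caller-supplied function standing in for the STS
AssumeRole call; `make_fake_assume_role` below is a constructed stub.
The provider re-requests a token before the cached one expires, so a
long-running job never presents an expired credential.
"""
from datetime import datetime, timedelta, timezone


class StsCredentialProvider:
    def __init__(self, assume_role, refresh_margin=timedelta(minutes=5)):
        # assume_role() returns a dict with AccessKeyId, AccessKeySecret,
        # SecurityToken and Expiration (a timezone-aware datetime here; assumption).
        self._assume_role = assume_role
        self._margin = refresh_margin
        self._cached = None
        self.refresh_count = 0  # how many times STS was actually called

    def _needs_refresh(self, now):
        if self._cached is None:
            return True
        # Refresh while the token is still valid, inside the safety margin.
        return now + self._margin >= self._cached["Expiration"]

    def get_credentials(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._needs_refresh(now):
            self._cached = self._assume_role()
            self.refresh_count += 1
            if self._cached["Expiration"] <= now:
                raise RuntimeError("STS returned an already-expired token")
        return self._cached


def make_fake_assume_role(clock, duration=timedelta(hours=1)):
    """Constructed stand-in for sts:AssumeRole; clock() supplies the current time."""
    counter = {"n": 0}

    def assume_role():
        counter["n"] += 1
        return {
            "AccessKeyId": f"STS.constructed{counter['n']}",
            "AccessKeySecret": "constructed-secret",
            "SecurityToken": f"constructed-token-{counter['n']}",
            "Expiration": clock() + duration,
        }

    return assume_role


if __name__ == "__main__":
    clock = {"now": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    provider = StsCredentialProvider(make_fake_assume_role(lambda: clock["now"]))
    first = provider.get_credentials(clock["now"])
    clock["now"] += timedelta(minutes=56)  # inside the 5-minute margin of a 60-minute token
    second = provider.get_credentials(clock["now"])
    print("refreshed" if second is not first else "reused", provider.refresh_count)
```

The margin is the design choice worth tuning: it must exceed the longest request the token will be used for, otherwise a call started just before expiry can fail mid-flight even though the cache looked valid when it was read.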

  • A Bearer Token is a token type for identity verification and authorization. Currently, only Cloud Call Center (CCC) supports credential initialization using a Bearer Token. In the Authentication Method Configuration, select the Bearer Token method.

Leaked credentials can pose major security threats to your cloud resources and business. Pay close attention to the secure use of credentials during daily operations management. For more information, see Secure use of credentials.

Authorization

Authorization is the process by which a system administrator or resource owner grants a user permissions to access resources. After a user is authenticated, the system authorizes their access to resources based on the permissions that are granted to their identity.

In Alibaba Cloud OpenAPI, each API operation requires a minimum access policy. Before you call an API operation, confirm that the caller has the required permissions. You can automatically generate and obtain the minimum access policy for each API operation from the API reference page in the OpenAPI Portal. The following figure provides an example using the RunInstances API operation for Alibaba Cloud ECS.

[Figure: minimum access policy generated for the ECS RunInstances operation on the API reference page of the OpenAPI Portal]

  • Alibaba Cloud account

    An Alibaba Cloud account has full control over all of its cloud resources. Its permissions do not require authorization and cannot be modified. However, if the account is part of a resource directory, it may be restricted by a control policy. For more information, see Overview of control policies.

  • RAM user

    You can grant the access policy obtained from the API reference to a RAM user. For more information about how to grant permissions to a RAM user, see Manage RAM user permissions.

  • RAM role

    Granting permissions to a RAM role involves one more step than granting permissions to a RAM user:

    1. Define the trusted entity. You can allow an Alibaba Cloud account, or a RAM user or RAM role under an Alibaba Cloud account, to assume this role.

    2. Grant permissions. For information about specific authorization operations, see RAM role overview.

    When you grant permissions to a RAM role, pay special attention to the following two scenarios:

    Scenario 1: Chained role assumption

    A RAM user named aRamUser1 under account A can assume a RAM role named bRamRole1 under account B. The role bRamRole1 can assume a RAM role named cRamRole1 under account C. Even though account A is not directly authorized to assume cRamRole1, the user aRamUser1 can access the resources of account C by first assuming bRamRole1 and then using bRamRole1 to assume cRamRole1.

    Scenario 2: Implicit authorization

    When you create a RAM role under an Alibaba Cloud account, if you select the current account as the trusted entity, any RAM user or RAM role that has the assumeRole permission is allowed to assume this new role by default. If the new RAM role is granted high-level permissions, a RAM user or RAM role that only has the assumeRole permission can obtain these high-level permissions.
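Both scenarios, and the minimum-access-policy check described under Authorization, come down to two questions an auditor can answer mechanically: which roles can a given identity reach through one or more assumptions, and which actions does it end up allowed to perform once it gets there. The following is an added example, not Alibaba Cloud's implementation. It is a simplified model of the documented rules: a RAM-style policy document allows an action unless a matching Deny exists, and a role can be assumed only if the caller's own policies allow sts:AssumeRole on the role and the role's trust policy names the caller or the caller's account root. Account IDs, the user names aRamUser2 and aAdminRole, and all policy contents are constructed.

```python
"""Simplified model of RAM policy evaluation and role-assumption chains.

Added example, not Alibaba Cloud code. Rules modelled (reduced form):
  * is_allowed: an explicit Deny wins; otherwise any matching Allow grants.
  * a role is assumable when the caller's policies allow sts:AssumeRole on
    the role AND the role's trust policy lists the caller or its account root.
Account IDs, names and policies below are constructed.
"""
from collections import deque
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Evaluate RAM-style documents ({"Version","Statement":[{Effect,Action,Resource}]})."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def account_of(arn):
    return arn.split(":")[3]  # acs:ram::<account-id>:<user|role>/<name>


class Role:
    def __init__(self, arn, trust_policy, policies):
        self.arn, self.trust_policy, self.policies = arn, trust_policy, policies


def trust_allows(role, caller_arn):
    """True if the role's trust policy names the caller or the caller's account root."""
    for stmt in role.trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for principal in stmt["Principal"].get("RAM", []):
            if principal == caller_arn:
                return True
            if principal.endswith(":root") and account_of(principal) == account_of(caller_arn):
                return True  # Scenario 2: "current account" trusts every principal in it
    return False


def can_assume(caller_arn, caller_policies, role):
    return is_allowed(caller_policies, "sts:AssumeRole", role.arn) and trust_allows(role, caller_arn)


def reachable_roles(start_arn, start_policies, roles):
    """Breadth-first walk over assumptions. Returns {role_arn: chain} for every
    role the caller can reach, directly or via intermediate roles (Scenario 1)."""
    found = {}
    queue = deque([(start_arn, start_policies, [start_arn])])
    while queue:
        arn, policies, path = queue.popleft()
        for role in roles:
            if role.arn in found or role.arn == start_arn:
                continue
            if can_assume(arn, policies, role):
                found[role.arn] = path + [role.arn]
                queue.append((role.arn, role.policies, found[role.arn]))
    return found


def effective_allowed(start_arn, start_policies, roles, action, resource):
    """True if the caller, or any role it can reach, is allowed the action."""
    if is_allowed(start_policies, action, resource):
        return True
    by_arn = {r.arn: r for r in roles}
    reach = reachable_roles(start_arn, start_policies, roles)
    return any(is_allowed(by_arn[a].policies, action, resource) for a in reach)


# ---- constructed sample: the two scenarios from the text --------------------
ACCOUNT_A, ACCOUNT_B, ACCOUNT_C = "1000000000000001", "2000000000000002", "3000000000000003"


def policy(effect, action, resource):
    return {"Version": "1", "Statement": [{"Effect": effect, "Action": action, "Resource": resource}]}


def trust(*principals):
    return {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                           "Principal": {"RAM": list(principals)}}]}


A_USER1 = f"acs:ram::{ACCOUNT_A}:user/aRamUser1"
A_USER2 = f"acs:ram::{ACCOUNT_A}:user/aRamUser2"        # constructed, Scenario 2
B_ROLE1 = f"acs:ram::{ACCOUNT_B}:role/bRamRole1"
C_ROLE1 = f"acs:ram::{ACCOUNT_C}:role/cRamRole1"
A_ADMIN_ROLE = f"acs:ram::{ACCOUNT_A}:role/aAdminRole"  # constructed, Scenario 2

ROLES = [
    Role(B_ROLE1, trust(A_USER1), [policy("Allow", "sts:AssumeRole", C_ROLE1)]),
    Role(C_ROLE1, trust(B_ROLE1), [policy("Allow", "oss:*", "*")]),
    Role(A_ADMIN_ROLE, trust(f"acs:ram::{ACCOUNT_A}:root"), [policy("Allow", "*", "*")]),
]
A_USER1_POLICIES = [policy("Allow", "sts:AssumeRole", B_ROLE1)]
A_USER2_POLICIES = [policy("Allow", "sts:AssumeRole", "*")]   # only AssumeRole, nothing else

if __name__ == "__main__":
    for arn, pols in ((A_USER1, A_USER1_POLICIES), (A_USER2, A_USER2_POLICIES)):
        for target, chain in reachable_roles(arn, pols, ROLES).items():
            print(" -> ".join(chain))
```

Running the walk for aRamUser1 reports the chain through bRamRole1 to cRamRole1 even though no policy in account C mentions account A, which is the chained-assumption case. Running it for aRamUser2, whose only permission is sts:AssumeRole, reports aAdminRole because that role trusts the account root, which is the implicit-authorization case; `effective_allowed` then shows ecs:RunInstances becoming available to a user whose own policy never grants it. Pointing `trust()` at the specific user or role ARN instead of the root ARN closes that path in the model, which is the review to make whenever a role with broad permissions trusts "the current account".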