Resource Access Management (RAM) lets you grant fine-grained permissions to RAM users, avoiding the security risks of sharing your Alibaba Cloud account AccessKey pair.
Scenarios
Common scenarios for using RAM to implement access control:
- Use RAM users to manage permissions

  Enterprise A migrates a project to the cloud and purchases multiple Alibaba Cloud services, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Different employees need different levels of access to these resources. Enterprise A has the following requirements:

  - Enterprise A does not want to share its Alibaba Cloud account AccessKey pair with employees. Instead, it creates RAM users for employees and grants each user only the required permissions.
  - RAM users can operate resources only after they are granted the required permissions. Enterprise A can revoke permissions or delete RAM users at any time.
  - RAM users incur no separate charges. Resources consumed by a RAM user are metered and billed to the Alibaba Cloud account of Enterprise A.

  RAM authorization management addresses this need by granting per-user permissions and centralizing resource management.

- Use a RAM role to access resources that belong to another Alibaba Cloud account

  Enterprise A and Enterprise B use separate Alibaba Cloud accounts. Enterprise A has purchased ECS instances, ApsaraDB RDS instances, SLB instances, and OSS buckets, and has the following requirements:

  - Enterprise A wants to delegate O&M, monitoring, and management of its cloud resources to Enterprise B.
  - Enterprise B can grant one or more of its employees fine-grained access to Enterprise A's cloud resources.
  - If either party terminates the delegation, Enterprise A can revoke Enterprise B's permissions at any time.

  RAM roles enable cross-account access control by letting Enterprise A grant permissions to Enterprise B's RAM users.
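The cross-account scenario above, as an added example that is not part of the original page: the three policy documents involved in the delegation, plus a small check that flags any of them that is broader than the scenario needs. The account IDs, the role name `ops-delegate`, the read-only action list and the `lint` helper are assumptions made for illustration.

```python
# Added illustration; account IDs, role name and action list are constructed placeholders.
ENTERPRISE_A = "1111111111111111"
ENTERPRISE_B = "2222222222222222"
ROLE_ARN = f"acs:ram::{ENTERPRISE_A}:role/ops-delegate"  # hypothetical role name

# Trust policy Enterprise A sets on the role: only Enterprise B's account may assume it.
TRUST_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"RAM": [f"acs:ram::{ENTERPRISE_B}:root"]}}]}

# Permission policy Enterprise A attaches to the role: read-only O&M scope (assumed).
ROLE_PERMISSIONS = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecs:Describe*", "rds:Describe*", "slb:Describe*", "oss:List*"]}]}

# Policy Enterprise B attaches to the chosen RAM user: may assume that one role only.
CALLER_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy, kind):
    """Return findings for Allow statements broader than the delegation needs.
    kind is "trust", "permissions" or "caller"."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if kind == "trust":
            principals = [p for v in st.get("Principal", {}).values() for p in _as_list(v)]
            if not principals or any("*" in p for p in principals):
                findings.append(f"statement {i}: trust principal missing or wildcarded")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: grants every action of a service")
        if kind == "caller" and any(r == "*" or r.endswith("role/*") for r in resources):
            findings.append(f"statement {i}: caller may assume any role")
    return findings

if __name__ == "__main__":
    for name, doc, kind in [("trust", TRUST_POLICY, "trust"),
                            ("role permissions", ROLE_PERMISSIONS, "permissions"),
                            ("caller", CALLER_POLICY, "caller")]:
        print(name, lint(doc, kind) or "ok")
```

Revoking the delegation, as the scenario requires, corresponds to Enterprise A removing Enterprise B from the trust policy or deleting the role.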