Explore common Resource Access Management (RAM) use cases for managing identities and permissions in operations management and application development scenarios.
Operations management
1. Assign permissions to employees
Scenario:
Sharing your Alibaba Cloud account credentials with multiple employees creates security risks: no accountability and excessive permissions. You need to grant each employee only the permissions their role requires.
Solution:
Create a RAM user for each employee and attach policies based on the principle of least privilege (PoLP), granting only the permissions necessary for their role (such as network administrator or security administrator). Group users with similar responsibilities and attach policies at the group level.

Benefits:
- Clear accountability: Each employee uses a separate identity. All actions are auditable and traceable.
- Security and compliance: Fine-grained access controls reduce risks from over-privileged users or shared credentials, supporting compliance requirements.
Examples:
- Assign different system policies to different O&M engineers, such as virtual machine O&M engineers and network O&M engineers. For more information, see Manage permissions for O&M engineers.
- Define and apply custom policies. For more information, see Custom policies for ECS.
- Configure custom policies based on access conditions such as request sources or resource tags. For more information, see Access Alibaba Cloud from specified IP addresses.
2. Isolate resources by project or environment
Scenario:
Your organization runs multiple projects or environments (development, production) in a single Alibaba Cloud account. You need strict separation so developers in one project cannot access another project's resources or modify production resources.
Solution:
Use resource groups to organize cloud resources by project or environment, then attach RAM policies that grant access only to specific resource groups.
Benefits:
- Clear lines of responsibility: Using the Resource Group feature, you can divide permissions by project or environment. This ensures that team members can access only the resources for which they are responsible.
- Fine-grained cost management: Resource groups enable accurate cost allocation and billing analysis by project or environment.
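The least-privilege and project-isolation rules from use cases 1 and 2 can be checked offline with a small policy evaluator. This is an added example, not Alibaba Cloud's own code or evaluation engine: it models only Allow/Deny precedence, `*` wildcards, and the `acs:SourceIp` and `acs:ResourceGroupId` conditions, and the policy, IP range, role and resource group IDs are constructed placeholders.

```python
import ipaddress
import re
# Constructed custom policy (not from the page): an O&M engineer may describe and
# reboot ECS instances, but only from the office network 203.0.113.0/24 and only
# on resources in one resource group ("rg-dev-placeholder" is a placeholder ID).
OPS_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:RebootInstance"],
     "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                   "StringEquals": {"acs:ResourceGroupId": "rg-dev-placeholder"}}},
    {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*"},
]}

# Condition operators this toy evaluator understands (RAM supports many more).
_OPERATORS = {
    "IpAddress": lambda have, want: ipaddress.ip_address(have) in ipaddress.ip_network(want),
    "StringEquals": lambda have, want: have == want,
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value):
    # Action and Resource values use '*' to match any run of characters.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _condition_holds(condition, ctx):
    # Every operator/key pair must hold; a missing request attribute fails the check.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None or not any(_OPERATORS[operator](have, w) for w in _as_list(wanted)):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Decide one request: an explicit Deny wins; anything no statement allows is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```

The request context carries the attributes RAM would derive from the caller (source IP, the resource group of the target), so the same policy yields Allow from the office on the development group and Deny everywhere else.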
3. Authorize cross-account resource access
Scenario:
Your enterprise needs to grant partners, subsidiaries, or other third parties access to specific cloud resources without sharing long-term credentials like AccessKey pairs.
Solution:
Create a RAM role with a trust relationship to the other Alibaba Cloud account and grant it specific permissions. Users in the trusted account can then assume this role to obtain temporary credentials for accessing only the permitted resources.

Benefits:
- Secure and controllable: RAM roles enable secure cross-account access through temporary credentials that are valid only for a short duration, eliminating the need to share long-term credentials.
- Flexible permission management: Adjust role permissions or revoke authorization at any time to maintain control over shared resources.
- Fine-grained access control: Create separate RAM roles for different partners with distinct permission scopes.
4. Enable passwordless console logon
Scenario:
Your team wants a more secure and convenient alternative to passwords for console logon, such as fingerprint or facial recognition.
Solution:
You can enable and use passkeys for passwordless authentication.
A passkey is a secure digital credential stored on a personal device or hardware security key that replaces traditional passwords. After you enable passkeys, team members can log on using biometric authentication (fingerprint or Face ID) or a device PIN.
Benefits:
- Eliminating password risks: No passwords to remember or enter, eliminating risks from password leaks and weak passwords.
- User-friendly logon experience: Using biometrics or a hardware security key makes the logon process faster and more convenient.
- Enhanced security: Built on public-key cryptography, passkeys resist phishing attacks and are more secure than traditional passwords.
For more information, see What is a passkey?
5. Integrate an enterprise IdP for SSO
Scenario:
Your enterprise wants employees to use existing corporate credentials from an identity provider (IdP) like Active Directory, Microsoft Entra ID, or Okta to log on to Alibaba Cloud, centralizing identity management and enabling single sign-on (SSO).
Solution:
You can configure role-based SSO or user-based SSO to integrate your enterprise IdP with Alibaba Cloud.
If your enterprise uses a resource directory for multi-account management, use CloudSSO for centralized identity and access management.
Benefits:
- Simplified logon: Employees log on to the IdP portal once to access Alibaba Cloud and other trusted applications, eliminating multiple usernames and passwords.
- Centralized security policies: Security policies such as MFA, password rules, and IP restrictions are enforced centrally at the IdP level.
- Centralized management and auditing: Provision and revoke access centrally during employee onboarding and offboarding through your IdP, reducing management overhead and compliance risks.
For an example, see Example: Configure role-based SSO with Microsoft Entra ID.
Application development
1. Cloud-hosted applications accessing cloud resources
Scenario:
An application on Elastic Compute Service (ECS), Container Service for Kubernetes (ACK), or Function Compute needs to access other cloud resources like Object Storage Service (OSS) or ApsaraDB RDS. Hard-coding AccessKey pairs in code or configuration files is a major security risk.
Solution:
Assign a RAM role to your compute resource. The application uses the role to obtain temporary credentials from Security Token Service (STS) for secure API calls. The attachment method varies by service:
| Compute environment | Recommended method | Key mechanism |
| --- | --- | --- |
| ECS | RAM roles for ECS instances | An application retrieves STS tokens for the attached RAM role by making a request to the ECS metadata service. |
| ACK | RAM Roles for Service Accounts (RRSA) | An application running in a pod uses a projected service account token (OIDC token) to assume a RAM role and obtain STS tokens. |
| Function Compute | RAM roles for Function Compute functions | The Function Compute runtime environment automatically injects STS tokens for the function's RAM role into the environment variables. |
The following diagram shows how an ECS application uses a RAM role to access other cloud services:

Benefits:
- Improved security: RAM roles eliminate long-term credential storage in applications, reducing the risk of credential leakage.
- Simplified credential management: No need to embed or manage AccessKey pairs in code or configuration files.
- Automated credential rotation: Temporary credentials from RAM roles are rotated automatically, eliminating manual rotation.
Examples:
If role-based access is not feasible, configure an AccessKey pair in a system environment variable. For long-term AccessKey pairs, always configure a network ACL to restrict usage to trusted IP addresses or networks.
For more information, see Best practices for accessing Alibaba Cloud OpenAPI.
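As an added example (not code from the page or from Alibaba Cloud's SDKs), a credential provider for the ECS row of the table above: it reads the attached role's STS credentials from the instance metadata service and refreshes them shortly before the Expiration time, which is how the automatic rotation benefit shows up in application code. The metadata address and path are an assumption taken from the ECS documentation, and the role name and sample credential document are constructed placeholders.

```python
import json
import time
import urllib.request
from datetime import datetime, timezone

# ECS instance metadata path for the attached RAM role's STS credentials.
# (Assumption: address and path as documented for ECS; the service also offers a
# hardened token-based mode, which this plain GET does not use.)
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"

# Constructed sample of the credential document the service returns (placeholders).
SAMPLE_DOC = {"Code": "Success", "AccessKeyId": "STS.placeholder",
              "AccessKeySecret": "secret-placeholder", "SecurityToken": "token-placeholder",
              "Expiration": "2024-01-01T01:00:00Z", "LastUpdated": "2024-01-01T00:00:00Z"}

def fetch_from_metadata(role_name):
    # Only reachable from inside an ECS instance; the response body is JSON.
    with urllib.request.urlopen(METADATA_URL + role_name, timeout=2) as resp:
        return json.loads(resp.read().decode("utf-8"))

def _expiry_epoch(expiration):
    # 'Expiration' is an ISO 8601 UTC timestamp such as 2024-01-01T01:00:00Z.
    return datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

class RoleCredentialProvider:
    """Caches the role's STS credentials and refreshes them shortly before expiry,
    so the application never stores a long-term AccessKey pair."""

    def __init__(self, role_name, fetch=fetch_from_metadata, refresh_margin=600, clock=time.time):
        self.role_name = role_name
        self._fetch = fetch              # injectable for tests or other runtimes
        self._margin = refresh_margin    # seconds before expiry at which to refresh
        self._clock = clock              # returns epoch seconds
        self._cached = None
        self._expires_at = 0.0
        self.fetch_count = 0             # metadata service calls made so far

    def credentials(self):
        if self._cached is None or self._clock() >= self._expires_at - self._margin:
            doc = self._fetch(self.role_name)
            if doc.get("Code") != "Success":
                raise RuntimeError(f"metadata service returned {doc.get('Code')!r}")
            self._expires_at = _expiry_epoch(doc["Expiration"])
            self._cached = {"access_key_id": doc["AccessKeyId"],
                            "access_key_secret": doc["AccessKeySecret"],
                            "security_token": doc["SecurityToken"]}
            self.fetch_count += 1
        return self._cached
```

Pass the three returned values (including the security token) to the SDK client on every call instead of caching a client built once, otherwise the client keeps using credentials that STS has already expired.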
2. External applications accessing cloud resources
Scenario:
An application deployed outside Alibaba Cloud (self-managed data center or another cloud platform) needs to call Alibaba Cloud APIs to access cloud resources.
Solutions:
- If your external application authenticates with an OpenID Connect (OIDC)-compatible IdP (such as Okta or your own), configure it to assume a RAM role. The application authenticates with the IdP, receives an OIDC token, and exchanges it for temporary Alibaba Cloud credentials through the STS AssumeRoleWithOIDC operation. This avoids managing long-term AccessKey pairs on your external systems.
- If the preceding solution is not applicable, configure an AccessKey pair in a system environment variable. For long-term AccessKey pairs, always configure a network ACL to restrict usage to trusted IP addresses or networks.
Examples:
For more information, see Network ACL policy for AccessKey pairs.