FAQ about RAM users

Answers common questions about RAM user login, billing, and permissions.

What is the RAM user login URL and username format?

RAM users can use the following URL to log on: RAM User Logon.

Note

You can also log on to the RAM console with an Alibaba Cloud account and find the RAM user logon URL on the Overview page. Using this URL pre-fills the default domain name, so users only enter their username.

RAM users can log on with any of the following username formats:

  • Default domain name: <UserName>@<AccountAlias>.onaliyun.com (example: username@company-alias.onaliyun.com).

    Note

    The logon name of the RAM user is in the User Principal Name (UPN) format. All logon names that are listed in the RAM console follow this format. <UserName> indicates the username of the RAM user. <AccountAlias>.onaliyun.com indicates the default domain name. For more information, see Key concepts and Manage RAM user logon domains.

  • Account alias: <UserName>@<AccountAlias> (example: username@company-alias).

    Note

    <UserName> indicates the username of the RAM user. <AccountAlias> indicates the account alias. For more information, see Key concepts and Manage RAM user logon domains.

  • Domain alias (requires configuration): <UserName>@<DomainAlias> (example: username@example.com).

    Note

    <UserName> indicates the username of the RAM user. <DomainAlias> indicates the domain alias. For more information, see Key concepts and Create and verify a domain alias.
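The three logon-name formats above are easy to confuse when logon names arrive from different sources (console exports, audit records, support tickets). The following added example, which is not part of the Alibaba Cloud documentation, parses a logon name into its parts, classifies which of the three formats it uses, and normalizes it to the default-domain UPN form. The character rules in `_USER_RE` and `_LABEL_RE` and the `verified_domain_aliases` mapping are assumptions for the example; the real service's exact validation rules are not stated on this page.

```python
# Added example (not from the Alibaba Cloud documentation): parse the three RAM
# logon-name formats and normalize them to <UserName>@<AccountAlias>.onaliyun.com.
import re

DEFAULT_DOMAIN_SUFFIX = ".onaliyun.com"

# Loose shape checks for the parts. These are assumptions for the example; the
# exact rules RAM enforces are not given on this page.
_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def parse_ram_logon_name(logon_name):
    """Classify a RAM logon name and split it into its parts.

    Returns a dict with 'format' set to 'default_domain', 'account_alias' or
    'domain_alias', plus 'user_name' and either 'account_alias' or
    'domain_alias'. Raises ValueError on malformed input.
    """
    if logon_name.count("@") != 1:
        raise ValueError("logon name must contain exactly one '@'")
    user_name, suffix = logon_name.split("@")
    suffix = suffix.lower()  # domain parts are case-insensitive; keep the username as typed
    if not _USER_RE.match(user_name):
        raise ValueError("malformed username")
    labels = suffix.split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError("malformed domain part")
    if suffix == DEFAULT_DOMAIN_SUFFIX[1:]:
        raise ValueError("default domain must carry an account alias")

    # 1) <UserName>@<AccountAlias>.onaliyun.com
    if suffix.endswith(DEFAULT_DOMAIN_SUFFIX):
        alias = suffix[: -len(DEFAULT_DOMAIN_SUFFIX)]
        if not alias or "." in alias:
            raise ValueError("default domain must be <AccountAlias>.onaliyun.com")
        return {"format": "default_domain", "user_name": user_name, "account_alias": alias}
    # 2) <UserName>@<DomainAlias>  (a custom, dotted domain such as example.com)
    if len(labels) > 1:
        return {"format": "domain_alias", "user_name": user_name, "domain_alias": suffix}
    # 3) <UserName>@<AccountAlias>
    return {"format": "account_alias", "user_name": user_name, "account_alias": suffix}


def canonical_upn(logon_name, verified_domain_aliases):
    """Rewrite any accepted format to <UserName>@<AccountAlias>.onaliyun.com.

    verified_domain_aliases maps a verified domain alias (e.g. 'example.com')
    to the account alias it belongs to. The caller maintains this mapping; it
    is an assumption of the example and is not looked up from RAM here.
    """
    parts = parse_ram_logon_name(logon_name)
    if parts["format"] == "domain_alias":
        alias = verified_domain_aliases.get(parts["domain_alias"])
        if alias is None:
            raise ValueError("unknown or unverified domain alias: " + parts["domain_alias"])
    else:
        alias = parts["account_alias"]
    return f"{parts['user_name']}@{alias}{DEFAULT_DOMAIN_SUFFIX}"


if __name__ == "__main__":
    for name in ("username@company-alias.onaliyun.com", "username@company-alias",
                 "username@example.com"):
        print(name, "->", parse_ram_logon_name(name))
    print(canonical_upn("username@example.com", {"example.com": "company-alias"}))
```

Normalizing every logon name to the default-domain form before comparing records avoids treating the same RAM user as three different identities, and refusing a domain alias that is not in the verified list keeps an unverified domain from being silently mapped to an account.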

What are the default domain name and domain alias?

Each Alibaba Cloud account has a unique default domain name in the format <AccountAlias>.onaliyun.com, used for RAM user logon and single sign-on (SSO). For more information about how to manage the default domain name, see Manage RAM user logon domains.

A domain alias is a publicly resolvable custom domain that replaces the default domain name. For more information, see Create and verify a domain alias.

Note

After domain ownership is verified, the domain alias replaces the default domain name in all applicable scenarios.

What permissions does a RAM user need to purchase resources?

  • To purchase pay-as-you-go services, the RAM user needs permissions to create instances or resources.

  • To purchase subscription resources, the RAM user needs both instance creation and payment permissions. Attach the AliyunBSSOrderAccess policy to grant payment permissions.

  • Creating a resource may require additional permissions to use or create dependent resources.

    Example policy for creating ECS instances:

    With this policy, a RAM user can create ECS instances from launch templates.

    {
        "Version": "1",
        "Statement": [{
                "Action": [
                    "ecs:DescribeLaunchTemplates",
                    "ecs:CreateInstance",
                    "ecs:RunInstances",
                    "ecs:DescribeInstances",
                    "ecs:DescribeImages",
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    Creating an ECS instance may require additional permissions for dependent resources:

    • Use a snapshot to create an ECS instance: ecs:DescribeSnapshots

    • Create and use a VPC: vpc:CreateVpc, vpc:CreateVSwitch

    • Create and use a security group: ecs:CreateSecurityGroup, ecs:AuthorizeSecurityGroup

    • Assign a RAM role to an ECS instance: ecs:DescribeInstanceRamRole, ram:ListRoles, ram:PassRole

    • Use an AccessKey pair: ecs:CreateKeyPair, ecs:DescribeKeyPairs

    • Create an ECS instance on a dedicated host: ecs:AllocateDedicatedHosts

Why can't a RAM user access resources after being granted permissions?

  • Services with permission diagnostics show causes and solutions directly. For more information, see Troubleshoot permission denied errors.

  • For services without permission diagnostics, use the following table to identify and resolve the issue.

    Cause: The policy is invalid.

    Solution: Verify that the policy attached to the RAM user is valid and meets your requirements.

    Cause: A Deny statement is configured in a custom policy.

    Solution: Check for "Effect": "Deny" in the policies attached to the RAM user or to the user's user groups. A Deny statement always takes precedence over an Allow statement. For example, if the RAM user has AliyunECSReadOnlyAccess but the following Deny policy is also attached, the RAM user cannot view ECS instances:

    {
        "Statement": [{
            "Action": "ecs:*",
            "Effect": "Deny",
            "Resource": "*"
        }],
        "Version": "1"
    }

    Cause: The resources do not support the related authentication method.

    Solution: Authentication methods vary by service. Verify that the method the service supports is used:

    • To find the services that support RAM-based authentication, see Services that work with RAM.

    • To find the services that support resource group-based authentication, see Services that work with Resource Group.

    • To find the services that support tag-based authentication, log on to the Resource Management console, choose Tag > Tag in the left-side navigation pane, click Resource Types Supported by Tag in the upper-right corner of the page, and find the resource types for which the value of Tag Ram Support is Support.

    Cause: The access control policy of a resource directory denies access to the resources.

    Solution: If the Alibaba Cloud account is a member of a resource directory and a control policy denies access, the RAM user cannot reach the affected resources. To resolve the issue:

    1. Find the management account of the resource directory to which the member belongs. For more information, see View the information about the resource directory to which a member belongs.

    2. Contact the owner of the management account to modify or detach the control policy. For more information, see Modify a custom control policy or Detach a custom control policy.

Why can a RAM user access resources without explicit permissions?

For example, a RAM user can view ECS instances even if the AliyunECSFullAccess system policy, the AliyunECSReadOnlyAccess system policy, or related custom policies are not attached to the RAM user.

  • Check policies attached to the RAM user's user group.

  • Check whether other attached policies include the required permissions.

    For example, AliyunCloudMonitorFullAccess includes "ecs:DescribeInstances", "rds:DescribeDBInstances", and "slb:DescribeLoadBalancer". A RAM user with AliyunCloudMonitorFullAccess can view ECS, ApsaraDB RDS, and SLB instances.
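Both of the situations above (an explicit Deny overriding AliyunECSReadOnlyAccess in the troubleshooting table, and a permission arriving through a user group or through a policy such as AliyunCloudMonitorFullAccess) come down to how the set of attached policies is combined. The following added example, which is not code from Alibaba Cloud, models that combination: it merges user and group policies, matches actions and resources with `*` wildcards, lets any matching Deny win, and reports which policy produced the decision. The policy documents are constructed stand-ins that only contain the statements the page describes, not the real system policy contents, and Condition elements are ignored.

```python
# Added example (not from the Alibaba Cloud documentation): a small evaluator
# showing that an explicit Deny wins over Allow and that a permission can be
# inherited from a user group or from an unrelated-looking policy.
import fnmatch

# Constructed, simplified policy documents. The names are real RAM system
# policies, but these statement bodies are stand-ins for the example only,
# not the actual contents of those policies.
ECS_READ_ONLY = {
    "Version": "1",
    "Statement": [{"Action": "ecs:Describe*", "Resource": "*", "Effect": "Allow"}],
}
DENY_ALL_ECS = {  # the Deny policy from the troubleshooting table above
    "Version": "1",
    "Statement": [{"Action": "ecs:*", "Effect": "Deny", "Resource": "*"}],
}
CLOUD_MONITOR = {  # the three actions the page says this policy includes
    "Version": "1",
    "Statement": [{
        "Action": ["ecs:DescribeInstances", "rds:DescribeDBInstances",
                   "slb:DescribeLoadBalancer"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Action and Resource elements may contain '*' wildcards; matching is
    # case-insensitive here. Condition elements are ignored in this model.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def effective_policies(user_policies, group_policies):
    """Merge policies attached to the user with those attached to its groups.

    user_policies: {policy_name: document}
    group_policies: {group_name: {policy_name: document}}
    Group-sourced entries are keyed 'group/policy' so that evaluate() can
    show where a permission came from.
    """
    merged = dict(user_policies)
    for group, policies in group_policies.items():
        for name, doc in policies.items():
            merged[f"{group}/{name}"] = doc
    return merged


def evaluate(attached, action, resource="*"):
    """Return (decision, matched_policy_names) for one action on one resource.

    decision is 'Deny' if any matching statement denies, else 'Allow' if any
    matching statement allows, else 'ImplicitDeny' (no statement matched).
    """
    allows, denies = [], []
    for name, doc in attached.items():
        for stmt in doc.get("Statement", []):
            if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            (denies if stmt["Effect"] == "Deny" else allows).append(name)
    if denies:
        return "Deny", denies
    if allows:
        return "Allow", allows
    return "ImplicitDeny", []


def demo_deny_precedence():
    # AliyunECSReadOnlyAccess plus the custom Deny policy: the Deny wins.
    attached = {"AliyunECSReadOnlyAccess": ECS_READ_ONLY, "CustomDenyECS": DENY_ALL_ECS}
    return evaluate(attached, "ecs:DescribeInstances")


def demo_inherited_via_group():
    # Nothing attached to the user directly, but a group carries
    # AliyunCloudMonitorFullAccess, which includes ecs:DescribeInstances.
    attached = effective_policies(
        {}, {"monitoring-team": {"AliyunCloudMonitorFullAccess": CLOUD_MONITOR}})
    return evaluate(attached, "ecs:DescribeInstances")


if __name__ == "__main__":
    print(demo_deny_precedence())      # ('Deny', ['CustomDenyECS'])
    print(demo_inherited_via_group())  # ('Allow', ['monitoring-team/AliyunCloudMonitorFullAccess'])
```

Returning the names of the matching policies rather than just the verdict is the useful part when answering "why can this user see ECS instances?": the answer is the policy (possibly group-attached) that granted `ecs:DescribeInstances`, which is what you would then review or narrow.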

How do I grant renewal permissions to a RAM user?

No universal renewal policy exists. Create a service-specific custom policy with purchase and payment permissions, then attach it to the RAM user.

For example, to allow a RAM user to renew ECS instances, attach the following custom policy and the AliyunBSSOrderAccess system policy:

{
    "Version": "1",
    "Statement": [{
            "Action": [
                "ecs:DescribeLaunchTemplates",
                "ecs:RenewInstance",
                "ecs:DescribeInstances",
                "ecs:DescribeImages",
                "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

How are RAM users billed?

  • All fees incurred by RAM users are billed to the parent Alibaba Cloud account.

  • RAM users inherit the discounts of the parent Alibaba Cloud account by default.

  • Financial configurations (consumption budget, credit limit, payment methods) apply account-wide and cannot be set per RAM user.

  • RAM users can be authorized to add funds to the parent account. Added funds belong to the Alibaba Cloud account.

  • RAM users and user groups are not billed separately.

    To allocate costs within your account, use the Resource Management service. For more information, see Allocate the costs of ECS instances by resource group and Use tags for cost allocation.

Why don't my RAM permissions work immediately?

RAM replicates permission data across multiple regions and zones for high availability. This follows eventual consistency, meaning changes may not appear everywhere simultaneously.

Permission updates are distributed globally, which can cause a brief delay before all services recognize the change. This multi-region design also enables automatic failover if a zone becomes unavailable.