Create independent RAM users for employees, systems, or applications and grant only the permissions they need. RAM users are free to create; the associated Alibaba Cloud account pays for resources they consume.
Procedure
Console
- Sign in to the RAM console using your Alibaba Cloud account or as a RAM user with administrative permissions (a user to which the AliyunRAMFullAccess policy is attached).
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- On the Create User page, in the User Account Information section, configure the user's basic information.
  - Logon Name (required): Up to 64 characters. Allows letters, digits, periods (.), hyphens (-), and underscores (_).
  - Display Name (optional): Up to 128 characters.
  - Tag (optional): Click , then enter a tag key and tag value to categorize and manage users.
  Note: Click Add User to create multiple RAM users in bulk.
- In the Access Mode section, select an access mode based on the user type.
  Important:
  - As a security best practice, select only one access mode per user to separate human console access from programmatic application access.
  - A leaked AccessKey pair compromises your account. Use Security Token Service (STS) tokens (temporary credentials) instead to reduce risk. See Best practices for using access credentials to call Alibaba Cloud APIs.
  Console access
  Select Console Access.
  - Set Logon Password: Auto-generate a password or set a custom one. Custom passwords must meet the configured complexity requirements. See Set a password policy for RAM users.
  - Password Reset: Specify whether the user must reset their password at the next sign-in.
  - Enable MFA: MFA is required for all users by default. To change this setting, see Manage security settings for RAM users. Users must bind an MFA device at first sign-in. See Bind an MFA device.
  Programmatic access
  Select Using permanent AccessKey to access.
  The system automatically creates an AccessKey ID and AccessKey secret for the RAM user.
  Important: The AccessKey secret is shown only at creation and cannot be retrieved later. Download or copy and save it immediately. A leaked AccessKey pair compromises all resources under your account. See Create an AccessKey pair.
OpenAPI
Create a RAM user for console access
- Call GetDefaultDomain to obtain the default logon suffix of the account. The format is <AccountAlias>.onaliyun.com.
- Call the CreateUser operation to create a RAM user. The following parameters are required:
  - UserPrincipalName: The logon name of the RAM user, in the format <username>@<AccountAlias>.onaliyun.com, where <username> is the RAM username and <AccountAlias>.onaliyun.com is the default logon suffix.
  - DisplayName: The display name of the RAM user. It can differ from the <username> above.
- Call the CreateLoginProfile operation to create a logon profile and configure the access mode and MFA. Recommended settings:
  - UserPrincipalName: The principal name of the user created in the previous step.
  - Password: Set according to the account's password strength requirements. Call the GetPasswordPolicy operation to query the current password policy.
  - MFABindRequired: Set to true to require MFA for the RAM user.
  - Status: Enables or disables console password logon. Default: Active.
Create a RAM user for programmatic access
- Call GetDefaultDomain to obtain the default logon suffix of the account. The suffix is in the format <AccountAlias>.onaliyun.com.
- Call the CreateUser operation to create a RAM user. The following parameters are required:
  - UserPrincipalName: The logon name of the RAM user, in the format <username>@<AccountAlias>.onaliyun.com, where <username> is the RAM username and <AccountAlias>.onaliyun.com is the default logon suffix.
  - DisplayName: The display name of the RAM user, which can differ from the <username> above.
- To create an AccessKey pair, call the CreateAccessKey operation and pass only the UserPrincipalName of the user that you created in the previous step.
  Important: The CreateAccessKey response contains the AccessKeyId and AccessKeySecret. The AccessKeySecret appears only once and cannot be retrieved later; save it immediately. A leaked AccessKey compromises all resources in your account. For more information, see Create an AccessKey.
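The two OpenAPI flows above, written as one provisioning helper. This is an added example, not Alibaba Cloud's own code: the RAM SDK or signed HTTP client is abstracted behind a `call(action, params)` function, the request parameter names (UserPrincipalName, DisplayName, Password, MFABindRequired, Status) are the ones the page lists, and the response field names (DefaultDomainName, AccessKey.AccessKeyId, AccessKey.AccessKeySecret) plus the FakeRamApi stub and its placeholder values are assumptions constructed so the code runs offline.

```python
import re
from typing import Any, Callable, Dict, Optional

# Logon-name rule from the page: 1-64 characters from letters, digits, '.', '-', '_'.
LOGON_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# call(action, params) stands in for the RAM SDK or signed HTTP client (an assumption of
# this example) and returns the API response as a dict.
ApiCall = Callable[[str, Dict[str, Any]], Dict[str, Any]]

def user_principal_name(call: ApiCall, username: str) -> str:
    """Build <username>@<AccountAlias>.onaliyun.com using GetDefaultDomain."""
    if not LOGON_NAME_RE.match(username):
        raise ValueError(f"invalid logon name: {username!r}")
    return f"{username}@{call('GetDefaultDomain', {})['DefaultDomainName']}"

def create_ram_user(call: ApiCall, username: str, display_name: str,
                    access_mode: str, password: Optional[str] = None) -> Dict[str, Any]:
    """Create a RAM user with exactly one access mode: 'console' or 'programmatic'."""
    if access_mode not in ("console", "programmatic"):
        raise ValueError("select exactly one access mode per user")
    upn = user_principal_name(call, username)
    call("CreateUser", {"UserPrincipalName": upn, "DisplayName": display_name})
    if access_mode == "console":
        if not password:
            raise ValueError("console access needs a password that meets the policy")
        # MFABindRequired=true: the user must bind an MFA device at first sign-in.
        call("CreateLoginProfile", {"UserPrincipalName": upn, "Password": password,
                                    "MFABindRequired": True, "Status": "Active"})
        return {"UserPrincipalName": upn, "AccessMode": "console"}
    resp = call("CreateAccessKey", {"UserPrincipalName": upn})
    # The AccessKeySecret is returned exactly once: hand it to the caller's secret
    # store and never write it to logs.
    return {"UserPrincipalName": upn, "AccessMode": "programmatic",
            "AccessKeyId": resp["AccessKey"]["AccessKeyId"],
            "AccessKeySecret": resp["AccessKey"]["AccessKeySecret"]}

class FakeRamApi:
    """Constructed offline stand-in for the RAM API that records every call."""
    def __init__(self) -> None:
        self.calls: list = []
    def call(self, action: str, params: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((action, params))
        if action == "GetDefaultDomain":
            return {"DefaultDomainName": "example-alias.onaliyun.com"}  # constructed
        if action == "CreateAccessKey":  # constructed placeholder credentials
            return {"AccessKey": {"AccessKeyId": "AKID-PLACEHOLDER",
                                  "AccessKeySecret": "SECRET-PLACEHOLDER"}}
        return {}
```

Replace FakeRamApi.call with a real client to run it against an account; the helper still refuses users with more than one access mode and invalid logon names before any API call is made.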
Next steps
- Grant permissions to the RAM user. New RAM users have no permissions. Grant the required permissions before they access cloud resources. See Manage permissions for a RAM user.
- Use the RAM user to sign in to the Alibaba Cloud console or call an Alibaba Cloud API. See Sign in to the Alibaba Cloud console as a RAM user and API integration overview.
- (Optional) Manage the logon suffix for a RAM user.