Create an AccessKey pair


This topic describes what an AccessKey pair is and how to create one for a RAM user or an Alibaba Cloud account.

What is an AccessKey pair?

An AccessKey pair is a long-term security credential provided by Alibaba Cloud to authenticate programmatic requests. It consists of an AccessKey ID and an AccessKey secret.

  • AccessKey ID: The public, unique identifier for your AccessKey pair.

  • AccessKey secret: The private key used to sign API requests. The signature verifies the authenticity and integrity of the request. You must keep your AccessKey secret strictly confidential.

Important

To reduce the risk of a leak, the AccessKey secret is displayed only once upon creation and cannot be retrieved.

How to use an AccessKey pair

An AccessKey pair is used to call Alibaba Cloud APIs programmatically from tools such as the CLI, SDKs, or Terraform.

Alibaba Cloud provides more secure alternatives that use temporary security credentials (STS tokens) instead of AccessKey pairs. For specific use cases, see Application development scenarios.

If you must create and use an AccessKey pair, see the following best practice: Properly store and use unavoidable AccessKey pairs.

How an AccessKey pair works

The AccessKey ID and AccessKey secret are generated by Resource Access Management (RAM) using a specific algorithm. Alibaba Cloud encrypts them during both storage and transmission.

When an application uses an AccessKey pair to make a request, the request carries the AccessKey ID together with a signature computed over the request content with the AccessKey secret; the secret itself is never sent. When Alibaba Cloud receives the request, it looks up the secret that belongs to the AccessKey ID, recomputes the signature, and uses the comparison to authenticate the sender's identity and verify the request's integrity. For more information about the signature mechanism that Alibaba Cloud uses, see Request body and signature mechanism for V3.
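The flow above, as an added worked model that is not Alibaba Cloud's own code: the client keys an HMAC-SHA256 over a digest of the request with the AccessKey secret and sends only the AccessKey ID plus the signature; the server looks the secret up by ID, recomputes, and compares in constant time. The ACS3-HMAC-SHA256 label and two-level hashing follow the shape of the V3 scheme, but the canonical request is deliberately simplified (no query string or signed headers), and the credential values are constructed.

```python
import hashlib
import hmac

# Simplified model of the V3 signing flow: only the shape of the scheme is kept.
ALGORITHM = "ACS3-HMAC-SHA256"

# Constructed server-side credential store: AccessKey ID -> AccessKey secret.
CREDENTIAL_STORE = {"LTAI-EXAMPLE-ID": "example-secret-never-sent-on-the-wire"}


def string_to_sign(method: str, path: str, body: bytes) -> str:
    """Hash the request content so the signature covers method, path and payload."""
    hashed_payload = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join([method, path, hashed_payload])
    return ALGORITHM + "\n" + hashlib.sha256(canonical_request.encode()).hexdigest()


def sign(access_key_secret: str, method: str, path: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 keyed with the AccessKey secret."""
    msg = string_to_sign(method, path, body).encode()
    return hmac.new(access_key_secret.encode(), msg, hashlib.sha256).hexdigest()


def build_authorization(access_key_id: str, secret: str, method: str, path: str, body: bytes) -> str:
    """Only the AccessKey ID and the signature travel with the request."""
    return f"{ALGORITHM} Credential={access_key_id},Signature={sign(secret, method, path, body)}"


def parse_authorization(header: str) -> dict:
    """Split 'ACS3-HMAC-SHA256 Credential=...,Signature=...' into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != ALGORITHM:
        return {}
    return dict(item.split("=", 1) for item in params.split(",") if "=" in item)


def verify(header: str, method: str, path: str, body: bytes) -> bool:
    """Server side: look up the secret by ID, recompute, compare in constant time."""
    params = parse_authorization(header)
    secret = CREDENTIAL_STORE.get(params.get("Credential", ""))
    if secret is None:
        return False  # unknown or disabled AccessKey ID
    expected = sign(secret, method, path, body)
    return hmac.compare_digest(expected, params.get("Signature", ""))


if __name__ == "__main__":
    body = b'{"UserPrincipalName":"test@example.onaliyun.com"}'
    header = build_authorization("LTAI-EXAMPLE-ID", CREDENTIAL_STORE["LTAI-EXAMPLE-ID"], "POST", "/", body)
    print(verify(header, "POST", "/", body))         # True: request untouched
    print(verify(header, "POST", "/", body + b" "))  # False: payload modified in transit
```

Any change to the method, path or body after signing, or a request signed with a secret that does not belong to the presented AccessKey ID, fails verification.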

AccessKey types

AccessKey pairs belong to either an Alibaba Cloud account or a RAM user and are categorized into two types based on their owner:

  • Alibaba Cloud account AccessKey pair (Not recommended)

    This AccessKey pair is created directly by the Alibaba Cloud account. By default, it has full permissions to manage all resources under the account. If this AccessKey pair is compromised, the security risk is extremely high. We strongly recommend that you do not create or use an AccessKey pair for your Alibaba Cloud account.

  • RAM user AccessKey pair (Recommended)

    This is a programmatic access credential that belongs to a RAM user. You must first create a RAM user before you can create an AccessKey pair for it. A RAM user's AccessKey pair inherits the permissions of the RAM user, which allows for least-privilege access management. As a best practice, assign a separate RAM user and AccessKey pair for each independent application. This prevents excessive permissions and reduces the blast radius if credentials are compromised.

Permission requirements

Because an Alibaba Cloud account has excessive permissions, you should avoid using it to create an AccessKey pair in a production environment. Instead, use a RAM user with the appropriate permissions to create and manage AccessKey pairs (except for those belonging to the Alibaba Cloud account).

  • You can grant the AliyunRAMFullAccess (RAM administrator) system policy to an administrator to allow them to create and manage AccessKey pairs for RAM users.

  • You can also enable the Allow users to manage AccessKey option in the global security settings of RAM to allow users to manage their own AccessKey pairs. For more information, see Manage security settings for RAM users.

    Note

    Enabling this setting means that all RAM users can manage their own AccessKey pairs, including creating, disabling, and deleting them, unless an administrator attaches a policy that explicitly denies these operations.

    We do not recommend enabling this setting in a production environment. To allow a specific user to manage their own AccessKey pair, we recommend using a custom policy and setting the Resource element to the user's own identity. See the following example policies:

    Create AccessKey

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ram:CreateAccessKey",
            "ram:ListAccessKeys"
          ],
          "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
        }
      ]
    }

    Manage AccessKey

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ram:CreateAccessKey",
            "ram:ListAccessKeys",
            "ram:UpdateAccessKey",
            "ram:DeleteAccessKey",
            "ram:GetAccessKeyLastUsed",
            "ram:ListAccessKeysInRecycleBin"
          ],
          "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
        }
      ]
    }
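An added check, not from the page or from RAM itself, that renders the policy templates above and flags any Allow statement whose Resource is not the user's own identity or whose Action reaches beyond the AccessKey self-service set listed in the Manage AccessKey policy; the account ID and user name are constructed placeholders.

```python
import json

# Actions granted by the page's self-service policies; anything else is flagged.
SELF_SERVICE_ACTIONS = {
    "ram:CreateAccessKey", "ram:ListAccessKeys", "ram:UpdateAccessKey",
    "ram:DeleteAccessKey", "ram:GetAccessKeyLastUsed", "ram:ListAccessKeysInRecycleBin",
}


def render_policy(template: str, account_id: str, user_name: str) -> str:
    """Fill the ACCOUNT_ID / USER_NAME placeholders used by the policy templates."""
    return template.replace("ACCOUNT_ID", account_id).replace("USER_NAME", user_name)


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def check_self_scoped(policy_json: str, account_id: str, user_name: str) -> list:
    """Return findings for Allow statements that reach beyond the user's own AccessKeys."""
    expected_resource = f"acs:ram:*:{account_id}:user/{user_name}"
    findings = []
    for index, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action not in SELF_SERVICE_ACTIONS:
                findings.append(f"statement {index}: action {action!r} is outside AccessKey self-service")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected_resource:
                findings.append(f"statement {index}: resource {resource!r} is not the user's own identity")
    return findings


# Constructed samples: the page's "Create AccessKey" template and a too-broad variant.
CREATE_ACCESSKEY_TEMPLATE = """{
  "Version": "1",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ram:CreateAccessKey", "ram:ListAccessKeys"],
                 "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"}]
}"""
TOO_BROAD_POLICY = """{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]
}"""

if __name__ == "__main__":
    scoped = render_policy(CREATE_ACCESSKEY_TEMPLATE, "123456789012345678", "app-user")
    print(check_self_scoped(scoped, "123456789012345678", "app-user"))     # []
    print(check_self_scoped(TOO_BROAD_POLICY, "123456789012345678", "app-user"))  # two findings
```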

Create an AccessKey for a RAM user

Complete the following steps as a RAM administrator (a user with the AliyunRAMFullAccess policy). If you do not have any RAM users in your account, see Create a RAM user.

Note

The steps for a RAM user to create their own AccessKey pair are the same as those for creating an AccessKey pair for an Alibaba Cloud account. Before a RAM user can create their own AccessKey pair, the Alibaba Cloud account owner must enable the Allow users to manage AccessKey option. Otherwise, the RAM user cannot see the option to create a key. For more information, see Manage security settings for RAM users.

Console

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.

  2. In the user list, find the RAM user and click the username.

  3. On the Credential tab, in the AccessKey section, click Create AccessKey.


    Note

    Each RAM user can have a maximum of two AccessKey pairs: one for active use and a second for rotation.

  4. In the dialog box that appears, read the use cases and recommendations. Follow the recommendations to choose a more appropriate credential solution. If you must create an AccessKey pair, select a use case, select the I confirm that it is necessary to create an AccessKey checkbox, and then click Continue. The use case you select does not affect the created AccessKey pair.


  5. Complete the security verification as prompted.

  6. In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and then click OK.

    (Optional) Configure an AccessKey network ACL policy: You can restrict the source IP addresses of API requests that use this AccessKey pair. This helps improve security by ensuring that the AccessKey pair is used only from trusted network environments. We recommend that you click Configure network access policy to define the trusted network environments for this AccessKey pair. For more information, see Configure an AccessKey network ACL policy for a RAM user.


    Important

    To reduce the risk of a leak, the AccessKey secret is displayed only once upon creation and cannot be retrieved.

API

Call the CreateAccessKey API and specify the following parameter:

  • UserPrincipalName: The logon name of the user who owns the AccessKey pair, for example, test@example.onaliyun.com. You can view the user's logon name in the RAM console.

Important

To reduce the risk of a leak, the AccessKey secret is returned only in the response of the CreateAccessKey operation. It cannot be retrieved again.

Create an Alibaba Cloud account AccessKey (Not recommended)

Warning

Unless absolutely necessary, we strongly recommend that you do not create or use an AccessKey pair for your Alibaba Cloud account. Before you proceed, evaluate whether you can use a RAM user's AccessKey pair instead.

  1. Log on to the Alibaba Cloud console with your Alibaba Cloud account.

  2. Hover over your profile picture in the upper-right corner and click AccessKey.


  3. In the We do not recommend that you use the AccessKey of your Alibaba Cloud account dialog box, read the risks of creating an AccessKey pair for your Alibaba Cloud account. If you must proceed, select the I am aware of the security risks of using a main account AccessKey. checkbox, and then click Continue to use the AccessKey of my Alibaba Cloud account.


  4. On the AccessKey page, click Create AccessKey.


    Note

    An Alibaba Cloud account can have a maximum of two AccessKey pairs: one for active use and a second for rotation.

  5. In the Create Main Account AccessKey dialog box, review the risks and limitations again. If you are sure you want to create the AccessKey pair, select the I am aware of the security risks of using a main account AccessKey. checkbox, and then click Continue to use the AccessKey of my Alibaba Cloud account.


  6. Complete the security verification as prompted.

  7. In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret. Then, select the I have saved the AccessKey Secret checkbox and click OK.

    (Recommended) Configure an AccessKey network ACL policy: You can restrict the source IP addresses of API requests that use this AccessKey pair. This helps improve security by ensuring that the AccessKey pair is used only from trusted network environments. We recommend that you click Configure network access policy to define the trusted network environments for this AccessKey pair. For more information, see Configure an AccessKey network ACL policy for an Alibaba Cloud account.


    Important

    To reduce the risk of a leak, the AccessKey secret for an Alibaba Cloud account is displayed only upon creation and cannot be retrieved.
