Use a Resource Access Management (RAM) user or RAM role to access Virtual Private Cloud (VPC), rather than your Alibaba Cloud account. This limits the blast radius of credential exposure and keeps your Alibaba Cloud account credentials out of day-to-day operations.
RAM users
RAM users can be created by Alibaba Cloud accounts or by RAM users and RAM roles that have administrative rights. Once granted the required permissions, a RAM user can access resources through the Alibaba Cloud Management Console or by calling API operations.
Separate human access from programmatic access
When creating a RAM user, set the Access Mode parameter to one of three options:
Console Access — the RAM user logs in with a username and password. Use this for people.
Using permanent AccessKey to access — the RAM user authenticates via an AccessKey pair. Use this for programs and automated workflows.
Both — use this only when a single identity genuinely needs both access paths.
Keeping human and programmatic identities separate prevents an unintended console action from disrupting an automated workflow, and vice versa.
RAM user security recommendations
Grant least-privilege permissions — assign only the minimum permissions required for a task. Scoped permissions reduce the impact of misuse or credential compromise. See System policies for VPC and Custom policies for VPC for policy references.
Enable MFA for console users — enable multi-factor authentication (MFA) for every RAM user with console access. MFA adds a second verification step beyond username and password.
Keep AccessKey pairs out of your code — never embed an AccessKey ID or AccessKey secret directly in source code. A committed key exposes all resources in your account. Instead, use Security Token Service (STS) tokens or load credentials from environment variables at runtime.
Use your Alibaba Cloud account to create the first admin RAM user — create a RAM user with administrative rights under your Alibaba Cloud account, then use that RAM user to create and manage all other RAM users. Avoid using the Alibaba Cloud account for routine operations.
Enable SSO when your organization has an identity provider — enable single sign-on (SSO) for RAM users to let them access Alibaba Cloud resources directly from your enterprise identity management system, without managing separate cloud credentials.
RAM user groups
Group RAM users to manage permissions at scale. Users in the same group share the same policies — update the group once to affect all members.
RAM user group security recommendations
Grant least-privilege permissions to groups, not individuals — attach policies to the group rather than to individual users wherever possible. This keeps permission management centralized and auditable.
Remove users when their role changes — if a team member moves to a different project or leaves the team, remove them from the group immediately. Stale group memberships are a common source of excessive permissions.
Revoke group permissions when they are no longer needed — periodically review each group's attached policies and remove any that are no longer required.
RAM roles
A RAM role is a virtual identity with attached policies but no permanent credentials — no password, no AccessKey pair. A trusted entity assumes the role and receives a temporary STS token to access Alibaba Cloud resources as that role.
This model suits cross-account access, service-to-service calls, and any scenario where issuing long-lived credentials would be a security risk.
How it works
A trusted entity calls the AssumeRole operation.
Security Token Service (STS) returns a time-limited STS token.
The trusted entity uses the token to access resources as the RAM role until the token expires.
RAM role security recommendations
Set an appropriate maximum session duration — the STS token is valid for at most the maximum session duration configured on the RAM role. Set this to the minimum value that keeps your workflows functional. Shorter durations reduce the window of exposure if a token is leaked.
Keeping the session duration short is especially important for roles with broad permissions.
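As an added example (not Alibaba Cloud's own SDK or documentation code), the following Python models the AssumeRole flow above together with two of the recommendations on this page: the trusted entity's AccessKey pair is read from the environment rather than from source, and STS refuses a session longer than the role's maximum session duration, so callers re-assume the role before a token expires. The environment variable names, the role ARN, and the mock_sts_assume_role function are assumptions for illustration.

```python
import os
from dataclasses import dataclass

# Added example: a small model of the RAM role flow, not Alibaba Cloud SDK code.
# The STS call is simulated (mock_sts_assume_role); nothing here talks to the cloud.

ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"          # variable names assumed for this example
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"

@dataclass
class RamRole:
    arn: str
    max_session_duration: int      # seconds, as configured on the RAM role

@dataclass
class StsToken:
    role_arn: str
    expires_at: float              # epoch seconds

    def valid(self, now: float, margin: int = 60) -> bool:
        """A token is usable only while it is at least `margin` seconds from expiry."""
        return now + margin < self.expires_at

def caller_credentials(env=os.environ) -> tuple[str, str]:
    """Load the trusted entity's AccessKey pair from the environment, never from source."""
    try:
        return env[ENV_KEY_ID], env[ENV_KEY_SECRET]
    except KeyError as missing:
        raise RuntimeError(f"credential {missing} not set in environment") from None

def mock_sts_assume_role(role: RamRole, duration: int, now: float) -> StsToken:
    """Simulated STS: refuse sessions longer than the role's maximum session duration."""
    if duration > role.max_session_duration:
        raise ValueError(f"requested {duration}s exceeds role maximum {role.max_session_duration}s")
    return StsToken(role.arn, expires_at=now + duration)

def get_token(cache: dict, role: RamRole, duration: int, now: float) -> StsToken:
    """Reuse a cached token while it is valid; re-assume the role shortly before it expires."""
    token = cache.get(role.arn)
    if token is None or not token.valid(now):
        token = mock_sts_assume_role(role, duration, now)
        cache[role.arn] = token
    return token
```

The refresh margin in `valid` is what keeps a long-running workflow from failing mid-request when a short session duration is chosen.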
Avoid changing the trusted entity after creation — changing a role's trusted entity can remove access for legitimate users (causing an outage) or add access for unintended parties (privilege escalation). Test changes in a non-production environment before applying them.
Enable SSO for federated access — enable SSO for RAM roles to allow users from your enterprise identity management system to assume roles and access Alibaba Cloud resources without maintaining separate cloud credentials.