In this guide I will give you an overview of the Alibaba Cloud Resource Access Management (RAM) service including a console demo.
What is Resource Access Management (RAM)?
RAM is an Alibaba Cloud service that helps you securely control access to your cloud resources.
RAM refers to a policy or framework that ensures the right people in an organization have appropriate access to those resources.
It controls who is authenticated (signed in) and who is authorized (has permissions) to use resources.
Why do we need RAM?
The following scenarios help clarify the need for RAM:
- By default, only the root user has access to all the resources in the root account, which means the root user has unlimited power. The root user can do everything within the root account, but if the root user accidentally deletes the account, it cannot be recovered.
- Suppose XYZ Company is using the cloud and 5,000 employees work on it. You cannot create a root account for each employee. Instead, from the one root account, the admin can easily create RAM users and assign each employee the appropriate permissions according to their role and responsibilities.
Terms used in RAM
1. RAM User
- It represents a person or an application that has a fixed ID and credentials to access the resources.
- It is a physical identity.
- This user does not receive individual bills and cannot make the payments.
- RAM users do not own the resources.
2. RAM User Group
- A RAM user group is simply a collection of RAM users.
- It is an easy way to assign permissions or policies to multiple users at once.
- Groups cannot be nested.
- If the responsibilities of a RAM user are changed, you only need to move the RAM user to a RAM user group with the required permissions. This does not affect other RAM users.
3. RAM Role
- It is a virtual identity and does not have any credentials (password or access keys).
- RAM roles are identities to which permission policies are attached.
- Based on the trusted entity, roles are divided into the following types:
  - Alibaba Cloud account: used for cross-account access and temporary authorization.
  - Identity provider (IdP): used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.
  - Alibaba Cloud service: used to authorize Alibaba Cloud services to manage your resources.
4. RAM Policy
- A policy is defined as a set of permissions.
- You can grant permissions to users by defining a policy.
- A policy can be created, viewed, updated, and deleted.
- There are two types of policies:
  - System policy: these policies are provided by Alibaba Cloud and cannot be modified by users.
  - Custom policy: these policies are created, modified, and deleted by users to meet their business requirements.
DEMO
Let’s see a demo of creating a RAM user and assigning policies to that user.
Step 1: Log in to the Alibaba Cloud Console and click Resource Access Management.
Step 2:
- Create a RAM User.
- Give the RAM user a name in User Account Information.
- In the picture below, I have given console access to the user, but you can also give only programmatic access, or both.
Step 3: Make sure your user is created successfully and, if you have given programmatic access, download the CSV file containing the AccessKey pair; the AccessKey secret is shown only at creation time.
Step 4: Add the required permissions to your user.
In the picture below, I have given full access to VPC and read-only permission to OSS.
Step 5: Log in as the RAM user using the following link: https://signin.aliyun.com/login.html
Step 6: Enter the RAM user name to log in.
Step 7: Now that you have created the RAM user and attached the policies, let’s verify the permissions of the RAM user.
- First, we will try to create a new bucket in OSS, as shown in the picture below:
After this step, a pop-up will show an error message like the one below: the user has only read-only permissions on OSS and therefore cannot create OSS buckets. Write permissions are required for that action.
Step 8: Let’s check the other permission. Go to VPC and click Create VPC.
As you can see in the pictures above, the VPC is created successfully, since the RAM user has full access to VPC.
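To show why the two checks above behave as they do, here is an added example (not part of the original guide or Alibaba Cloud’s own tooling): a constructed custom policy in RAM policy syntax that grants the same permissions the demo attached (full VPC access, read-only OSS), plus a simplified evaluator that applies the RAM rules of explicit Deny over Allow and default deny. The evaluator is a teaching model of those rules, not the RAM service’s own engine.

```python
import fnmatch

# Constructed custom policy in Alibaba Cloud RAM policy syntax (Version "1"),
# equivalent to what the demo granted: full access to VPC, read-only OSS.
DEMO_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "vpc:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"},
    ],
}


def _matches(pattern, value):
    """RAM-style wildcard match: '*' matches any run of characters."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource="*"):
    """Simplified model of RAM policy evaluation (assumption: not the
    service's own engine). An explicit Deny wins over any Allow, and an
    action that no statement allows is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            resources = stmt.get("Resource", "*")
            if isinstance(resources, str):
                resources = [resources]
            if not any(_matches(a, action) for a in actions):
                continue
            if not any(_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny is final
            allowed = True
    return allowed


def check_demo_user():
    """Reproduce the console checks from Steps 7 and 8 against the policy."""
    policies = [DEMO_POLICY]
    return {
        "oss:PutBucket": is_allowed(policies, "oss:PutBucket"),      # False
        "oss:ListBuckets": is_allowed(policies, "oss:ListBuckets"),  # True
        "vpc:CreateVpc": is_allowed(policies, "vpc:CreateVpc"),      # True
    }
```

Attaching a second policy with a Deny statement for a single VPC action shows how a Deny overrides the earlier wildcard Allow without touching the rest of the user’s permissions.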
What We Learned In This Guide
- What is RAM
- Need for Resource Access Management (RAM)
- How to create a RAM user and assign policies to grant permissions to that RAM user