Alibaba Cloud Resource Access Management (RAM)

In this guide I will give you an overview of the Alibaba Cloud Resource Access Management (RAM) service including a console demo.

What is Resource Access Management (RAM)?

Resource Access Management (RAM) is a service provided by Alibaba Cloud that helps you securely control access to your resources.

RAM refers to a policy or framework that ensures the proper people in an organization have appropriate access to the resources.

It controls who is authenticated (signed in) and authorized (has permissions) to use the resources.

Resource Access Management (RAM) Overview

Why do we need RAM?

The following scenarios help to clarify the need for RAM:

  • By default, only the root user has access to all the resources in the root account, which means the root user has unlimited power. The root user can do everything within the root account, but if the root user accidentally deletes the account, it cannot be recovered.
  • Suppose XYZ Company is using the cloud and 5000 employees are working on it. You cannot create a root account for each employee. Instead, the admin can create RAM users from the one root account and assign each employee the proper permissions according to their role and responsibility.

Terms used in RAM

1. RAM User

  • It represents a person or an application that has a fixed ID and credentials to access the resources.
  • It is a physical identity.
  • This user does not receive individual bills and cannot make the payments.
  • RAM users do not own the resources.

2. RAM User Group

  • A RAM user group is a collection of RAM users.
  • It is an easy way to assign permissions or policies to multiple users at once.
  • Groups cannot be nested.
  • If the responsibilities of a RAM user are changed, you only need to move the RAM user to a RAM user group with the required permissions. This does not affect other RAM users.

3. RAM Role

  • It is a virtual identity and doesn’t have any credentials (password or access keys).
  • RAM roles are identities to which permission policies are attached.
  • Based on the entrusted entity, roles are divided into the following types:
    • Alibaba Cloud account: It is used for cross-account access and temporary authorization.
    • IDP: It is used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IDP.
    • Alibaba Cloud service: It is used to authorize Alibaba Cloud services to manage your resources.

4. RAM Policy

  • A policy is defined as a set of permissions.
  • You can grant permissions to users by defining a policy.
  • A policy can be deleted, created, viewed, and updated.
  • There are two types of policies:
    • System Policy: These policies cannot be modified by users.
    • Custom Policy: These policies are created, modified, and deleted by users to meet their business requirements.
Limits of RAM Users, Groups, Policies and Roles


Let’s see a demo of creating a RAM user and assigning policies to the user.

Step 1: Log in to the Alibaba Cloud Console and click on Resource Access Management.

Resource Access Management in the Alibaba Cloud console

Step 2:

  • Create a RAM user.
  • Enter a name for the RAM user in User account information.
  • In the picture below, I have given console access to the user, but you can also give the user only programmatic access, or both.
Creating a RAM User
Configuring a RAM User

Step 3: Make sure your user was created successfully, and download the CSV file if you have given programmatic access to your user.

Download CSV file

Step 4: Add the required permissions to your user.

In the picture below, I have given full access to VPC and read-only permission to OSS.

RAM permission policies

Step 5: Log in as the RAM user with the following link:

Step 6: Enter the RAM user name to log in.

Step 7: You have now created the RAM user and added the policy permissions. Let’s verify the permissions given to the RAM user.

  • First we will try to create a new bucket in OSS, as shown in the picture below:
OSS bucket creation

After this step, a pop-up appears with the error message shown below. Because the user has read-only permissions, the user cannot create OSS buckets. Write permissions are required for that action.

Error Code: AccessDenied

Step 8: Let’s check the other permission. Go to VPC and click on Create VPC.

Creating an Alibaba Cloud VPC
Alibaba Cloud VPC details

As you can see in the pictures above, the VPC is created successfully, since the RAM user has full permissions to VPC.
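
Added example (not part of the original guide and not Alibaba Cloud's own code): a simplified Python model of why the policy set attached in Step 4 produces the AccessDenied in Step 7 and the success in Step 8. The policy documents, the action names used as requests, and the resource ARNs are constructed for illustration, and the evaluator only handles Effect, Action and Resource (no Condition or NotAction elements).

```python
import json
import re

# Constructed policy mirroring Step 4: full access to VPC, read-only access to OSS.
# Simplified for illustration; not the text of any Alibaba Cloud system policy.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "vpc:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"}
  ]
}
""")

# Constructed extra policy showing that an explicit Deny overrides any Allow.
GUARDRAIL = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "vpc:Delete*", "Resource": "*"}]}

def _matches(patterns, value):
    """True if value matches any pattern; '*' matches any run of characters."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), value)
               for p in patterns)

def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"          # nothing matched: denied by default
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"   # Deny always wins
                decision = "Allow"
    return decision

if __name__ == "__main__":
    requests = [
        ("oss:PutBucket", "acs:oss:*:*:demo-bucket"),   # Step 7: create bucket
        ("oss:GetObject", "acs:oss:*:*:demo-bucket/report.csv"),
        ("vpc:CreateVpc", "acs:vpc:*:*:vpc/*"),         # Step 8: create VPC
    ]
    for action, resource in requests:
        print(f"{action:15} -> {evaluate([POLICY], action, resource)}")
```

Running the same checks against a policy before attaching it is a quick way to confirm that a user gets only the access the role requires.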

What We Learned In This Guide

  • What is RAM
  • Need for Resource Access Management (RAM)
  • How to create a RAM user and assign policies to give it permissions
