All Products
Search
Document Center

Resource Access Management:Create a RAM user

Last Updated:Sep 19, 2025

You can create Resource Access Management (RAM) users in your Alibaba Cloud account and grant them permissions to access various resources.

Procedure

  1. Log on to the RAM console using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the navigation pane on the left, choose Identities > Users.

  3. On the Users page, click Create User.

    image

  4. On the Create User page, configure the user information in the User Account Information section.

    • Logon Name: The logon name can contain letters, digits, periods (.), hyphens (-), and underscores (_). It can be up to 64 characters in length.

    • Display Name: The display name can be up to 128 characters long.

    • Tag: Click the edit icon, and then enter a tag key and tag value. Tags help you categorize and manage RAM users.

    Note

    Click Add User to create multiple RAM users at the same time.

  5. In the Access Mode section, select an access mode and set the corresponding parameters.

    For enhanced security, we recommend that you create separate users for individuals and applications. To maintain this separation, choose only one access mode for each user.

    • Console Access

      For individual users, we recommend that you enable console access. This allows them to sign in to the Alibaba Cloud Management Console using a username and password. You need to configure the following parameters:

      • Logon Password: You can choose to automatically generate a password or set a custom password. If you set a custom password, it must comply with the password complexity rules. For more information, see Set a password policy for RAM users.

      • Password Reset Required: Select whether the RAM user must reset their password upon the next logon.

      • Multi-factor Authentication (MFA): Select whether to enable MFA for the RAM user. If you enable MFA, you must also bind an MFA device. For more information, see Bind an MFA device to a RAM user.

    • Accessing with a permanent AccessKey

      If the RAM user represents an application, you can use a permanent AccessKey pair for programmatic access to Alibaba Cloud. After you enable this option, the system automatically creates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

      Important

      • The AccessKey secret is displayed only once during creation and cannot be retrieved later. You must save it in a secure location.

      • An AccessKey pair is a long-term credential for programmatic access. If an AccessKey pair is leaked, the security of all resources in your account is at risk. We recommend that you use Security Token Service (STS) tokens instead to reduce the risk of credential leaks. For more information, see Best practices for using access credentials to call OpenAPI operations.

  6. Click OK.

What to do next

  1. Grant permissions to the RAM user.

    By default, a newly created RAM user has no permissions. You must grant permissions to the RAM user before they can access Alibaba Cloud resources. For more information, see Grant permissions to RAM users.

  2. Log on to the Alibaba Cloud Management Console or call Alibaba Cloud APIs as the RAM user.

    For more information, see Log on to the Alibaba Cloud Management Console as a RAM user and Integration overview.