Hey there! If you followed the previous post on how to secure your root Alibaba account with MFA, then by now you should have a functioning and mostly secure account. With that we are ready to take the next step towards better practices: creating a secondary account for everyday use. The root account is convenient, but it is risky: a single mis-step can break your security or run up huge charges, and because the root account can do everything, there is no permission boundary to contain the damage.
In this article we will create that secondary account using Alibaba Cloud Resource Access Management (RAM). To demonstrate how the permissions work, we will also create a simple Elastic Compute Service (ECS) instance (basically a virtual machine) on Aliyun. So, let’s get started.
Log in to your Root Alibaba account
If you followed the previous article, the login will prompt you for a 6-digit code in addition to your usual email and password. You will find this code in the Google Authenticator app. Make sure to enter the latest code, as it changes every 30 seconds.
After you have logged in to your Alibaba Cloud Console, go to the Resource Access Management (RAM) console. This is where the article really starts. You should see something similar to what is shown below.
Creating Your First User
Once in the RAM console, look at the left menu; you should see the option ‘Users’. Clicking it takes you to the screen below.
As you can see, there are no users listed (your root account does not count!). We are going to create a user from this menu; once we have gone through the process, the user will appear in this list. When you click ‘Create User’, you should see something similar to what is shown below.
This is where you enter the user’s logon name and display name and select the security options. There are a few terms to notice.
1. Access Mode: This is where you select how the user will access Aliyun (another name for Alibaba Cloud). ‘Console Password Logon’ is the normal way of logging in through the web console. If the user is a developer or an automated script, you also need ‘Programmable Access’, which issues an AccessKey pair (an API key ID and secret) for use with the APIs. Only enable the mode a user actually needs: an AccessKey is a long-lived credential that is not covered by the console MFA prompt. Here we go with console logon only.
2. Console Password: The first option, ‘Automatically Generate Default Password’, does exactly that for the user you are creating, so you do not need to set a password manually. This is why I always go with it.
3. Password Reset: This determines whether the user must change the password on first logon. Always require it: the initial password was generated by, and shown to, the administrator, so it should live only until the user’s first sign-in.
4. Multi-Factor Authentication: This determines whether, just like your root account, the user account must also present a 6-digit MFA code (similar to what we went over in Part 1). For now I am setting it to Not Required; you can just go ahead and set it to ‘Required to Enable MFA’ (as we will do later on).
Click OK and you should see the new user’s credentials. Copy them now, or click ‘Download CSV File’ to download them as a CSV file; the password is shown only at this point. Treat the file as a secret, hand it to the user over a secure channel and delete it afterwards. The screen should look something like the one below.
At this point the creation of the user is virtually complete, though as it stands this user is rather useless. No permissions have been granted to it, so all it can do is log in and log out. You cannot really use it for your daily work now, can you?
Creating a User with MFA
For the sake of completeness, I am going to redo the user creation above, but this time with MFA enabled for the user as well. Refer to the image below.
Once done, I have a user that must complete MFA setup and change the password on first login. By the way, I removed the previous user and redid the steps; the result is the same and you should see an identical screen. If you do not want MFA, skip this; it works either way.
Also, don’t bother trying to sign in with these credentials. It won’t work: I removed this user at the end of the tutorial 😊.
Next, go back to the RAM console overview. On the right side, under ‘Account Management’, you should see a link under ‘RAM User Logon’. RAM users must use this link, not the root sign-in page, to log in to the console.
When you sign in using that link, you will be walked through the formalities: changing the autogenerated password to one of your own, then scanning a QR code with your authenticator app, just as you did for the root account (refer to Part 1).
Once that is done, open the RAM console as this user. You should see something similar to the screen below.
The User “Works”
The newly made user just “works”, in the sense that it can log in and log out and nothing else. Every other Alibaba Cloud service is denied to it, because no policy is attached to it. We will see this by trying to launch an ECS instance; if you would rather skip that, move on to the next section, where we grant permissions.
Click the hamburger menu at the top left of your new user’s Aliyun console and go to ‘Elastic Compute Service’. This opens the ECS console (we will explore it in depth in a future article). Normally this is where you launch ECS instances, so let’s try. The screen should look similar to the one below.
Click ‘Create Instance’. This takes you to the screen below, where you select the basic configuration of your ECS instance. Pick the instance type (I go with t5.micro, as it is the cheapest and the bare minimum). For Billing Method, choose ‘Pay-As-You-Go’. You also need to select the OS type and version; for now just go with ‘Aliyun Linux’ and pick a version you see fit.
Leave the remaining settings on that screen at their defaults and click ‘Next: Networking’. This should open the screen shown below.
Ideally you would select a ‘Security Group’ here (again, a topic for a future article; for now, think of a security group as a stateful firewall around a set of ECS instances, and every ECS instance must belong to one). However, since the current user has no permissions, we cannot assign a security group to the instance. In fact, this user is not even allowed to list the security groups that exist: the console’s call to describe them (the ecs:DescribeSecurityGroups action) is denied.
To remedy this, log back in with the root account and grant some permissions to this user.
Granting Permissions to the User
Follow the usual steps: log in with the root account and go to the RAM console. We are going to stick to best practices here. In Alibaba Cloud, the identity you grant permissions to (a user, a group or a RAM role) is called a ‘Principal’, and permissions are granted by attaching policies to it. A policy can be one of the system policies provided by Alibaba Cloud or a fine-grained custom policy written for your needs. For this tutorial we will not write any custom policies.
Think of a scenario: you are the Cloud Architect at a company with two teams, five developers and two auditors. The developers need broad access to Alibaba Cloud resources, the auditors do not. The developers may need edit permissions on services like ECS, OSS or Container Service, while the auditors can make do with read-only (Viewer) access.
Now, what happens when a developer or auditor leaves? You could hand the old account to the replacement and tell them to change the password. Even assuming everyone complies, is that really a viable option? Recycled accounts also destroy accountability: the audit trail no longer tells you who did what.
Perhaps at this point you would consider removing the old users, creating new ones and assigning them permissions all over again?
If you read the previous article, you should have a fair intuition about groups by now, and this is where they come in. A group is a collection of users, used to segregate users by level of access or by the kind of tasks they perform. Just like users, groups can be principals for policy grants; a user inherits the group’s policies for as long as it is a member, so on- and off-boarding becomes a matter of adding or removing the user from the group rather than redoing the grants.
Using groups for user management is a tenet of cloud best practice, which is why we are going to follow it here. In the RAM console you should see an option for Groups. Once you click it, the following screen should appear.
Creating a group is quite similar to creating a user. Once you enter the group name and display name and create the group, it should appear in the list. I have named mine ‘Group 1’, as shown below.
Next, go to Grants in the left-hand menu. It should show a similar screen; this is where you choose a principal for the grant. Refer to the image below.
Click ‘Grant Permission’. This opens a blade on the right. In the Principal field, type the name of the group; it should appear, so select it. Under Select Policy, choose the System Policy option or, if you have previously made a custom policy, the Custom Policy radio button (you may also create a policy here). For simplicity I have chosen ‘AliyunOSSFullAccess’ and ‘AliyunECSFullAccess’ from under ‘System Policy’. Note that the FullAccess policies are deliberately generous for a tutorial; for real teams, prefer a custom policy that lists only the actions the group needs.
This grants the group, and by extension every user in the group, full access to OSS and ECS on Alibaba Cloud. Click ‘OK’ to confirm and then click ‘Confirm’. You should see the group listed as the principal of the selected policies, as in my case below.
Next, add the user to the group: go to Groups, click the group’s name and then ‘Add Group Members’. The users you have created appear in the blade on the right; in my case User 1 is displayed and I select it. Click ‘OK’. Your screen should look similar to the one below.
The user should now be listed as a member of the group. The tutorial is practically over at this step. However, to prove that the user has inherited the permissions of its group, let’s launch an ECS instance this time and see what happens.
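To make the group inheritance and the policy semantics concrete, here is a small model of how RAM decides a request, added for this article (it is not Alibaba’s evaluator). It uses RAM’s policy document syntax (Version "1", Statement with Effect/Action/Resource), approximates what AliyunECSFullAccess and AliyunOSSFullAccess grant, and adds a hypothetical custom ‘ECSReadOnly’ policy for the auditors from the scenario above; the group and user names are constructed. It shows the three outcomes the tutorial walks through: a fresh user with nothing attached is implicitly denied, a member of the developer group gets everything ECS and OSS, and an explicit Deny always beats an Allow, even one inherited from another group.

```python
import fnmatch

# Constructed policy documents in Alibaba RAM's policy syntax.
# The two "system" policies approximate the real AliyunECSFullAccess /
# AliyunOSSFullAccess; ECSReadOnly is a hypothetical custom policy.
POLICIES = {
    "AliyunECSFullAccess": {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}],
    },
    "AliyunOSSFullAccess": {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
    },
    "ECSReadOnly": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:List*"], "Resource": "*"},
            # Explicit Deny: auditors must never delete, whatever else they inherit.
            {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*"},
        ],
    },
}

# Groups are the principals the policies are attached to (constructed names).
GROUPS = {
    "Developers": ["AliyunECSFullAccess", "AliyunOSSFullAccess"],
    "Auditors": ["ECSReadOnly"],
}

# Users carry only group memberships here; nothing is attached directly.
USERS = {
    "User 1": {"groups": ["Developers"], "policies": []},
    "auditor1": {"groups": ["Auditors"], "policies": []},
    "team-lead": {"groups": ["Developers", "Auditors"], "policies": []},
    "fresh-user": {"groups": [], "policies": []},  # just created, no grants yet
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def effective_policies(user: str) -> list:
    """Policies attached to the user directly plus those inherited via groups."""
    names = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        names.extend(GROUPS[group])
    return names


def is_allowed(user: str, action: str, resource: str = "*") -> bool:
    """RAM-style decision: explicit Deny wins over Allow; no match is an implicit deny.

    Action and Resource patterns support '*' wildcards, e.g. 'ecs:Describe*'."""
    allowed = False
    for name in effective_policies(user):
        for stmt in POLICIES[name]["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # a single matching Deny ends the evaluation
            allowed = True
    return allowed


def access_report(user: str, actions: list) -> dict:
    """Map each action to the decision for this user (handy for reviewing a grant)."""
    return {action: is_allowed(user, action) for action in actions}


if __name__ == "__main__":
    checks = ["ecs:DescribeSecurityGroups", "ecs:RunInstances",
              "ecs:DeleteInstance", "oss:PutObject"]
    for user in USERS:
        print(f"{user:>10}: {access_report(user, checks)}")
```

Run it and compare ‘fresh-user’ (every action denied, which is exactly why the security group list was empty earlier) with ‘User 1’ after joining the group. The ‘team-lead’ row is the one to study before you mix groups in real life: membership in Auditors removes ecs:DeleteInstance even though Developers grants ecs:*.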
Launching an Alibaba ECS Instance with the Modified User
Log in with the user you created and added to the group, then open the ECS console from the Alibaba Cloud Console and click ‘Create Instance’. Select the same options as before and move on to the ‘Networking’ section of the launch wizard. This time it should show the default security group that ships with every account; in fact, it should be selected by default, because the group’s ECS policy now allows the user to describe security groups.
For bandwidth billing I prefer ‘Pay-By-Bandwidth’, as it is cheaper in some scenarios. With the basic configuration done, we move on to System Configuration and then ‘Preview’, since this is not a deep dive on ECS (I plan to do one in a future article).
Refer to the image below.
The screen below appears under System Configuration. There are three options for logon credentials. I choose Password, since that is what I am comfortable with; for anything that stays up for more than a test, a key pair is the stronger choice, because a root password on an internet-facing SSH port invites brute-forcing. If you also go with Password, set the logon password and then click Preview, as shown on the following screen.
After you click ‘Preview’, a summary of the instance about to be created is displayed, with the estimated cost below it. Click ‘Create Instance’ to confirm, as shown below.
Once the creation is initiated, you are directed back to the ECS console, where you can see the instance being created. When it has been created successfully, its status should show ‘Running’, as below.
You can use the options shown above to play around with the instance. Let’s find out whether the user can connect to it. Click ‘Connect’ on the right side of the listed instance; this opens an in-browser VNC console session in a new tab.
You may be prompted for a ‘VNC Password’; set one if this is your first time. After that, the familiar Linux CLI appears, and you log in as root with the password you set during instance creation. Refer to the image below.
As shown in the image, this concludes the tutorial. We learnt how to secure the root account and how to create a new user in the Alibaba RAM console. We also covered a few best practices and wrapped up by deploying an ECS instance from the new user account. You can now grant this user the permissions it needs and use it instead of the root account, which is itself one of the better practices to adopt. Remember to release the instance you just created, as it keeps being billed for as long as it exists. If you plan to play around with it, knock yourself out!