RAM User Access Keys Rotation

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: AlibabaCloud-RAM-009

Ensure that your RAM user access keys are rotated every 90 days or less in order to decrease the likelihood of accidental exposures and protect your Alibaba Cloud resources against unauthorized access.

Security

Rotating RAM user credentials periodically will significantly reduce the chances that a compromised set of access keys can be used without your knowledge to access certain components and resources within your Alibaba Cloud account.


Audit

To determine if your Alibaba Cloud RAM users have any outdated access keys, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the RAM user that you want to examine, listed in the User Logon Name/Display Name column.

05 Select the Authentication tab to access the authentication configuration information available for the selected user.

06 Check the resource creation date, listed in the Created At column, for each active access key available in the User AccessKeys section to determine the key age. An active access key has the Status set to enabled. If an active key is older than 90 days, the access key is outdated and needs to be re-created in order to secure the access to your Alibaba Cloud resources.

07 Repeat steps no. 4 – 6 for each RAM user available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ListUsers command (OSX/Linux/UNIX) with custom output filters to list the name of each RAM user available within your Alibaba Cloud account:

aliyun ram ListUsers \
  --output cols=UserName

02 The command output should return a list with the requested RAM user identifiers:

UserName
--------
tm-project-admin
tm-project-developer

03 Run ListAccessKeys command (OSX/Linux/UNIX) with the name of the Resource Access Management (RAM) user that you want to examine as the identifier parameter, to describe the access keys created for the selected RAM user:

aliyun ram ListAccessKeys \
  --UserName tm-project-admin

04 The command output should return the information available for each access key created for the selected RAM user. If the "AccessKey" array is empty (i.e. []), the user has no access keys:

{
	"AccessKeys": {
		"AccessKey": [
			{
				"Status": "Active",
				"AccessKeyId": "ABCD1234ABCD1234ABCD1234",
				"CreateDate": "2023-07-10T10:50:06Z"
			},
			{
				"Status": "Active",
				"AccessKeyId": "1234ABCD1234ABCD1234ABCD",
				"CreateDate": "2023-07-18T20:54:58Z"
			}
		]
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "CreateDate" attribute value (timestamp) for each active access key returned by the ListAccessKeys command output to determine the key age. An active access key has the "Status" attribute set to "Active". If an active key is older than 90 days, the access key is outdated and needs to be re-created in order to secure the access to your Alibaba Cloud resources.

05 Repeat steps no. 3 and 4 for each RAM user available within your Alibaba Cloud account.
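The age check in steps 4 and 5 is easy to get wrong by hand across many users and keys, so here is an added example (not Conformity's or Alibaba Cloud's code) that applies the rule to the JSON shape returned by the ListAccessKeys command above. It parses the "CreateDate" timestamps, flags only keys whose "Status" is "Active" and whose age exceeds 90 days, and builds the corresponding UpdateAccessKey disable command from the remediation section without executing anything. The sample document, the reference date and the extra "Inactive" key are constructed for the example; the 90-day threshold comes from the rule.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aliyun ram ListAccessKeys` output shown on
# this page, plus one already-disabled key to show that it is skipped.
SAMPLE_LIST_ACCESS_KEYS = """
{
  "AccessKeys": {
    "AccessKey": [
      {"Status": "Active",   "AccessKeyId": "ABCD1234ABCD1234ABCD1234", "CreateDate": "2023-07-10T10:50:06Z"},
      {"Status": "Active",   "AccessKeyId": "1234ABCD1234ABCD1234ABCD", "CreateDate": "2023-07-18T20:54:58Z"},
      {"Status": "Inactive", "AccessKeyId": "0000ABCD0000ABCD0000ABCD", "CreateDate": "2023-01-01T00:00:00Z"}
    ]
  },
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}
"""

MAX_KEY_AGE_DAYS = 90  # threshold from the rule: keys older than 90 days are outdated


def parse_create_date(value):
    """RAM returns UTC timestamps with a trailing Z; turn them into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outdated_keys(list_access_keys_json, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(AccessKeyId, age_in_whole_days)] for active keys older than max_age_days.

    Keys that are not "Active" are skipped: the rule scores active keys, and a
    disabled key is handled by the delete step of the remediation, not rotated.
    A key that is exactly max_age_days old is not flagged ("older than 90 days").
    """
    doc = json.loads(list_access_keys_json)
    keys = doc.get("AccessKeys", {}).get("AccessKey", [])
    flagged = []
    for key in keys:
        if key.get("Status") != "Active":
            continue
        age = now - parse_create_date(key["CreateDate"])
        if age > timedelta(days=max_age_days):
            flagged.append((key["AccessKeyId"], age.days))
    return flagged


def disable_commands(user_name, flagged):
    """Build the `aliyun ram UpdateAccessKey --Status Inactive` invocation from the
    remediation section for each flagged key. Strings only; nothing is executed."""
    return [
        f"aliyun ram UpdateAccessKey --UserName {user_name} "
        f"--UserAccessKeyId {key_id} --Status Inactive"
        for key_id, _ in flagged
    ]


if __name__ == "__main__":
    reference_now = datetime(2024, 1, 20, tzinfo=timezone.utc)  # constructed reference date
    flagged = outdated_keys(SAMPLE_LIST_ACCESS_KEYS, reference_now)
    for key_id, days in flagged:
        print(f"tm-project-admin: {key_id} is {days} days old (> {MAX_KEY_AGE_DAYS})")
    for cmd in disable_commands("tm-project-admin", flagged):
        print(cmd)
```

In practice you would feed the script the real ListAccessKeys output for each user name returned by ListUsers and use the current UTC time as the reference; the emitted UpdateAccessKey commands are meant to be run only after the replacement key from the remediation steps is in place and verified.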

Remediation / Resolution

To rotate (re-create) your outdated Resource Access Management (RAM) user access keys, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Identities, choose Users.

04 Click on the name (link) of the RAM user that you want to configure, listed in the User Logon Name/Display Name column.

05 Select the Authentication tab to access the authentication configuration information available for the selected user.

06 Choose Create AccessKey from the User AccessKeys section to create a new set of access keys required for key rotation. If the RAM user already has two access keys and the Create AccessKey button is not active, follow the instructions outlined at steps no. 9 – 11 to disable and remove the outdated key first.

07 In the Create AccessKey confirmation box, choose Download CSV File to save the new access key ID and secret access key to a CSV file on your device or copy the AccessKey ID and AccessKey Secret strings to a text file. Alibaba Cloud will not provide access to the new secret access key again once the Create AccessKey confirmation box is closed so make sure that you save your credentials in a safe location before you close the box. Choose OK to return to the RAM console.

08 Update all your applications and systems to replace the outdated access key ID and secret access key with the new ones created at the previous step.

09 Once the new access key is validated, return to the RAM console, identify the outdated access key under User AccessKeys, and choose Disable to change the state of the selected key to disabled. In the Disable confirmation box, choose Disable to decommission the selected key.

10 Test all your applications and systems to make sure that the new key pair is working as expected.

11 Once you are sure that your applications and systems are no longer using the original access key, return to the RAM console, identify the disabled access key, and choose Delete to remove the selected key. In the Delete confirmation box, enter the key ID and choose Move to Recycle Bin to move the selected key to the recycle bin.

12 Repeat steps no. 4 – 11 for each outdated RAM user access key available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run CreateAccessKey command (OSX/Linux/UNIX) to create a new set of access keys for the selected RAM user, required for key rotation:

aliyun ram CreateAccessKey \
  --UserName tm-project-admin

02 The command output should return the access key information:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"AccessKey": {
		"Status": "Active",
		"AccessKeyId": "1234ABC01234ABC01234ABC0",
		"AccessKeySecret": "abcd1234abcd1234abcd1234abcd1a",
		"CreateDate": "2024-01-20T10:08:54Z"
	}
}

03 Update all your applications and systems to replace the outdated access key ID and secret access key with the new ones created at the previous step.

04 Run UpdateAccessKey command (OSX/Linux/UNIX) to disable (decommission) the outdated access key:

aliyun ram UpdateAccessKey \
  --UserName tm-project-admin \
  --UserAccessKeyId ABCD1234ABCD1234ABCD1234 \
  --Status Inactive

05 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

06 Test all your applications and systems to make sure that the new key pair is working as expected.

07 Once you are sure that your applications and systems are no longer using the original access key, run DeleteAccessKey command (OSX/Linux/UNIX) to delete the outdated access key:

aliyun ram DeleteAccessKey \
  --UserName tm-project-admin \
  --UserAccessKeyId ABCD1234ABCD1234ABCD1234

08 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

09 Repeat steps no. 1 – 8 for each outdated RAM user access key available within your Alibaba Cloud account.

Publication date Feb 23, 2024