Alibaba Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Alibaba, this is done through a RAM (Resource Access Management) user. A RAM user is a RAM identity with a fixed ID and credential information that represents a person or an application. RAM users are visible only to the Alibaba Cloud account to which they belong. Like a normal user, a RAM user can be given specific roles so that it has permission over the services it needs to access. The RAM user created here is limited to the account and has only a Read-Only role over it.


Default Setup

Step 1: Navigate to the Cloud Accounts page. Click Connect Account on the top right.


Step 2: Choose Alibaba Cloud Service under Account Type and Manual Setup under Method.


Step 3: Create a new RAM user in the Alibaba portal.

  1. On the Alibaba Cloud console, select Products from the left-side navigation pane to view the complete list of products and services.
  2. Type RAM in the search bar. Click Resource Access Management from the displayed list of services to open its console. 
  3. On the RAM console, click Users under Identities in the left-side navigation pane.
  4. On the Users page, click Create User. Note: The Users page has a list of already created RAM users. 
  5. Set the Logon Name and Display Name (preferably AquaScanner) parameters. 
  6. In the Access Mode section, select Programmatic Access. With this access mode, an AccessKey pair (AccessKey ID and AccessKey secret) is automatically created for the RAM user. The RAM user can access Alibaba Cloud resources through the API or other development tools.
  7. Click OK and click Complete. The console then provides the AccessKey ID and secret. You can copy them or download the CSV file and save it for further use, or regenerate the key pair as shown in step #10.
  8. On the Users page, find the RAM user to which you want to grant permissions. For example, the second user is selected in the screenshot below. 
  9. Click Add Permissions under the Permissions tab.
  10. In the Add Permissions panel, add permissions to the RAM user.
    • Authorized Scope: Select the authorization scope as Alibaba Cloud Account (the permissions take effect on the current Alibaba Cloud account).
    • Principal: Specify the principal. The principal is the RAM user to which permissions are granted. By default, the current RAM user is listed. You can also specify additional RAM users.
    • Select Policy: Select ReadOnlyAccess from the System Policy list. You can type and search for the policy in the search bar provided above the list. 
  11. To generate an AccessKey ID and secret, select the desired user, navigate to the Authentication tab on the user page, and click Create AccessKey.

Step 4: On the Aqua console, enter the Access Key and Secret in the appropriate text boxes and click Connect Account.
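
A check for the RAM user created in Step 3, as an added example that is not part of the Aqua documentation: it reads saved output of the RAM API calls ListPoliciesForUser and ListAccessKeys and reports anything beyond the single ReadOnlyAccess system policy and one active AccessKey. The JSON field layout and the sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample, shaped like saved output of the RAM API calls
# ListPoliciesForUser and ListAccessKeys. The field layout is an assumption;
# adjust the keys if your output differs.
SAMPLE_POLICIES = json.loads("""
{"Policies": {"Policy": [
  {"PolicyName": "ReadOnlyAccess", "PolicyType": "System"},
  {"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System"}
]}}
""")
SAMPLE_KEYS = json.loads("""
{"AccessKeys": {"AccessKey": [
  {"AccessKeyId": "LTAI-EXAMPLE-1", "Status": "Active"},
  {"AccessKeyId": "LTAI-EXAMPLE-2", "Status": "Active"}
]}}
""")

# The only grant the guide asks for in the Add Permissions panel.
EXPECTED_POLICY = ("System", "ReadOnlyAccess")


def audit_scanner_user(policies_doc, keys_doc):
    """Return a list of findings; an empty list means the user matches the guide."""
    findings = []
    attached = {
        (p.get("PolicyType", "?"), p.get("PolicyName", "?"))
        for p in policies_doc.get("Policies", {}).get("Policy", [])
    }
    if EXPECTED_POLICY not in attached:
        findings.append("ReadOnlyAccess system policy is not attached")
    for ptype, pname in sorted(attached - {EXPECTED_POLICY}):
        findings.append(f"unexpected {ptype} policy attached: {pname}")

    # Creating the user with programmatic access and then clicking
    # Create AccessKey leaves two key pairs; only one is needed.
    active = [
        k.get("AccessKeyId")
        for k in keys_doc.get("AccessKeys", {}).get("AccessKey", [])
        if k.get("Status") == "Active"
    ]
    if not active:
        findings.append("no active AccessKey; the scanner cannot authenticate")
    elif len(active) > 1:
        findings.append(f"{len(active)} active AccessKeys; disable the unused one")
    return findings


if __name__ == "__main__":
    for line in audit_scanner_user(SAMPLE_POLICIES, SAMPLE_KEYS) or ["OK"]:
        print(line)
```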