Alibaba Cloud Resource Access Management (RAM) SDK for Python
The `alibabacloud-ram20150501` library is the official Python SDK for interacting with Alibaba Cloud's Resource Access Management (RAM) service, allowing developers to programmatically manage users, groups, roles, and access policies. It is part of the broader Alibaba Cloud Python SDK ecosystem. The current version is 1.2.1, and the library is actively maintained with regular updates.
Common errors
- `ErrorCode: NoPermission ErrorMessage: Roles may not be assumed by root accounts.`
  - Cause: Attempting to use the Alibaba Cloud root account's AccessKey to assume an STS role, which is not allowed.
  - Fix: Use the AccessKey pair of a RAM user (who has `AliyunSTSAssumeRoleAccess` permission) instead of the root account.
- `Error code: InvalidAccessKeyId.NotFound Error message: Specified access key is not found`
  - Cause: The provided AccessKey ID is incorrect, has leading/trailing spaces, or the AccessKey is disabled or non-existent.
  - Fix: Verify the AccessKey ID for accuracy, ensure it's active in the RAM console, and remove any extra spaces.
- `MissingParameter, The input parameter “parameter name” that is mandatory for processing this request is not supplied.`
  - Cause: A required parameter for the specific API operation was not provided in the request object.
  - Fix: Consult the API documentation for the method being called (`ram_20150501_models.YourRequestClass`) and ensure all mandatory fields are populated.
- `401 Authorization Failed`
  - Cause: The authentication token is missing, incorrect, expired, or used improperly, preventing the SDK from authorizing the request.
  - Fix: Ensure your `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variables are correctly set and valid. Verify that the RAM user associated with the AccessKey has the necessary permissions.
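A local pre-flight check for the credential defects listed above (unset variables, stray whitespace around the AccessKey ID), as an added example that is not part of the SDK or of this page's original code. The function names and sample values are constructed for illustration; the check only inspects environment variables and makes no API call.

```python
import os

# Variable names are the ones this page tells you to set.
KEY_VARS = ("ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET")


def mask(value, keep=4):
    """Show only the first few characters so findings are safe to log."""
    value = value.strip()
    return value[:keep] + "*" * max(len(value) - keep, 0)


def check_access_key_env(env=None):
    """Return a list of (variable, problem) findings; empty means no local defect."""
    env = os.environ if env is None else env
    findings = []
    for name in KEY_VARS:
        raw = env.get(name)
        if raw is None or raw == "":
            findings.append((name, "not set or empty"))
            continue
        if raw != raw.strip():
            findings.append((name, "leading/trailing whitespace"))
        core = raw.strip()
        if len(core) >= 2 and core[0] == core[-1] and core[0] in "'\"":
            findings.append((name, "value is wrapped in literal quotes"))
        if any(ch.isspace() or not ch.isprintable() for ch in core):
            findings.append((name, "whitespace or control character inside value"))
    return findings


def report(env=None):
    """Human-readable report that never prints the secret and masks the ID."""
    env = os.environ if env is None else env
    lines = [f"{name}: {problem}" for name, problem in check_access_key_env(env)]
    key_id = env.get(KEY_VARS[0], "")
    if key_id.strip():
        lines.append(f"AccessKey ID in use: {mask(key_id)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a key ID pasted with a trailing newline, secret missing.
    sample = {"ALIBABA_CLOUD_ACCESS_KEY_ID": "EXAMPLEKEYID0001\n"}
    print("\n".join(report(sample)))
```

An empty result only rules out these local defects; a disabled key or a RAM user without permissions still has to be checked in the RAM console.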
Warnings
- gotcha: Avoid using your Alibaba Cloud root account's AccessKey (AK) and SecretKey (SK) directly in applications. Always create and use a RAM user with appropriate, least-privilege permissions for enhanced security.
- breaking: By default, new RAM users have no permissions. Any API calls will result in `AccessDenied` errors if the RAM user is not explicitly granted the required permissions.
- gotcha: Incorrect or missing endpoint configuration can lead to connection errors or requests being sent to the wrong region/service. While `ram.aliyuncs.com` is a common endpoint, specific regions might have their own.
Install
- `pip install alibabacloud-ram20150501`
Imports
- Client: `from alibabacloud_ram20150501.client import Client`
- models: `from alibabacloud_ram20150501 import models as ram_20150501_models`
- Config: `from alibabacloud_tea_openapi.models import Config`
- CredentialClient: `from alibabacloud_credentials.client import Client as CredentialClient`
- RuntimeOptions: `from alibabacloud_tea_util.models import RuntimeOptions`
Quickstart
```python
import json

from alibabacloud_ram20150501.client import Client as Ram20150501Client
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_openapi.models import Config as OpenApiConfig
from alibabacloud_ram20150501 import models as ram_20150501_models
from alibabacloud_tea_util.models import RuntimeOptions

# It is highly recommended to use environment variables for AccessKey credentials.
# For example:
#   export ALIBABA_CLOUD_ACCESS_KEY_ID='your_access_key_id'
#   export ALIBABA_CLOUD_ACCESS_KEY_SECRET='your_access_key_secret'

# Configure Client
# The CredentialClient will automatically pick up credentials from environment variables
# or other configured sources.
credential = CredentialClient()
config = OpenApiConfig(
    credential=credential,
    endpoint='ram.aliyuncs.com'  # Specify the appropriate endpoint for RAM
)

# Initialize the RAM client
client = Ram20150501Client(config)

# Example: Create a user request
create_user_request = ram_20150501_models.CreateUserRequest(
    user_name='example_ram_user_py_sdk',
    display_name='Example RAM User Python SDK',
    comments='Created by Python SDK quickstart'
)

# Set runtime options (optional)
runtime_options = RuntimeOptions()

try:
    # Call the CreateUser API
    response = client.create_user_with_options(create_user_request, runtime_options)
    print("Successfully created RAM user:")
    print(json.dumps(response.to_map(), indent=2, default=str))
except Exception as error:
    # Not every exception carries .message or .data, so read both defensively.
    message = getattr(error, 'message', None) or str(error)
    print(f"Error creating RAM user: {message}")
    data = getattr(error, 'data', None) or {}
    if data.get('Recommend'):
        print(f"Recommendation: {data.get('Recommend')}")

# Clean up (optional: delete the created user)
# Uncomment and provide the actual user_name to delete
# delete_user_request = ram_20150501_models.DeleteUserRequest(
#     user_name='example_ram_user_py_sdk'
# )
# try:
#     client.delete_user_with_options(delete_user_request, runtime_options)
#     print(f"Successfully deleted RAM user: {delete_user_request.user_name}")
# except Exception as error:
#     print(f"Error deleting RAM user: {getattr(error, 'message', None) or error}")
```