# es-security

Part of **ES**

# Elasticsearch Security Console Guide

## Operations Overview

| Operation | Console Entry Path | Prerequisites | Description |
|----------|-------------------|--------------|-------------|
| Create AccessKey and Configure Environment | Console > Security > RAM > Users > Create AccessKey | - An Alibaba Cloud account with RAM service enabled<br>- A RAM user created and configured with appropriate permissions<br>- Access to the Alibaba Cloud console | Generate an AccessKey pair for a RAM user and set up environment variables for API authentication on Linux/macOS/Windows. |

## Step-by-Step Instructions

### Create AccessKey and Configure Environment

**Navigation**: Console > Security > RAM > Users > Create AccessKey

**Prerequisites**:
- An Alibaba Cloud account with RAM service enabled
- A RAM user created and configured with appropriate permissions
- Access to the Alibaba Cloud console

1. Navigate to the RAM console and select **Users** from the left navigation panel  
   - Element: **Users** (menu) — located in the left navigation panel  
   - Notes: Ensure you are in the correct region if prompted.

2. Click on the target RAM user's name to open the user details page  
   - Element: **User name link** (link) — located in the main content area under the Users list  
   - Notes: The user must already exist and have necessary permissions assigned.

3. Click the **Create AccessKey** button in the AccessKey section  
   - Element: **Create AccessKey** (button) — located in the top-right corner of the AccessKey section on the user details page  
   - Notes: The system will generate a new AccessKey ID and secret. **Download or copy them immediately**, as the secret is only displayed once. A dialog will appear showing the credentials.

**Form Fields**: None

## FAQ

Q: Where can I find the AccessKey after creation if I didn’t save it?
A: You cannot retrieve the AccessKey secret again after closing the initial display dialog. If lost, you must create a new AccessKey or use existing ones listed in the AccessKey section of the RAM user page (secrets are hidden, but IDs are visible).

Q: Can I create multiple AccessKeys for the same RAM user?
A: Yes, a RAM user can have up to two active AccessKeys at a time. You can create a new one if fewer than two exist, or delete an existing one first.

Q: Do I need special permissions to create an AccessKey?
A: Yes, the RAM user (or the administrator acting on their behalf) must have the `ram:CreateAccessKey` permission granted via a policy.

Q: Is there a cost associated with creating or using AccessKeys?
A: No, creating and managing AccessKeys through RAM is free. However, API calls made using the AccessKey may incur charges based on the services accessed.

Q: Can I disable or delete an AccessKey without deleting the RAM user?
A: Yes. On the RAM user’s AccessKey section, you can toggle the status to **Inactive** or click **Delete** next to the AccessKey ID to revoke it permanently.

## Pricing & Billing

### Billing Model
Creating AccessKeys and using RAM users is free of charge.

### Free Tier
Creating AccessKeys and using RAM users is free of charge.

### Billing Notes
AccessKey usage is billed based on the resources accessed via the API calls it authorizes. The AccessKey itself does not incur direct charges.