You can grant permissions to a Resource Access Management (RAM) role that you created for a trusted Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). This topic describes how to grant permissions to RAM roles.
Limits
You cannot grant permissions to service-linked roles by attaching policies to the roles. This is because the policies that are attached to this type of role are defined by the linked cloud services. For more information, see Service-linked roles.
For more information about the maximum numbers of system policies and custom policies that can be attached to each RAM role, see Limits.
Method 1: Grant permissions to a RAM role by clicking Grant Permission on the Roles page
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role to which you want to grant permissions and click Grant Permission in the Actions column.
You can also select multiple RAM roles and click Grant Permission below the RAM role list to grant permissions to multiple RAM roles at a time.
In the Grant Permission panel, grant permissions to the RAM role.
Set the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The permissions take effect in a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Specify the principal.
The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
Select the custom policy.
Note: You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.
Click OK.
Click Complete.
Method 2: Grant permissions to a RAM role by clicking Precise Permission on the Roles page
If you know the exact name of a policy, you can grant permissions to a RAM role by clicking Input and Attach in the Actions column of the RAM role on the Roles page. By default, the authorization scope is the current Alibaba Cloud account. For more information about how to view the name of a policy, see View the basic information about a policy.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click the name of the RAM role that you created.
Find the created RAM role and click Precise Permission in the Actions column.
In the Precise Permission panel, set the Type parameter to System Policy or Custom Policy and enter a policy name.
Click OK.
Click Close.
Method 3: Grant permissions to a RAM role on the Grants page
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Permission page, click Grant Permission.
In the Grant Permission panel, grant permissions to the RAM role.
Set the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The permissions take effect in a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Specify the principal.
The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
Select the custom policy.
Note: You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.
Click OK.
Click Complete.