You can edit the trust policy that is attached to a RAM role to change the trusted entity of the role. The trust policy decides who may call sts:AssumeRole on the role; the permission policies attached to the role decide what the assumed role may do. This topic describes how to change the trusted entity of a RAM role to an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider (IdP).
Procedure
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, click RAM Roles.
- On the page that appears, click the name of the RAM role in the RAM Role Name column.
- On the page that appears, click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
- Modify the trust policy and click OK. The change takes effect for new sts:AssumeRole calls; sessions that were already issued keep their original duration.
Change the trusted entity of a RAM role to an Alibaba Cloud account
If the Principal element in a trust policy includes the RAM field, the trusted entity is an Alibaba Cloud account. The RAM role to which the policy is attached can be assumed by RAM users or RAM roles of the trusted Alibaba Cloud account that have been granted permission to call sts:AssumeRole. The trusted account can be the current account or a different account.
In the following policy, the RAM role can be assumed by all authorized RAM users of the Alibaba Cloud account whose ID is 123456789012****. This is the broadest form of account trust: every RAM user in that account that is allowed to call sts:AssumeRole can assume the role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::123456789012****:root"
        ]
      }
    }
  ],
  "Version": "1"
}
If you configure the Principal element as follows, the RAM role can be assumed only by the RAM user named testuser of the Alibaba Cloud account whose ID is 123456789012****.
"Principal": {
  "RAM": [
    "acs:ram::123456789012****:user/testuser"
  ]
}
If you configure the Principal element as follows, the RAM role can be assumed only by the RAM role named testrole of the Alibaba Cloud account whose ID is 123456789012****. This is how you chain roles: a session of testrole can assume this role.
"Principal": {
  "RAM": [
    "acs:ram::123456789012****:role/testrole"
  ]
}
Change the trusted entity of a RAM role to an Alibaba Cloud service
If the Principal element in a trust policy includes the Service field, the trusted entity is an Alibaba Cloud service. The RAM role to which the policy is attached can be assumed by the trusted Alibaba Cloud service on behalf of the current Alibaba Cloud account, for example so that the service can access your resources without long-term credentials.
For example, the following trust policy indicates that the RAM role can be assumed by the Elastic Compute Service (ECS) service of the current Alibaba Cloud account.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Change the trusted entity of a RAM role to an IdP
If the Principal element includes the Federated field, the trusted entity is an IdP. The RAM role can be assumed by all users in the IdP whose SAML assertions name the role.
In the following policy, the RAM role can be assumed by all users in the IdP named testprovider of the Alibaba Cloud account whose ID is 123456789012****. The Condition element additionally requires the recipient of the SAML response to be the Alibaba Cloud SSO endpoint https://signin.alibabacloud.com/saml-role/sso, so that a SAML response issued for some other service provider cannot be replayed to assume the role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "acs:ram::123456789012****:saml-provider/testprovider"
        ]
      },
      "Condition": {
        "StringEquals": {
          "saml:recipient": "https://signin.alibabacloud.com/saml-role/sso"
        }
      }
    }
  ],
  "Version": "1"
}
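Before pasting a trust policy into the Edit Trust Policy dialog, it is worth generating it from a template and checking it for the mistakes that matter most: a malformed principal, a wildcard, an account-wide root trust, an unexpected cross-account trust, or a Federated principal without the saml:recipient pin. The following Python script is an added example written for this page, not Alibaba Cloud's own tooling. It builds the three kinds of policy shown above (account, service, IdP) and audits any trust policy dict. The account ID, the user, role and provider names, and the own_account argument are constructed placeholders; the severity labels and the regular expressions for the ARN shapes are the example's own assumptions.

```python
import json
import re

# Example code added to this page, not Alibaba Cloud's own tooling. Account IDs,
# user/role/provider names and the own_account argument are constructed placeholders.

SAML_SSO_RECIPIENT = "https://signin.alibabacloud.com/saml-role/sso"

# Assumed ARN shapes for the three Principal fields used in the text. A sixteen-character
# account field also accepts the masked IDs the page uses (123456789012****).
RAM_ARN = re.compile(r"^acs:ram::(?P<account>[0-9*]{16}):(?P<kind>root|user/[^/\s]+|role/[^/\s]+)$")
SAML_ARN = re.compile(r"^acs:ram::(?P<account>[0-9*]{16}):saml-provider/[^/\s]+$")
SERVICE_NAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.aliyuncs\.com$")


def build_trust_policy(kind, value, condition=None):
    """Return a one-statement trust policy that trusts `value` of the given kind
    ("RAM", "Service" or "Federated"), in the shape the console expects."""
    if kind not in ("RAM", "Service", "Federated"):
        raise ValueError("kind must be RAM, Service or Federated")
    statement = {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {kind: [value]}}
    if condition is None and kind == "Federated":
        # Pin the SAML recipient so only responses posted to the RAM SSO endpoint count.
        condition = {"StringEquals": {"saml:recipient": SAML_SSO_RECIPIENT}}
    if condition is not None:
        statement["Condition"] = condition
    return {"Statement": [statement], "Version": "1"}


def _listify(v):
    return v if isinstance(v, list) else [v]


def audit_trust_policy(policy, own_account):
    """Return (severity, message) findings for every Allow sts:AssumeRole statement.
    ERROR = malformed or wildcard, WARN = broader than a single user/role or an unpinned
    SAML trust, INFO = trust of another account (legitimate, but worth a second look)."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _listify(st.get("Action", []))):
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            findings.append(("ERROR", f"statement {idx}: Principal must be an object with RAM, Service or Federated"))
            continue
        for field, values in principal.items():
            for v in _listify(values):
                tag = f"statement {idx}: {field} {v!r}"
                if v == "*":
                    findings.append(("ERROR", f"{tag}: wildcard principal lets any caller assume the role"))
                elif field == "RAM":
                    m = RAM_ARN.match(v)
                    if not m:
                        findings.append(("ERROR", f"{tag}: not a RAM user, RAM role or root ARN"))
                        continue
                    if m["kind"] == "root":
                        findings.append(("WARN", f"{tag}: every authorized RAM user in account {m['account']} can assume the role"))
                    if m["account"] != own_account:
                        findings.append(("INFO", f"{tag}: cross-account trust of {m['account']}"))
                elif field == "Service":
                    if not SERVICE_NAME.match(v):
                        findings.append(("ERROR", f"{tag}: expected a service name such as ecs.aliyuncs.com"))
                elif field == "Federated":
                    if not SAML_ARN.match(v):
                        findings.append(("ERROR", f"{tag}: not a saml-provider ARN"))
                        continue
                    recipient = st.get("Condition", {}).get("StringEquals", {}).get("saml:recipient")
                    if recipient != SAML_SSO_RECIPIENT:
                        findings.append(("WARN", f"{tag}: saml:recipient is not pinned to {SAML_SSO_RECIPIENT}"))
                else:
                    findings.append(("ERROR", f"{tag}: unknown Principal field"))
    return findings


if __name__ == "__main__":
    own = "123456789012****"  # constructed placeholder for the current account
    for kind, value in [("RAM", f"acs:ram::{own}:root"),
                        ("RAM", f"acs:ram::{own}:user/testuser"),
                        ("Service", "ecs.aliyuncs.com"),
                        ("Federated", f"acs:ram::{own}:saml-provider/testprovider")]:
        policy = build_trust_policy(kind, value)
        print(json.dumps(policy, indent=2))  # this JSON is what you paste in the Edit Trust Policy dialog
        for sev, msg in audit_trust_policy(policy, own) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run the script and paste the printed JSON for the kind you need into the Edit Trust Policy dialog. The audit deliberately treats the account root trust as a warning rather than an error because the page presents it as a valid configuration; narrow it to a user or role ARN unless you really want every authorized user in that account to be able to assume the role.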
Additional considerations
The trust policy of a service-linked role cannot be changed, because the policy is defined by the linked service and trusts only that service. For more information about service-linked roles, see Service-linked roles.