Resource Access Management: Edit the trust policy of a RAM role

Last Updated: Feb 23, 2024

You can edit the trust policy that is attached to a Resource Access Management (RAM) role to change the trusted entity of the RAM role. This topic describes how to change the trusted entity of a RAM role to an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider (IdP).

Background information

When you create a RAM role, you can specify an Alibaba Cloud account, an Alibaba Cloud service, or an IdP as the trusted entity of the RAM role. In most cases, you do not need to change the trusted entity after you create a RAM role. If you need to change the trusted entity, you can use one of the methods described in this topic.

Warning

If you change the trusted entity in the trust policy of a RAM role, your workloads may be affected. Before you change the trusted entity, we recommend that you perform a test by using a test account.

Procedure

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the RAM role that you created.

  4. On the Trust Policy tab, click Edit Trust Policy.

  5. Modify the content of the trust policy and click Save trust policy document.

Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account

If the Principal element in a policy includes the RAM field, the trusted entity is an Alibaba Cloud account. A RAM role to which the policy is attached can be assumed by authorized RAM users and RAM roles of the trusted Alibaba Cloud account.

  • The RAM role can be assumed by all RAM users and RAM roles of the trusted Alibaba Cloud account.

    In the following policy, the RAM role can be assumed by all the RAM users and RAM roles of the Alibaba Cloud account whose ID is 123456789012****.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::123456789012****:root"
                    ]
                }
            }
        ],
        "Version": "1"
    }

  • The RAM role can be assumed only by a specific RAM user of the trusted Alibaba Cloud account.

    If you reconfigure the Principal element based on the following code, the RAM role can be assumed only by the RAM user named testuser of the Alibaba Cloud account whose ID is 123456789012****.

                "Principal": {
                    "RAM": [
                        "acs:ram::123456789012****:user/testuser"
                    ]
                }

    Note

    Before you edit the trust policy, make sure that a RAM user named testuser is created.

  • The RAM role can be assumed only by a specified RAM role of the trusted Alibaba Cloud account.

    If you reconfigure the Principal element based on the following code, the RAM role can be assumed only by the RAM role named testrole of the Alibaba Cloud account whose ID is 123456789012****.

                "Principal": {
                    "RAM": [
                        "acs:ram::123456789012****:role/testrole"
                    ]
                }

    Note

    Before you edit the trust policy, make sure that a RAM role named testrole is created.

Example 2: Change the trusted entity of a RAM role to an Alibaba Cloud service

If the Principal element in a policy includes the Service field, the trusted entity is an Alibaba Cloud service. A RAM role to which the policy is attached can be assumed by a trusted Alibaba Cloud service of the current Alibaba Cloud account.

In the following policy, the RAM role can be assumed by Elastic Compute Service (ECS) of the current Alibaba Cloud account.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

Note

You cannot change the trusted entity of a policy that is attached to a service-linked role because this policy is defined by the linked service. For more information, see Service-linked roles.

Example 3: Change the trusted entity of a RAM role to an IdP

If the Principal element includes the Federated field, the trusted entity is an IdP. The RAM role can be assumed by all users in the IdP.

In the following policy, the RAM role can be assumed by all users in the IdP named testprovider of the Alibaba Cloud account whose ID is 123456789012****.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "acs:ram::123456789012****:saml-provider/testprovider"
                ]
            },
            "Condition":{
                "StringEquals":{
                    "saml:recipient":"https://signin.alibabacloud.com/saml-role/sso"
                }
            }
        }
    ],
    "Version": "1"
}
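
The following Python sketch is an added example, not part of the original topic or of any Alibaba Cloud tooling. It reads a trust policy before you save it and lists each trusted entity across the three Principal fields shown above (RAM, Service, Federated). The function names, flag strings, and the second account ID are assumptions made for illustration, and the saml:recipient flag is a review heuristic modelled on Example 3, not a rule that RAM enforces.

```python
import json

def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def review_trust_policy(policy_text, own_account_id):
    """List every principal an Allow statement lets assume the role, with review flags."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        recipient = stmt.get("Condition", {}).get("StringEquals", {}).get("saml:recipient")
        for field, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                flags, account, resource = [], "", principal
                if field != "Service":
                    # ARN layout used on this page: acs:ram::<account-id>:<resource>
                    parts = principal.split(":", 4)
                    if len(parts) == 5 and parts[:3] == ["acs", "ram", ""]:
                        account, resource = parts[3], parts[4]
                    else:
                        flags.append("unrecognized-principal-format")
                if account and account != own_account_id:
                    flags.append("cross-account")
                if field == "RAM" and resource == "root":
                    flags.append("all-users-and-roles-of-account")
                if field == "Federated" and resource.startswith("saml-provider/") and not recipient:
                    flags.append("no-saml-recipient-condition")
                kind = {"RAM": "account", "Service": "service", "Federated": "idp"}.get(field, field)
                findings.append({"type": kind, "principal": principal, "flags": flags})
    return findings

# Constructed sample input: the page's masked account ID plus a made-up second account.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::123456789012****:user/testuser",
                               "acs:ram::999999999999EXAMPLE:root"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Federated": ["acs:ram::123456789012****:saml-provider/testprovider"]}},
    ],
})

if __name__ == "__main__":
    for f in review_trust_policy(SAMPLE_POLICY, "123456789012****"):
        print(f["type"], f["principal"], ",".join(f["flags"]) or "-")
```

Running the same function on the current policy and on the edited one shows which trusted entities the edit adds or removes.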