This topic describes how a Resource Access Management (RAM) user uses the RAM console or the API to assume a RAM role whose trusted entity is an Alibaba Cloud account.
Prerequisites
The following prerequisites must be met:
- A RAM user is created. For more information, see Create a RAM user.
- An AccessKey pair is created or a logon password is set for the RAM user.
- For more information about how to set a logon password, see Change the password for a RAM user.
- For more information about how to create an AccessKey pair, see Create an AccessKey pair for a RAM user.
- The RAM user is granted the required permissions. For more information, see Grant permissions to a RAM user.
  - You can attach the AliyunSTSAssumeRoleAccess system policy to the RAM user. This allows the RAM user to assume all RAM roles.
  - You can attach a custom policy to the RAM user that specifies the RAM role that the RAM user can assume. This is the least-privilege option and is preferred when the RAM user only needs one role. For more information, see FAQ about RAM roles and STS tokens.
Method 1: Use the RAM console
To assume a RAM role, a RAM user must log on to the RAM console and then switch the logon identity to the RAM role. The RAM user can log on to the console either with a password or by using role-based single sign-on (SSO).
Method 2: Use the API
An authorized RAM user can use an AccessKey pair to call the AssumeRole operation and obtain an STS token, which consists of a temporary AccessKey pair and a security token that expire after the requested duration. The RAM user can then use the STS token to access Alibaba Cloud resources with the permissions of the RAM role.
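As an added example that is not part of the original page, the following Python builds the least-privilege custom policy mentioned under Prerequisites and a signed AssumeRole request for Method 2 without an SDK, using the RPC-style HMAC-SHA1 signature method of the STS 2015-04-01 API. The AccessKey pair, account ID, role name and session name are constructed placeholders; the request URL is built but not sent, so the script runs offline.

```python
"""Least-privilege AssumeRole policy and a signed STS AssumeRole request.

Added example, not code from the Alibaba Cloud documentation. The signing
steps follow the public RPC-style HMAC-SHA1 signature method; every
credential, account ID and role name is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

STS_ENDPOINT = "https://sts.aliyuncs.com/"


def assume_role_policy(role_arn: str) -> str:
    """Custom RAM policy that lets a RAM user assume only one role.

    Attach this instead of AliyunSTSAssumeRoleAccess when the user needs a
    single role; the Resource scopes sts:AssumeRole to that role ARN.
    """
    policy = {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}
        ],
    }
    return json.dumps(policy, indent=2)


def percent_encode(value: str) -> str:
    """RFC 3986 encoding required by the signature method.

    quote() with safe="" leaves only A-Z a-z 0-9 _ . - ~ unencoded, so a
    space becomes %20, '*' becomes %2A and '/' becomes %2F.
    """
    return quote(str(value), safe="")


def canonicalized_query(params: dict) -> str:
    """Sort parameters by name and encode each name and value."""
    return "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )


def string_to_sign(method: str, params: dict) -> str:
    """METHOD&%2F&<encoded canonicalized query>; Signature itself is excluded."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query(params))}"


def sign(access_key_secret: str, sts: str) -> str:
    """Base64(HMAC-SHA1(secret + '&', string_to_sign))."""
    key = (access_key_secret + "&").encode()
    return base64.b64encode(hmac.new(key, sts.encode(), hashlib.sha1).digest()).decode()


def assume_role_params(access_key_id, role_arn, session_name, duration=3600,
                       *, timestamp=None, nonce=None) -> dict:
    """Unsigned AssumeRole parameters; timestamp/nonce are overridable for tests."""
    if duration < 900:
        # The service rejects sessions shorter than 900 s; the upper bound is
        # the role's maximum session duration, which is not checked here.
        raise ValueError("DurationSeconds must be at least 900")
    return {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        # A fresh nonce per request lets the service reject replays.
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "RoleArn": role_arn,
        # RoleSessionName is recorded in the audit trail: identify the caller.
        "RoleSessionName": session_name,
        "DurationSeconds": str(duration),
    }


def signed_assume_role_url(access_key_id, access_key_secret, role_arn,
                           session_name, **kw) -> str:
    """Full GET URL for AssumeRole with the Signature parameter appended."""
    params = assume_role_params(access_key_id, role_arn, session_name, **kw)
    params["Signature"] = sign(access_key_secret, string_to_sign("GET", params))
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())
    return STS_ENDPOINT + "?" + query


if __name__ == "__main__":
    # Constructed placeholders; the long-lived AccessKey pair is only used to
    # sign the request, the STS token in the response is what gets used later.
    role = "acs:ram::123456789012****:role/ecs-reader"
    print(assume_role_policy(role))
    print(signed_assume_role_url("LTAI5tEXAMPLE", "SECRETexample", role, "alice-ops"))
```

Sending the URL (for example with `requests.get`) returns JSON whose `Credentials` object carries `AccessKeyId`, `AccessKeySecret`, `SecurityToken` and `Expiration`; the temporary AccessKey pair must be used together with the SecurityToken, and the user's long-lived pair should not be handed to the workload.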
References
For information about how to log on to the console by using role-based SSO, see Overview of role-based SSO.