This topic describes how a RAM user uses the RAM console and API to assume a RAM role whose trusted entity is an Alibaba Cloud account.

Prerequisites

The following prerequisites must be met:

  1. A RAM user is created. For more information, see Create a RAM user.
  2. An AccessKey pair or logon password is set for the RAM user.
  3. The RAM user is granted the required permissions. For more information, see Grant permissions to a RAM user.
    • You can attach the AliyunSTSAssumeRoleAccess system policy to the RAM user. This allows the RAM user to assume all RAM roles.
    • You can attach a custom policy to the RAM user to specify the RAM role that the RAM user can assume. For more information, see FAQ about RAM roles and STS tokens.
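
One way to check which roles a policy lets a RAM user assume before you attach it, as an added example (not Alibaba Cloud's code). The policy documents are constructed samples, the account ID and role names are placeholders, and the check reads only Allow statements.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies; the account ID and role names are placeholders.
ALL_ROLES = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}"""
ONE_ROLE = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Resource": "acs:ram::1111111111111111:role/example-readonly"}]}"""
MIXED = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["ecs:Describe*", "sts:*"],
   "Resource": ["acs:ram::1111111111111111:role/*"]},
  {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}"""


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assumable_roles(policy_json):
    """Return (resources, findings) for Allow statements that grant sts:AssumeRole.

    A lint, not a policy evaluator: Deny statements and Condition blocks are ignored.
    """
    resources, findings = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns such as "sts:*" or "*" also cover sts:AssumeRole.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase("sts:assumerole", p) for p in patterns):
            continue
        for res in _as_list(stmt.get("Resource")):
            resources.append(res)
            if "*" in res:
                findings.append(f"{res}: wildcard, not limited to one named role")
            elif not (res.startswith("acs:ram::") and ":role/" in res):
                findings.append(f"{res}: not a RAM role ARN")
    return resources, findings


if __name__ == "__main__":
    for name, doc in (("ALL_ROLES", ALL_ROLES), ("ONE_ROLE", ONE_ROLE), ("MIXED", MIXED)):
        roles, issues = assumable_roles(doc)
        print(name, roles, issues or "scoped to named roles")
```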

Method 1: Use the RAM console

To assume a RAM role, a RAM user must first log on to the RAM console and then switch the logon identity to the RAM role. You can log on to the console directly or by using role-based single sign-on (SSO).

  1. Log on to the RAM console as a RAM user.
  2. Move the pointer over the profile picture in the upper-right corner of the console. Find and copy the value of the Current Alias field.
  3. Click Switch Role.
  4. On the Switch Role page, enter the alias that you copied in the previous step.
    Note: On the Switch Role page, you can also enter the default domain name in the Enterprise Alias / Default Domain Name field. For more information about the default domain name, see Manage the default domain name.
  5. In the Role Name field, enter the name of the RAM role.
  6. Click Switch.

    After the switch is completed, your logon identity changes to the RAM role and you have the permissions that are granted to the RAM role. You can view the RAM role and RAM user information when you move the pointer over the profile picture in the upper-right corner of the console.

    The maximum duration of the logon session is the smaller of the values of the Maximum Session Duration and Logon Session Valid For parameters. For more information, see Set the maximum session duration for a RAM role and Set security policies for RAM users.

Method 2: Use the API

An authorized RAM user can use an AccessKey pair to call the AssumeRole operation. This way, the RAM user obtains an STS token. Then, the RAM user can use the STS token to access Alibaba Cloud resources.

Note: If STS tokens that you obtain after assuming a RAM role are disclosed, you can disable all of the STS tokens. For more information, see FAQ about RAM roles and STS tokens.

References

For information about how to log on to the console by using role-based SSO, see Overview of role-based SSO.