This topic describes how to assume a RAM role by using a RAM user under a trusted Alibaba Cloud account.
- A RAM user is created. For information about how to create a RAM user, see Create a RAM user.
- An access key or a password is set for the RAM user.
- The system policy
AliyunSTSAssumeRoleAccessis attached to the RAM user. For information about how to grant permission to a RAM role, see Grant permission to a RAM role.
- Log on to the RAM console as a RAM user.
- Move the pointer over the account icon in the upper-right corner and click Switch Role.
- On the displayed Switch Role page, enter the enterprise alias or the default domain name in the Enterprise Alias/Default Domain Name filed and the RAM role name in the Role Name field. Then, click Switch.
- Click Switch Back to Logon User to switch back to your logon identity.
Note After you switch to the logon identity, you will obtain the original permissions and lose the permissions associated with the RAM role.
What to do next
A RAM user can also assume a RAM role by calling an API action. After being granted
AliyunSTSAssumeRoleAccess policy, a RAM user can use its access key to call the AssumeRole action of the Security Token Service (STS) to obtain the temporary security token
of a role. Then, the user uses the token to access Alibaba Cloud APIs.