If you want to bind, replace, and unbind an instance RAM role of a RAM user, you must use the Alibaba Cloud account to authorize the RAM user to use an instance RAM role. This operation can only be performed by an Alibaba Cloud account.

Background information

When you authorize a RAM user to use an instance RAM role, you must grant the RAM user the PassRole permission on the instance RAM role. Without the PassRole permission, the RAM user cannot exercise the permissions specified in role policies.


  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Users under Identities.
  3. In the User Logon Name/Display Name column, find the target RAM user.
  4. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  5. In the Authorization Policy Name column, select the desired policies by clicking the corresponding rows.
    The authorization policy is as follows. [ECS RAM Action] indicates permissions that can be granted to the RAM user. For more information, see Authentication rules.
        "Version": "1",
        "Statement": [
                "Effect": "Allow",
                "Action": [
                    "ecs: [ECS RAM Action]",
                    "ecs: CreateInstance",
                    "ecs: AttachInstanceRamRole",
                    "ecs: DetachInstanceRAMRole"
                "Resource": "*"
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "*"
    Note To remove a policy, select the policy from the right box and then click the × icon.
  6. Click OK.
  7. Click Finished.