Elastic Compute Service: Grant a RAM user the permissions to manage an instance RAM role

Last Updated: Mar 21, 2024

If you want to attach, replace, or detach an instance Resource Access Management (RAM) role by using a RAM user, you must use an Alibaba Cloud account to grant the RAM user the permissions to manage the instance RAM role. This operation is suitable for scenarios such as cross-account access, temporary privilege escalation, and access to specific elastic computing resources. This topic describes how to grant a RAM user the permissions to manage an instance RAM role in Alibaba Cloud.

Background information

When you authorize a RAM user to use an instance RAM role, you must grant the RAM user the PassRole permission on the RAM role.

Note

If the RAM user does not have the PassRole permission, the RAM user cannot use the permissions specified in the role policies.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. In the Select Policy section, click Create Policy.

    4. On the Create Policy page, click the JSON tab and create a custom policy as prompted.

      The following code describes the custom policy. [ECS RAM Action] indicates the permissions that can be granted to the RAM user. For more information, see Authorization rules.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:[ECS RAM Action]",
                      "ecs:CreateInstance",
                      "ecs:AttachInstanceRamRole",
                      "ecs:DetachInstanceRamRole"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "ram:PassRole",
                  "Resource": "*"
              }
          ]
      }

  5. Go back to the Add Permissions panel and click Custom Policy in the Select Policy section.

  6. In the Authorization Policy Name column, click the names of the policies that you want to attach to the RAM user.

    Note
    • You can attach up to five policies to a RAM user at a time. If you want to attach additional policies, perform the Add Permissions operation multiple times.

    • In the Selected section on the right, you can click × next to a policy to remove the policy.

  7. Click OK.

  8. Click Complete.
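
The custom policy in step 4 allows ram:PassRole on "Resource": "*", so the RAM user can pass any role to an instance. The following check is an added example, not part of the Alibaba Cloud documentation: it flags such statements in a policy document and pins PassRole-only statements to one role ARN. The account ID and role name are constructed placeholders, and the sample policy is the page's policy without the [ECS RAM Action] placeholder.

```python
import copy
from fnmatch import fnmatchcase

# Constructed sample: the page's policy without the [ECS RAM Action] placeholder.
PAGE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:CreateInstance", "ecs:AttachInstanceRamRole",
                    "ecs:DetachInstanceRamRole"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"},
    ],
}

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def allows_passrole(stmt):
    """True if an Allow statement covers ram:PassRole, directly or by wildcard."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("ram:passrole", a.lower())
               for a in as_list(stmt.get("Action", [])))

def is_unscoped(resource):
    """True if the resource is "*" or leaves the role name as a wildcard."""
    return "*" in resource.rsplit("role/", 1)[-1]

def find_unscoped_passrole(policy):
    """Indexes of statements that allow passing more than a named role."""
    return [i for i, s in enumerate(policy.get("Statement", []))
            if allows_passrole(s)
            and any(is_unscoped(r) for r in as_list(s.get("Resource", [])))]

def scope_passrole(policy, account_id, role_name):
    """Return a copy with PassRole-only statements pinned to one role ARN."""
    scoped = copy.deepcopy(policy)
    for i in find_unscoped_passrole(policy):
        stmt = scoped["Statement"][i]
        # Only rewrite statements whose sole action is ram:PassRole; a broader
        # statement (for example "ram:*") stays flagged for manual review.
        if [a.lower() for a in as_list(stmt["Action"])] == ["ram:passrole"]:
            stmt["Resource"] = f"acs:ram::{account_id}:role/{role_name}"
    return scoped

if __name__ == "__main__":
    print(find_unscoped_passrole(PAGE_POLICY))
    # Account ID and role name below are constructed placeholders.
    print(scope_passrole(PAGE_POLICY, "1234567890123456", "ecs-app-role"))
```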