A RAM role is an identity defined in Alibaba Cloud Resource Access Management (RAM). A RAM role is a virtual user that does not have a specific logon password or AccessKey pair. A RAM role can only be used after it is assumed by a trusted entity.

Note In this topic, the term role refers to a RAM role unless otherwise specified.

What is a RAM role?

A RAM role is a type of identity that represents a virtual user. RAM roles

Related concepts

The following figure shows the concepts related to RAM users.

Table 1. Concepts

ARN
  An Alibaba Cloud Resource Name (ARN) is the global resource identifier of a role. It is used to specify a role.
  • ARNs conform to Alibaba Cloud ARN naming conventions. For example, the ARN of a role under the Alibaba Cloud account 1234567890123456 is acs:ram::1234567890123456:role/samplerole, where samplerole is the role name.
  • After creating a role, you can click the role name and view its ARN in the Basic Information section.
Trusted entity
  A trusted entity is an entity user that is allowed to assume a role.
  • When creating a role, you must specify a trusted entity. A role can only be assumed by its trusted entity.
  • A trusted entity can be an Alibaba Cloud account or an Alibaba Cloud service.
Policy
  A role can have a set of policies attached. A role that has no policies attached can exist, but it cannot access any resources.
Role assumption
  Role assumption is the method by which entity users obtain the security token of a role. An entity user can call the AssumeRole operation to obtain the security token of a role, which allows the entity user to call API operations of other Alibaba Cloud services.
Identity switching
  Identity switching is the method by which entity users switch from their logon identity to a role identity in the RAM console.
  • After an entity user logs on to the RAM console, the entity user can switch to a role that the user is allowed to assume. The entity user can then use the role identity to manage Alibaba Cloud resources.
  • If the user no longer needs the role identity, the user can switch back to its logon identity.
Role token
  A role token is a temporary AccessKey pair for a role. A RAM role does not have a specific logon password or AccessKey pair. If an entity user wants to use a role, the entity user must assume the role to obtain the role token. Then, the entity user can use the role token to call API operations of other Alibaba Cloud services.

Instructions

RAM roles can only be used after they are assumed by trusted entities.
The following section describes the differences between RAM roles and textbook roles:
  • A RAM role represents a virtual user that has a fixed identity and can be granted a set of policies. However, a RAM role does not have a specific logon password or AccessKey pair.
  • A textbook role (or a traditionally defined role) indicates a permission set, similar to a policy in RAM. If a user assumes a textbook role, the user can obtain a set of permissions and access the authorized resources.
The following section describes the differences between virtual users and entity users:
  • Entity users include Alibaba Cloud accounts, RAM user accounts, and Alibaba Cloud services. Entity users have specific logon passwords or AccessKey pairs.
  • Virtual users do not have specific logon passwords and AccessKey pairs. RAM roles are an example of virtual users. After an entity user assumes a RAM role, the entity user can obtain the role token and use the token to access the authorized resources.

RAM role types

The following two types of roles are supported:

  • User roles: roles that RAM users can assume. The RAM users may belong to their own Alibaba Cloud accounts or other accounts. User roles provide cross-account resource access and temporary authorization.
  • Service roles: roles that Alibaba Cloud services can assume. Service roles are used to authorize Alibaba Cloud services to manage resources.

Create a RAM role

To create a RAM role in the RAM console, follow these steps:

  1. Select a role type.
  2. Select a trusted entity.
  3. Enter the role name.
  4. Attach a policy to the role.

Create a user role

  1. Log on to the RAM console.
  2. Choose Roles > Create Role.
  3. In the dialog box that appears, click User Role.
  4. Select a trusted Alibaba Cloud account. Click Next.
    • To create a role for RAM users under your Alibaba Cloud account, select Current Alibaba Cloud Account.
    • To create a role for RAM users under another Alibaba Cloud account, select Other Alibaba Cloud Account and enter the account ID.
  5. Enter a role name in the Role Name field. You can also enter a description in the Description field. Then, click Create.
    Note
    • After you create a RAM role, you can click Authorize to grant permission to the role. For more information, see Permission granting.
    • After creating a RAM role, you can click the role name in the Role Name column or click Manage in the Actions column to view the role details.

Create a service role

  1. Log on to the RAM console.
  2. Choose Roles > Create Role.
  3. In the dialog box that appears, click Service role. Available service roles include the following Alibaba Cloud services:
    • Media Transcoding Service (MTS): You can create a role, configure MTS as its trusted service, and use MTS to assume the role and access Object Storage Service (OSS) data when you set OSS buckets as the data sources for MTS tasks.
    • Archive Storage: You can create a role, configure Archive Storage as its trusted service, and use Archive Storage to assume the role and access OSS data when you set OSS buckets as the data sources for Archive Storage.
    • Log Service: You can create a role, configure Log Service as its trusted service, and use Log Service to assume the role and write data into OSS when you import Log Service-collected logs into OSS.
    • API Gateway: You can create a role, configure API Gateway as its trusted service, and use API Gateway to assume the role and use Function Compute when you set Function Compute as the backend service of API Gateway.
    • Elastic Compute Service (ECS): You can create a role and use this role to authorize ECS to access your resources of other Alibaba Cloud services.
    Note For more information about the trusted services, see the RAM console.
  4. Select a trusted Alibaba Cloud service.
  5. Enter a role name in the Role Name field. You can also enter a description in the Description field. Then, click Create.
    Note
    • After creating a RAM role, you can click Authorize to grant permission to the role. For more information, see Permission granting.
    • After creating a RAM role, you can click the role name in the Role Name column or click Manage in the Actions column to view the role details.

Use a RAM role

Service roles can only be assumed by trusted Alibaba Cloud services, and user roles can only be assumed by RAM users. Before a RAM user can assume a user role, complete the following steps:
  1. Create a RAM user, and create an AccessKey pair or set a password for the RAM user.
  2. Attach the AliyunSTSAssumeRoleAccess system policy to the RAM user.
Note To ensure account security, a trusted Alibaba Cloud account is not allowed to assume a role. Only RAM users under the Alibaba Cloud account can assume roles.

RAM users can assume roles by either using the RAM console or calling an API operation.

  • Use the console to assume a RAM role.

    If an entity user wants to assume a RAM role, the entity user must log on to the RAM console and perform the Switch Role operation.

    1. Log on to the RAM console as a RAM user.
    2. Move the pointer over the profile picture in the upper-right corner of the console, and click Switch Role.
    3. In the Switch Role dialog box that appears, enter the account alias and role name, and then click Switch.
      Note
      • After you switch roles, you operate in the console as the RAM role. Both the current identity (the RAM role) and the logon identity are displayed in the upper-right corner of the console.
      • After you switch roles, you can only perform operations that the role is authorized to perform. The permissions of your original identity are not available while you are using the role identity.
    4. Click Switch Back to Logon User to switch back to your logon identity.
      Note After you switch back to the logon identity, you will obtain the original permissions and lose the permissions associated with the role.
  • Call an API operation to assume a RAM role.

    After a RAM user is granted the AssumeRole permission, the RAM user can use the AccessKey pair to call the AssumeRole operation of STS to obtain a role token. Then, the RAM user can use the token to call API operations of other Alibaba Cloud services.

    For more information about how to call the AssumeRole operation, see AssumeRole.
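The checks this page describes, as an added example that is not Alibaba Cloud's code or SDK: a small offline model of the decisions STS makes when AssumeRole is called. It parses the role ARN format from the Related concepts table, refuses an Alibaba Cloud account itself, requires the caller to match the role's trusted entity (a trusted account's RAM user for a user role, the trusted service for a service role), requires a RAM user to hold AliyunSTSAssumeRoleAccess, and returns a time-limited role token. The account ID 1234567890123456 and the role name samplerole come from the page; every other account ID, user name, role name and the service name ecs.aliyuncs.com are constructed sample values, and the trust policy document layout is an assumption about the RAM console's format that this page does not state.

```python
"""Offline model of RAM role assumption (added example, not Alibaba Cloud code).

Reproduces the decisions this page attributes to STS AssumeRole: parse the
role ARN, refuse an Alibaba Cloud account, match the caller against the
role's trusted entity, require AliyunSTSAssumeRoleAccess for RAM users,
and issue a time-limited role token. Sample IDs and names are constructed.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Role ARN format from the page: acs:ram::<16-digit account ID>:role/<role name>
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>\d{16}):role/(?P<name>[A-Za-z0-9._-]+)$")


def parse_role_arn(arn: str) -> tuple:
    """Return (account_id, role_name); raise ValueError for a malformed ARN."""
    match = ROLE_ARN.match(arn)
    if match is None:
        raise ValueError(f"not a RAM role ARN: {arn!r}")
    return match.group("account"), match.group("name")


@dataclass(frozen=True)
class Caller:
    """An entity user: a RAM user, an Alibaba Cloud account, or a cloud service."""
    account_id: str
    kind: str                            # "ram-user", "account" or "service"
    name: str                            # RAM user name or service identifier
    policies: frozenset = frozenset()    # system policies attached to a RAM user


@dataclass(frozen=True)
class Role:
    arn: str
    trusted_account: Optional[str] = None   # user role: account whose RAM users may assume it
    trusted_service: Optional[str] = None   # service role: the trusted Alibaba Cloud service


@dataclass(frozen=True)
class RoleToken:
    """Temporary AccessKey pair plus security token, usable until `expiration`."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime
    role_arn: str


def trust_policy(role: Role) -> dict:
    """Trust policy the role carries. The layout is assumed from the RAM console
    (not stated on this page): a user role trusts an account's root ARN, a
    service role trusts a service name."""
    if role.trusted_service is not None:
        principal = {"Service": [role.trusted_service]}
    else:
        principal = {"RAM": [f"acs:ram::{role.trusted_account}:root"]}
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": principal}], "Version": "1"}


def assume_role(caller: Caller, role: Role, now: Optional[datetime] = None,
                duration_s: int = 3600) -> RoleToken:
    """Issue a role token, or raise PermissionError if the caller may not assume the role."""
    now = now or datetime.now(timezone.utc)
    _, role_name = parse_role_arn(role.arn)           # malformed ARN -> ValueError
    if caller.kind == "account":
        # Page note: an Alibaba Cloud account itself never assumes a role;
        # only RAM users under it (or trusted services) can.
        raise PermissionError("an Alibaba Cloud account cannot assume a role")
    if role.trusted_service is not None:              # service role
        if caller.kind != "service" or caller.name != role.trusted_service:
            raise PermissionError(f"{role_name} trusts only {role.trusted_service}")
    elif role.trusted_account is not None:            # user role
        if caller.kind != "ram-user" or caller.account_id != role.trusted_account:
            raise PermissionError(f"{role_name} trusts only RAM users of {role.trusted_account}")
        if "AliyunSTSAssumeRoleAccess" not in caller.policies:
            raise PermissionError(f"{caller.name} lacks the sts:AssumeRole permission")
    else:
        raise PermissionError(f"{role_name} has no trusted entity")
    return RoleToken(                                 # constructed credential strings
        access_key_id="STS." + secrets.token_hex(8),
        access_key_secret=secrets.token_urlsafe(24),
        security_token=secrets.token_urlsafe(48),
        expiration=now + timedelta(seconds=duration_s),
        role_arn=role.arn,
    )


def can_assume(caller: Caller, role: Role, now: Optional[datetime] = None) -> bool:
    """Boolean view of assume_role: False on a denial or a malformed ARN."""
    try:
        assume_role(caller, role, now)
        return True
    except (PermissionError, ValueError):
        return False


def token_is_valid(token: RoleToken, at: datetime) -> bool:
    """A role token is usable only until it expires; after that the role must be assumed again."""
    return at < token.expiration


# Constructed sample data (account 1234567890123456 and samplerole are the page's examples)
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=2)
SAMPLE_USER_ROLE = Role("acs:ram::1234567890123456:role/samplerole", trusted_account="1234567890123456")
SAMPLE_SERVICE_ROLE = Role("acs:ram::1234567890123456:role/ecs-oss-reader", trusted_service="ecs.aliyuncs.com")
DEV_USER = Caller("1234567890123456", "ram-user", "alice", frozenset({"AliyunSTSAssumeRoleAccess"}))
NO_POLICY_USER = Caller("1234567890123456", "ram-user", "bob")
OTHER_ACCOUNT_USER = Caller("6543210987654321", "ram-user", "carol", frozenset({"AliyunSTSAssumeRoleAccess"}))
ROOT_ACCOUNT = Caller("1234567890123456", "account", "root")
ECS_SERVICE = Caller("1234567890123456", "service", "ecs.aliyuncs.com")

if __name__ == "__main__":
    for who in (DEV_USER, NO_POLICY_USER, OTHER_ACCOUNT_USER, ROOT_ACCOUNT, ECS_SERVICE):
        print(f"{who.kind:8} {who.name:16} user role: {can_assume(who, SAMPLE_USER_ROLE)!s:5} "
              f"service role: {can_assume(who, SAMPLE_SERVICE_ROLE)}")
    token = assume_role(DEV_USER, SAMPLE_USER_ROLE, SAMPLE_NOW)
    print("token valid now:", token_is_valid(token, SAMPLE_NOW),
          "| two hours later:", token_is_valid(token, SAMPLE_LATER))
```

Running the file prints one line per sample caller; only the RAM user in the trusted account with AliyunSTSAssumeRoleAccess gets the user role, and only the ECS service identity gets the service role. The model also shows why the two-step preparation above matters: a RAM user in the trusted account is still denied until the AliyunSTSAssumeRoleAccess policy is attached, and the account itself is denied regardless.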

Scenarios of RAM roles