Roles

Last Updated: Nov 10, 2017

Like a RAM-User, a RAM-Role is also a type of RAM identity. Compared with RAM-User, a RAM-Role is a virtual user, that is, a RAM-Role has no identity credentials and has to be assumed by a trusted Alibaba Cloud account.

With this document, you can gain a better understanding of the RAM-Role, and know how to create and use a RAM-Role.

Note: Unless otherwise stated, the role in this document represents a RAM-Role.

Understanding RAM-Role

A RAM-Role is a virtual user (or shadow account). It is a type of RAM identity.

  • Virtual users vs. Real users

    The difference between a virtual user and a real user is that a real user identity can be directly authenticated.

    • A real user has a logon password or an AccessKey. For example, Alibaba Cloud accounts, RAM-User accounts, and cloud service accounts are real users.

    • However, a virtual user, such as a RAM-Role, does not have a fixed security credential (such as a logon password, an AccessKeys, or a MFA).

  • RAM-Role vs. Textbook-Role

    • A Textbook-Role (or a role as traditionally defined) indicates a set of permissions. It is similar to a policy in RAM. If a Textbook-Role is granted to a user, it means that the corresponding permissions are granted to the user.

    • A RAM-Role differs from a textbook role. As a type of virtual user, a RAM-Role has a fixed identity and can be granted policies.

      • When creating a RAM-Role, you must specify the Alibaba Cloud account which can assume the role.
      • And you must grant necessary permissions to the RAM-Role to make it useful.
  • RAM-Roles differ from normal RAM-Users in the way they are used

    RAM-Roles must be assumed by an authorized real user. After assuming a role, the real user receives a temporary security token (STS) for this RAM-Role. Then, the user can use this temporary security token to access the resources authorized for the role.

Usage notice

A RAM-Role must be associated with a real user identity so that it becomes available.

  • If a real user wants to use a RAM-Role that has been granted to the user, the real user must first log on using his identity and then perform the SwitchRole operation to switch from a real identity to a role identity. The user can then perform all operations authorized for this role identity, but the access permissions of the user’s real identity will not be available.

  • To switch from the role identity back to the real identity, the user must perform the Switch Back to Logon Identity operation. Then, the user can have the access permissions granted to his real identity, but not those of the role.

RAM-Roles are mainly used to address the identity federation needs, such as entrusting other Alibaba Cloud accounts and their RAM-Users to perform operations on your resources, and entrusting cloud service to perform operations on your resources.

Concepts

The following table lists several basic concepts related to RAM-Roles:

Concept Explanation
Role ARN A Role ARN is the global resource description of a role. It is used to specify a role.
  • RoleARNs follow Alibaba Cloud ARN naming rules. For example, the RoleARN for the devops role under an Alibaba Cloud account is: acs:ram::1234567890123456:role/devops.
  • After a RAM-Role is created, the role’s ARN is displayed on the Role Details page.
Trusted Actors A role’s trusted actors are the real user identities (the current Alibaba Cloud account or another Alibaba Cloud account) that can assume this role.
  • When creating a role, you must specify the trusted actors.
  • A role can only be assumed by trusted actors.
Policy A role can be attached with a set of permissions, that is, a policy.
Roles not attached with policies can exist, but cannot be used.
Assume Role By performing the assume role operation, A real user can obtain a security token for a role.
By calling the AssumeRole API, a real user obtains the role’s security token and can use this token to access cloud service APIs.
Switch Role By performing the switch role operation on the console, a real user can switch from the current logon identity to a role identity.
  • After a real user logs on to the console, the user can switch to a role for which he is a trusted actor. Then, the user can use the role identity to perform operations on cloud resources.
  • After switching to a role identity, the user can no longer use his real identity access permissions. When the user no longer needs to use a role, he can switch from the role back to the original logon identity.
Role Token A role token is a temporary AccessKey for the role identity.
Role identities do not have fixed AccessKeys, so when a real user wants to use a role, he must assume the role to obtain the corresponding role token. Then, the user can use this role token to call Alibaba Cloud service APIs.

Application scenarios of RAM-Roles

RAM-roles are mainly used for cross-account access and temporary authorization access.

Cross-account access

Using RAM-Roles, you can perform cross-account resource operations and authorization management.

Scenario

Assume that there are two enterprises, A and B. A has purchased multiple cloud resources and uses them to conduct its businesses.

Requirements Solutions
A wants to focus on its business systems, so it entrusts or grants cloud resource O&M, monitoring management, and other tasks to enterprise B. Alibaba Cloud account A creates a role in RAM and grants this role the necessary permissions. Then, it allows Alibaba Cloud account B to use this role.
Enterprise B further delegates O&M tasks to its employees. B needs to precisely control the operations its employees can perform on A’s cloud resources. If account B has employees (RAM-Users) who need to use this role, it can independently control their permissions. When performing O&M operations on behalf of A, account B’s RAM-users can use the role identity to perform operations on A’s resources.
If A and B terminate this O&M entrustment contract, A is able to revoke B’s permissions at will. If accounts A and B terminate their contract, A just needs to revoke B’s permission to use this role. Once account B’s permission to use this role is revoked, all RAM-Users of account B will automatically lose their permission to use this role.

Temporary authorization access

Using RAM-Roles, you can temporarily authorize a mobile app client to perform operations on the resources under your control.

Scenario

Assume that enterprise A has developed a mobile app and has bought OSS. The mobile app must upload and download data to and from OSS, but A does not want to allow all apps to use the AppServer to transmit data.

Because the mobile app runs on user devices, these devices are out of A’s control. For security reasons, A cannot save the AccessKey in the app.

Requirements Solutions
A wants to allow the app to directly upload and download data to and from OSS.
  • Alibaba Cloud account A creates a role in RAM and gives this role the necessary permissions. Then, it allows AppServer (giving it a RAM user identity) to use this role.
  • When the app needs to directly connect to OSS to upload and download data, AppServer can use this role to obtain the role’s temporary security token and send it to the app. The app can use the temporary security token to directly access OSS APIs.
A wants to minimize its security risks by, for example, giving each app an access token with only the minimum permissions it needs when directly connected to OSS and restricting the access duration to a short period of time (such as 30 minutes).
  • If more precise control of the permissions of each app is required, when using the role, the AppServer can further restrict the resource operation permissions of the temporary security token.
  • For example, when assuming the role, the AppServer can restrict that different app users can perform operations only on some subdirectories.

User roles

RAM supports User Roles.

  • Roles that can be assumed by RAM-Users are called user roles.

  • RAM-Users permitted to assume roles can belong to your Alibaba Cloud account or another Alibaba Cloud account.

  • User roles are used to solve problems such as cross-account access and temporary authorization access.

Create a User Role

Do the following:

  1. Log on to the RAM console.

  2. On the left navigation pane, click Roles.

  3. On the Role Management page, click Create Role.

  4. Select Role Type. Click User Role.

  5. Enter Type. Do one of the following and click Next.

    • If the role is to be used by the RAM-Users under your own account (such as authorizing a mobile app client to directly perform operations on OSS resources), select your Alibaba Cloud account as the trusted Alibaba Cloud account.

    • If the role is to be used by the RAM-Users under another Alibaba Cloud account (such as for cross-account resource authorization access), select an Alibaba Cloud account and enter its ID in the Trusted Alibaba Cloud account ID field, as shown in the following figure.

      create_role

  6. Configure Basic Information. Enter a Role Name (the description is optional) and click Create.

  7. After you have successfully created a role, you can click Authorize to grant permissions to the role or click Close to finish.

  8. Go back to the Role Management page and you can find the newly created role in the role list.

    • Click the corresponding Authorize in the Actions column to open the Edit Role Authorization Policy window, where you can grant necessary permissions to the role.

      authorize

      The role authorization method is similar to the normal RAM-User authorization method. For details, see Grant permissions.

    • Click the Role Name or the corresponding Manage in the Actions column to enter the Role Details page, where you can find the role’s Arn and can Edit Basic Information.

    • Click the corresponding Delete in the Actions column to delete the role.

Use a role

A RAM role can only be assumed by RAM users in the trusted Alibaba Cloud account. For security reasons, the trusted Alibaba Cloud accounts are not allowed to perform AssumeRole.

Therefore, you must use a trusted account to create a RAM-User account, and grant the AssumeRole permission to the RAM-User account. Then, you can assume the role by using this RAM-User identity. The procedures are as follows:

  1. Create a RAM-User and create an AccessKey or set a logon password for this user.

  2. Grant permissions to this RAM-User. The system authorization policy AliyunSTSAssumeRoleAccess is required.

Use a RAM-Role to access APIs

After a RAM-User is granted the AssumeRole permission, the user can use the AccessKey to call the STS AssumeRole API to obtain a temporary security token for this role.

For the AssumeRole API calling method, see STS API Documentation.

Use a RAM-Role to perform console operations

If a RAM-User needs to use the role identity to perform console operations, the RAM-User must first log on to the console with the logon identity, and then use the SwitchRole method. After that, the user can use the role identity to perform console operations.

For example, the RAM-User Alice under company2 (enterprise alias) logs on to the console, the user can move the mouse pointer to the account name on the upper-right corner and click Switch Role.

  • Alice needs to select the corresponding company alias and role name. For example, we assume that the user has been granted permission to assume the ‘ecs-admin’ role of company1 (enterprise alias).

  • After switching to the role, Alice can use the role identity to access the console.

Thank you! We've received your feedback.