Users can access the permitted resources on the console or from calling APIs after being authorized.
A RAM user can log on to the management console to perform resource operations.
The RAM user logon requires an independent logon URL (which can be viewed on the RAM console). Use the primary account enterprise alias, username, and password to log on to the console.
After successfully logging on, the user can perform operations on the authorized resources. If the user attempts to perform an operation that they do not have permission for, the error message “No operation permissions” is displayed.
If a RAM user is allowed to assume a role,
After logon, the user can use the Switch Role operation to switch from the current logon identity to a role identity. In this way, the user can use the permissions of the newly selected role to perform operations on resources.
If the user wants to switch back to the logon identity, the user can use the Return to Logon Identity operation. For more information about roles, see Roles.
An Application can call cloud service APIs to perform resource operations.
For the application that calls cloud service APIs to perform resource operations, you create a RAM user account for this application and grant it relevant permissions. Then, create an AccessKey for this RAM user, which is used by the application to call cloud service SDKs and APIs.
You can also perform cloud resource operations using a client tool.
Some cloud services provide easy-to-use client tools, for instance, aliyuncli. These tools allow the usage of RAM user AccessKeys to perform cloud resource operations.