After being authorized, RAM users can access the relevant resources through the console or APIs. RAM users can also switch identities after logging on to the console, or call the AssumeRole API to obtain the role token (STS) to act as a relevant role and operate related resources as the role.

RAM users operate resources in the console

RAM users log on to the console through an independent logon URL (which can be viewed in the RAM console) with account enterprise alias, username, and password. Then, RAM users can operate authorized resources. If RAM users attempt to operate an unauthorized resource, an error message indicating no operation permissions will be displayed.

If a RAM user is allowed to assume a role, the user can:

  • Perform the Switch Role operation to switch from the current logon identity to the role identity. Then, the user can use the role permissions to operate resources.
  • Perform the Return to Logon Identity operation to switch back to its logon identity. Then, the user can operate resources as its logon identity.

For more information about roles, see Role.

Applications operate resources by calling APIs

If your application need to call cloud service APIs, you need to create a RAM user account for the application and grant it relevant permissions. Then, create an AccessKey (AK), which can be used by the application to call cloud service SDKs or APIs.

RAM users operate resources by using a client tool

Some cloud services provide easy-to-use client tools for RAM users to use AKs to operate cloud resources.

The following uses OSS as an example. Assume that a RAM user is authorized to access a bucket. Then, you can use the OSS client tool ossbrowser to access the bucket.

The procedure is as follows:

  1. Open ossbrowser and set the account and password to the RAM user's AccessKeyId and AccessKeySecret, respectively.
  2. Click Authorized Bucket and click Add to add an authorized bucket. Then, you can operate the bucket.