Users can access resources through the management console or APIs after authorization.
The RAM user logon requires an independent logon URL (this can be viewed on the RAM console). Use the primary account enterprise alias, username and password to log on to the console. After successfully logging in, the user can perform operations on the authorized resources. If the user attempts to perform an operation that they do not have permission for, the error message “No operation permissions” is displayed.
If a RAM user is allowed to assume a role, after logon, the user can use the “Switch Role” operation to switch from the current logon identity to a role identity. In this way, the user can use the permissions of the newly selected role to perform operations on resources. If the user wants to switch back to the logon identity, the user can use the “Return to Logon Identity” operation. For more information about roles, refer to Roles.
For the application that calls cloud service APIs to perform resource operations, you need to create a RAM user account for this application and grant it relevant permissions. Then, create an access key for this RAM user, which is used by the application to call cloud service SDKs and APIs.
Some cloud services provide easy-to-use client tools, for instance, aliyuncli. These tools allow the usage of RAM user access keys to perform cloud resource operations.