CreateRole - API Reference (RAM)| Alibaba Cloud Documentation Center

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	CreateRole	The operation that you want to perform. Set the value to CreateRole.
RoleName	String	Yes	ECSAdmin	The name of the RAM role. The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), and hyphens (-).
AssumeRolePolicyDocument	String	Yes	{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}	The content of the policy that specifies one or more entities entrusted to assume the RAM role. A trusted entity can be an Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). Note RAM users cannot assume the RAM roles of trusted Alibaba Cloud services.
Description	String	No	ECS administrator	The description of the RAM role. The description must be 1 to 1,024 characters in length.
MaxSessionDuration	Long	No	3600	The maximum session duration of the RAM role. Valid values: 3600 to 43200. Unit: seconds. Default value: 3600. The default value is used if the parameter is not specified.

Examples of the AssumeRolePolicyDocument parameter

The following policy allows the RAM role to be assumed by all RAM users of the Alibaba Cloud account whose ID is 123456789012****.


{
"Statement": [
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::123456789012****:root"
    ]
  }
}
],
"Version": "1"
}

The following policy allows the RAM role to be assumed by the RAM user named testuser of the trusted Alibaba Cloud account whose ID is 123456789012****.

Note Before creating the RAM role, you must ensure that you have created a RAM user named testuser whose UPN is testuser@123456789012****.onaliyun.com.
```
{
"Statement": [
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::123456789012****:user/testuser"
    ]
  }
}
],
"Version": "1"
}
					
```

The following policy allows the RAM role to be assumed by the Elastic Compute Service (ECS) service of the current Alibaba cloud account.


{
"Statement": [
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "ecs.aliyuncs.com"
    ]
  }
}
],
"Version": "1"
}

The following policy allows the RAM role to be assumed by all users of the IdP named testprovider. The IdP is configured under the Alibaba Cloud account whose ID is 123456789012****.


{

    "Statement": [

        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "acs:ram::123456789012****:saml-provider/testprovider"
                ]
            },
            "Condition":{
                "StringEquals":{
                    "saml:recipient":"https://signin.aliyun.com/saml-role/sso"
                }
            }
        }
    ],
    "Version": "1"
}

Response parameters


Parameter	Type	Example	Description
RequestId	String	04F0F334-1335-436C-A1D7-6C044FE73368	The ID of the request.
Role	Struct		The information of the RAM role.
Arn	String	acs:ram::123456789012****:role/ECSAdmin	The Alibaba Cloud Resource Name (ARN) of the RAM role.
AssumeRolePolicyDocument	String	{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }	The content of the policy that specifies one or more entities entrusted to assume the RAM role.
CreateDate	String	2015-01-23T12:33:18Z	The time when the RAM role was created.
Description	String	ECS administrator	The description of the RAM role.
MaxSessionDuration	Long	3600	The maximum session duration of the RAM role.
RoleId	String	901234567890****	The ID of the RAM role.
RoleName	String	ECSAdmin	The name of the RAM role.

Examples

Sample requests

https://ram.aliyuncs.com/?Action=CreateRole
&RoleName=ECSAdmin
&AssumeRolePolicyDocument={"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}
&Description=ECS administrator
&<Common request parameters>

Sample success responses

XML format

<CreateRoleResponse>
      <RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
      <Role>
            <RoleId>901234567890****</RoleId>
            <RoleName>ECSAdmin</RoleName>
            <Arn>acs:ram::123456789012****:role/ECSAdmin</Arn>
            <Description>ECS administrator</Description>
            <MaxSessionDuration>3600</MaxSessionDuration>
            <AssumeRolePolicyDocument>{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }</AssumeRolePolicyDocument>
            <CreateDate>2015-01-23T12:33:18Z</CreateDate>
      </Role>
</CreateRoleResponse>

JSON format

{
    "RequestId": "04F0F334-1335-436C-A1D7-6C044FE73368",
    "Role": {
        "RoleId": "901234567890****",
        "RoleName": "ECSAdmin",
        "Arn": "acs:ram::123456789012****:role/ECSAdmin",
        "Description": "ECS administrator",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": "{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012****:root\" } } ], \"Version\": \"1\" }",
        "CreateDate": "2015-01-23T12:33:18Z"
    }
}

Error codes

For a list of error codes, visit the API Error Center.