Creates a RAM role.

Debug

Use OpenAPI Explorer to perform debug operations and generate SDK code examples.

Request parameters

Parameter Type Required? Example value Description
Action String Yes CreateRole

The name of this action.

Value: CreateRole

RoleName String Yes ECSAdmin

The RAM role name. It must be 1 to 64 characters in length.

Pattern: ^[a-zA-Z0-9\.@\-]+$

AssumeRolePolicyDocument String Yes {"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"} The policy text that specifies one or more entities entrusted to assume the RAM role. The entrusted entity can be an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider (IdP).
Description String Yes ECS administrator The RAM role description. It must be 1 to 1,024 characters in length.

Example of AssumeRolePolicyDocument

  • The following policy allows the RAM role to be assumed by RAM users under the entrusted Alibaba Cloud account (ID: 123456789012****):
    {
    "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::123456789012****:root"
        ]
      }
    }
    ],
    "Version": "1"
    }
  • The following policy allows the RAM role to be assumed by the RAM user (testuser) under the entrusted Alibaba Cloud account (ID: 123456789012****):
    {
    "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::123456789012****:user/testuser"
        ]
      }
    }
    ],
    "Version": "1"
    }
  • The following policy allows the RAM role to be assumed by ECS under the current Alibaba Cloud account:
    {
    "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
    ],
    "Version": "1"
    }
    Note After the RAM role is assumed by ECS, you can specify to use this role when you create an instance. The STS token of role to be assumed is then obtained when you start the instance.
  • The following policy allows the RAM role to be assumed by users under the IdP (testprovider) in the current Alibaba Cloud account (ID: 123456789012****):
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Federated": [
                        "acs:ram::123456789012****:saml-provider/testprovider"
                    ]
                },
                "Condition":{
                    "StringEquals":{
                        "saml:recipient":"https://signin.aliyun.com/saml-role/sso"
                    }
                }
            }
        ],
        "Version": "1"
    }

Response parameters

Parameter Type Example value Description
RequestId String 04F0F334-1335-436C-A1D7-6C044FE73368 The request ID.
Role N/A N/A The information about the RAM role.
Arn String acs:ram::123456789012****:role/ECSAdmin The Alibaba Cloud Resource Name (ARN) of the RAM role.
AssumeRolePolicyDocument String { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" } The policy that specifies the entity entrusted to assume the RAM role.
CreateDate String 2015-01-23T12:33:18Z The date and time when the RAM role was created.
Description String ECS administrator The description of the RAM role.
RoleId String 901234567890**** The ID of the RAM role.
RoleName String ECSAdmin The name of the RAM role.

Example

Request example

https://ram.aliyuncs.com/?Action=CreateRole
&RoleName=ECSAdmin
&AssumeRolePolicyDocument={"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}
&Description=ECS administrator
&<Common parameters>

Response example

XML format

<CreateRoleResponse>
  <RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
  <Role>
    <RoleId>901234567890****</RoleId>
    <RoleName>ECSAdmin</RoleName>
    <Arn>acs:ram::123456789012****:role/ECSAdmin</Arn>
    <Description>ECS administrator</Description>
    <AssumeRolePolicyDocument>{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }</AssumeRolePolicyDocument>
    <CreateDate>2015-01-23T12:33:18Z</CreateDate>
  </Role>
</CreateRoleResponse>

JSON format

{
    "RequestId":"04F0F334-1335-436C-A1D7-6C044FE73368",
    "Role":{
        "RoleName":"ECSAdmin",
        "Description":"ECS administrator",
        "AssumeRolePolicyDocument":"{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012****:root\" } } ], \"Version\": \"1\" }",
        "Arn":"acs:ram::123456789012****:role/ECSAdmin",
        "CreateDate":"2015-01-23T12:33:18Z",
        "RoleId":"901234567890****"
    }
}

Errors

For a list of error codes, visit the API Error Center.