Creates a RAM role.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateRole

The operation that you want to perform. Set the value to CreateRole.

RoleName String Yes ECSAdmin

The name of the RAM role.

The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), and hyphens (-).

AssumeRolePolicyDocument String Yes {"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}

The content of the policy that specifies one or more entities entrusted to assume the RAM role. A trusted entity can be an Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP).

Note: RAM users cannot assume the RAM roles of trusted Alibaba Cloud services.

Description String No ECS administrator

The description of the RAM role.

The description must be 1 to 1,024 characters in length.

MaxSessionDuration Long No 3600

The maximum session duration of the RAM role.

Valid values: 3600 to 43200. Unit: seconds. Default value: 3600.

The default value is used if the parameter is not specified.

Examples of the AssumeRolePolicyDocument parameter
  • The following policy allows the RAM role to be assumed by all RAM users of the Alibaba Cloud account whose ID is 123456789012****.
    
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "RAM": [
              "acs:ram::123456789012****:root"
            ]
          }
        }
      ],
      "Version": "1"
    }

  • The following policy allows the RAM role to be assumed by the RAM user named testuser of the trusted Alibaba Cloud account whose ID is 123456789012****.
    Note: Before you create the RAM role, make sure that you have created a RAM user named testuser whose UPN is testuser@123456789012****.onaliyun.com.
    
    
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "RAM": [
              "acs:ram::123456789012****:user/testuser"
            ]
          }
        }
      ],
      "Version": "1"
    }

  • The following policy allows the RAM role to be assumed by the Elastic Compute Service (ECS) service of the current Alibaba Cloud account.
    
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ecs.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

  • The following policy allows the RAM role to be assumed by all users of the IdP named testprovider. The IdP is configured under the Alibaba Cloud account whose ID is 123456789012****.
    
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "acs:ram::123456789012****:saml-provider/testprovider"
            ]
          },
          "Condition": {
            "StringEquals": {
              "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
            }
          }
        }
      ],
      "Version": "1"
    }
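
The following pre-flight check is an added example, not part of the original reference or of any Alibaba Cloud SDK. It applies the parameter constraints from the table above to a planned CreateRole request and labels each trusted entity in the policy, so that an account-wide `root` principal is visible before the role is created. The function names and labels are hypothetical, and "letters" in RoleName is assumed to mean ASCII letters.

```python
import json
import re

# RoleName constraint from the request parameter table (ASCII letters assumed).
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,64}")


def classify(kind, value):
    """Label one Principal entry by who it lets assume the role (labels are hypothetical)."""
    if kind == "Service":
        return "service"
    if kind == "Federated":
        return "idp"
    resource = value.rsplit(":", 1)[-1]  # part after the account ID
    if resource == "root":
        return "account-wide"  # all RAM users of that account
    if resource.startswith("user/"):
        return "single-user"
    return "unknown"


def check_create_role(role_name, policy_json, description=None, max_session=3600):
    """Return (errors, principals) for a planned CreateRole request."""
    errors, principals = [], []
    if not ROLE_NAME_RE.fullmatch(role_name):
        errors.append("RoleName: 1-64 letters, digits, periods, hyphens")
    if description is not None and not 1 <= len(description) <= 1024:
        errors.append("Description: 1-1024 characters")
    if not 3600 <= max_session <= 43200:
        errors.append("MaxSessionDuration: 3600-43200 seconds")
    try:
        for stmt in json.loads(policy_json)["Statement"]:
            for kind, values in stmt.get("Principal", {}).items():
                # The page shows both a bare string and a list of strings.
                for value in [values] if isinstance(values, str) else values:
                    principals.append((classify(kind, value), value))
    except (ValueError, KeyError, TypeError, AttributeError):
        errors.append("AssumeRolePolicyDocument: not a JSON policy")
    return errors, principals


# Constructed sample input, modeled on the first and third policies above.
SAMPLE = json.dumps({"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::123456789012****:root"]}},
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["ecs.aliyuncs.com"]}}]})

if __name__ == "__main__":
    print(check_create_role("ECSAdmin", SAMPLE, "ECS administrator"))
```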
    					

Response parameters

Parameter Type Example Description
RequestId String 04F0F334-1335-436C-A1D7-6C044FE73368

The ID of the request.

Role Struct

The information of the RAM role.

Arn String acs:ram::123456789012****:role/ECSAdmin

The Alibaba Cloud Resource Name (ARN) of the RAM role.

AssumeRolePolicyDocument String { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }

The content of the policy that specifies one or more entities entrusted to assume the RAM role.

CreateDate String 2015-01-23T12:33:18Z

The time when the RAM role was created.

Description String ECS administrator

The description of the RAM role.

MaxSessionDuration Long 3600

The maximum session duration of the RAM role.

RoleId String 901234567890****

The ID of the RAM role.

RoleName String ECSAdmin

The name of the RAM role.

Examples

Sample requests

https://ram.aliyuncs.com/?Action=CreateRole
&RoleName=ECSAdmin
&AssumeRolePolicyDocument={"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}
&Description=ECS administrator
&<Common request parameters>

Sample success responses

XML format

<CreateRoleResponse>
      <RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
      <Role>
            <RoleId>901234567890****</RoleId>
            <RoleName>ECSAdmin</RoleName>
            <Arn>acs:ram::123456789012****:role/ECSAdmin</Arn>
            <Description>ECS administrator</Description>
            <MaxSessionDuration>3600</MaxSessionDuration>
            <AssumeRolePolicyDocument>{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }</AssumeRolePolicyDocument>
            <CreateDate>2015-01-23T12:33:18Z</CreateDate>
      </Role>
</CreateRoleResponse>

JSON format

{
    "RequestId": "04F0F334-1335-436C-A1D7-6C044FE73368",
    "Role": {
        "RoleId": "901234567890****",
        "RoleName": "ECSAdmin",
        "Arn": "acs:ram::123456789012****:role/ECSAdmin",
        "Description": "ECS administrator",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": "{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012****:root\" } } ], \"Version\": \"1\" }",
        "CreateDate": "2015-01-23T12:33:18Z"
    }
}

Error codes

For a list of error codes, visit the API Error Center.