You can call this operation to create a RAM role.
Debugging
OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | CreateRole |
The operation that you want to perform. Set this parameter to CreateRole. |
| RoleName | String | Yes | ECSAdmin |
The name of the RAM role. The specified name can be up to 64 characters in length. Format: |
| AssumeRolePolicyDocument | String | Yes | {"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"} |
The policy text that specifies one or more entities entrusted to assume the RAM role. The trusted entity can be an Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). Note RAM users cannot assume the RAM roles of the trusted Alibaba Cloud service.
|
| Description | String | No | The RAM role is used to manage ECS instances. |
The description of the RAM role. The description can be up to 1,024 characters in length. |
Example value of the AssumeRolePolicyDocument parameter
- The following policy allows the RAM role to be assumed by RAM users under the trusted
Alibaba Cloud account whose ID is 123456789012****.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::123456789012****:root" ] } } ], "Version": "1" } - The following policy allows the RAM role to be assumed by the RAM user named testuser
under the trusted Alibaba Cloud account whose ID is 123456789012****.
Note To create the RAM role, you must ensure that you have created the RAM user testuser whose UPN is testuser@123456789012****.onaliyun.com.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::123456789012****:user/testuser" ] } } ], "Version": "1" } - The following policy allows the RAM role to be assumed by the ECS service under the
current Alibaba Cloud account.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "ecs.aliyuncs.com" ] } } ], "Version": "1" } - The following policy allows the RAM role to be assumed by users under the IdP named
testprovider for the current Alibaba Cloud account whose ID is 123456789012****.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Federated": [ "acs:ram::123456789012****:saml-provider/testprovider" ] }, "Condition":{ "StringEquals":{ "saml:recipient":"https://signin.aliyun.com/saml-role/sso" } } } ], "Version": "1" }
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| RequestId | String | 04F0F334-1335-436C-A1D7-6C044FE73368 |
The ID of the request. |
| Role | N/A | N/A |
The information about the RAM role. |
| Arn | String | acs:ram::123456789012****:role/ECSAdmin |
The Alibaba Cloud Resource Name (ARN) of the RAM role. |
| AssumeRolePolicyDocument | String | { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" } |
The policy that specifies the trusted entity to assume the RAM role. |
| CreateDate | String | 2015-01-23T12:33:18Z |
The time when the RAM role was created. |
| Description | String | The RAM role is used to manage ECS instances. |
The description of the RAM role. |
| RoleId | String | 901234567890**** |
The ID of the RAM role. |
| RoleName | String | ECSAdmin |
The name of the RAM role. |
Examples
Sample requests
https://ram.aliyuncs.com/?Action=CreateRole
&RoleName=ECSAdmin
&AssumeRolePolicyDocument={"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}
&Description=The RAM role is used to manage ECS instances.
&<Common request parameters>Sample success responses
XML format
<CreateRoleResponse>
<RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
<Role>
<RoleId>901234567890****</RoleId>
<RoleName>ECSAdmin</RoleName>
<Arn>acs:ram::123456789012****:role/ECSAdmin</Arn>
<Description>The RAM role is used to manage ECS instances.</Description>
<AssumeRolePolicyDocument>{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }</AssumeRolePolicyDocument>
<CreateDate>2015-01-23T12:33:18Z</CreateDate>
</Role>
</CreateRoleResponse>JSON format
{
"RequestId":"04F0F334-1335-436C-A1D7-6C044FE73368",
"Role":{
"RoleName":"ECSAdmin",
"Description":"The RAM role is used to manage ECS instances.",
"AssumeRolePolicyDocument":"{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012****:root\" } } ], \"Version\": \"1\" }",
"Arn":"acs:ram::123456789012****:role/ECSAdmin",
"CreateDate":"2015-01-23T12:33:18Z",
"RoleId":"901234567890****"
}
}Error codes
For more information about error codes, see API Error Center.