
What is the RAM role of an instance

Last Updated: Nov 29, 2017

Instance RAM (Resource Access Management) roles grant role-based permissions to ECS instances.

You can assign a RAM role to an ECS instance to allow applications hosted on that instance to access other cloud services by using a temporary STS (Security Token Service) credential. This feature guarantees the security of your AccessKey and lets you use the fine-grained access control that RAM provides.

Background

Typically, the applications within an ECS instance use the AccessKey of the user account or RAM user account, which consists of an AccessKeyID and an AccessKeySecret, to access various cloud services on the Alibaba Cloud platform.

However, if the AccessKey is written into the instance so that applications can make calls, for example in configuration files, the exposed AccessKey leads to problems such as excessive permissions, data breaches, and maintenance complexity. Alibaba Cloud designed the instance RAM role to solve these problems.

Benefits

The instance RAM role enables you to:

  • Associate a RAM role with an ECS instance.

  • Access other cloud services securely, such as OSS, SLB, or ApsaraDB for RDS, by using the STS credential from the applications within the ECS instance.

  • Assign roles that have different policies to different ECS instances, so that each instance has restricted access to other cloud services and you obtain fine-grained access control.

  • Maintain the access permissions of the ECS instances efficiently by modifying only the policy of the RAM role, without manually changing the AccessKey.
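
Added example (not from the original page and not Alibaba Cloud's own code): how an application on the instance can hold the role's temporary STS credential in memory and refresh it before it expires, instead of reading an AccessKey from a configuration file. The metadata endpoint and response fields are not stated on this page and are assumptions here, as are the five-minute refresh margin and the role name; the sample response is constructed.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption (not on this page): ECS metadata endpoint that serves the role's STS credential.
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=5)  # assumed margin: refresh before the token expires
REQUIRED = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")

# Constructed sample response; every value is a placeholder, not a real credential.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "STS.EXAMPLEKEYID", "AccessKeySecret": "EXAMPLESECRET",
    "SecurityToken": "EXAMPLETOKEN", "Expiration": "2017-11-29T12:00:00Z",
    "LastUpdated": "2017-11-29T06:00:00Z", "Code": "Success",
})


def parse_credential(body):
    """Validate a metadata response and return the temporary credential."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service did not return a credential")
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        raise ValueError("credential is missing fields: " + ", ".join(missing))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {**{k: doc[k] for k in REQUIRED[:3]}, "expires": expires.replace(tzinfo=timezone.utc)}


def needs_refresh(cred, now):
    """True when there is no credential yet or it is inside the refresh margin."""
    return cred is None or now >= cred["expires"] - REFRESH_MARGIN


class RoleCredentialCache:
    """Keeps the credential in memory only; nothing is written to disk or config."""

    def __init__(self, role_name, fetch=None):
        self._fetch = fetch or (lambda: self._from_metadata(role_name))
        self._cred = None

    @staticmethod
    def _from_metadata(role_name):
        with urllib.request.urlopen(METADATA_URL + role_name, timeout=2) as resp:
            return resp.read().decode("utf-8")

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if needs_refresh(self._cred, now):
            self._cred = parse_credential(self._fetch())
        return self._cred
```

On an instance with a role attached, RoleCredentialCache("ExampleRole").get() returns the current credential; the optional fetch argument lets the refresh logic be exercised offline.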

Free of charge

ECS does not charge an additional fee for the instance RAM role feature.

Limits

The instance RAM role has the following limits:

  • The instance RAM role is only applicable to VPC instances.

  • One ECS instance can be authorized with only one instance RAM role.

How to use an instance RAM role

The instance RAM role can be used by any of the following methods:
