This topic describes how to assign a Resource Access Management (RAM) role to a trusted entity. You can grant a RAM role the permissions to access Log Service and assign the role to a trusted entity. This allows the trusted entity to manage Log Service resources. To do so, you must use your Alibaba Cloud account to create a RAM role, grant permissions to the RAM role, and then grant the AssumeRole permission to a RAM user of the trusted Alibaba Cloud account. The RAM user can then assume the role and receive a Security Token Service (STS) token for the role.
Background information
RAM roles and RAM users are identities that are managed in RAM. A RAM role is a virtual identity that does not have any credentials, such as a password or an AccessKey pair. You can assign the RAM role to a trusted entity, such as an Alibaba Cloud account, RAM user, or Alibaba Cloud service. After the trusted entity receives an STS token for the RAM role, the trusted entity can use the STS token to access the resources that the RAM role is authorized to use.
Step 1: Create a RAM role and specify an Alibaba Cloud account for the RAM role
Step 2: Grant permissions to the RAM role
After you create a RAM role, the RAM role does not have permissions on Alibaba Cloud resources. You must grant the RAM role the permissions to manage Log Service resources. The Alibaba Cloud account that is specified in the previous step can assume the RAM role and manage Log Service resources.
You can attach one or more policies to a RAM role. The policies include system policies and custom policies. To grant full access permissions on Log Service to a RAM role, perform the following steps:
- In the left-side navigation pane, click RAM Roles.
- On the RAM Roles page, find the RAM role, and click Add Permissions in the Actions column.
- In the Add Permissions pane, click System Policy, select the AliyunLogFullAccess policy, and then click OK.
- Confirm the authorization result, and then click Complete.
Step 3: Assign the RAM role to a RAM user of the specified Alibaba Cloud account
To use a RAM role, a RAM user must first assume the RAM role. This allows the RAM user to manage resources that the RAM role is authorized to use.
The specified Alibaba Cloud account must attach the AssumeRole policy to a RAM user of the account. Then, the RAM user can call the AssumeRole operation and assume the RAM role that is created in Step 1: Create a RAM role and specify an Alibaba Cloud account for the RAM role.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user, and then click Add Permissions in the Actions column.
- In the Add Permissions pane, click System Policy, select the AliyunSTSAssumeRoleAccess policy, and then click OK.
- Confirm the authorization result, and then click Complete.
Step 4: Obtain an STS token for the RAM role
After a RAM user is granted the AssumeRole permission, the RAM user calls the AssumeRole operation to obtain a temporary STS token for the RAM role that is created in Step 1: Create a RAM role and specify an Alibaba Cloud account for the RAM role.
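The following Python script is an added example, not Alibaba Cloud's own code or SDK. It ties Steps 1 through 4 together: it builds the trust policy that makes an Alibaba Cloud account the trusted entity of the role (Step 1), shows what the AliyunSTSAssumeRoleAccess system policy from Step 3 actually grants (sts:AssumeRole on Resource "*", that is, on every role whose trust policy admits the account) next to a custom policy scoped to the one role ARN, checks which roles each policy lets the RAM user assume, and finally extracts the temporary credentials and remaining lifetime from an AssumeRole response (Step 4). The account ID, role name, and all credential values are constructed placeholders; the response dictionary is constructed in the documented shape rather than fetched from STS.

```python
"""Added example (not Alibaba Cloud's code): policy documents behind Steps 1-3
and handling of the STS credentials returned in Step 4. All IDs, names and
credential values are constructed placeholders."""
import json
from datetime import datetime, timezone

TRUSTED_ACCOUNT_ID = "123456789012345678"   # constructed account ID
ROLE_NAME = "log-service-operator"           # assumed role name
ROLE_ARN = f"acs:ram::{TRUSTED_ACCOUNT_ID}:role/{ROLE_NAME}"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"              # format STS uses for Expiration


def trust_policy(account_id: str) -> dict:
    """Step 1: trust policy that lets identities of `account_id` call
    sts:AssumeRole on this role (RAM trust-policy document format)."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{account_id}:root"]},
        }],
        "Version": "1",
    }


# Step 3 as the page describes it: the AliyunSTSAssumeRoleAccess system policy
# allows sts:AssumeRole on Resource "*", i.e. on any role that trusts the account.
ALIYUN_STS_ASSUME_ROLE_ACCESS = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}


def scoped_assume_role_policy(role_arn: str) -> dict:
    """Least-privilege alternative to the system policy: a custom policy that
    only permits assuming the single role created in Step 1."""
    return {
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": role_arn}],
        "Version": "1",
    }


def policy_allows_assume(policy: dict, role_arn: str) -> bool:
    """Minimal evaluator: does some Allow statement grant sts:AssumeRole on
    role_arn? Handles the literal action and '*' or exact-ARN resources only."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if "sts:AssumeRole" in actions and any(r in ("*", role_arn) for r in resources):
            return True
    return False


def parse_sts_credentials(response: dict, now_utc: str):
    """Step 4: pull the temporary credentials out of an AssumeRole response and
    return (credentials, seconds_until_expiry). All three fields must be sent
    together with each request; after Expiration the token is rejected."""
    creds = response["Credentials"]
    expires = datetime.strptime(creds["Expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_utc, TIME_FMT).replace(tzinfo=timezone.utc)
    remaining = int((expires - now).total_seconds())
    return {k: creds[k] for k in ("AccessKeyId", "AccessKeySecret", "SecurityToken")}, remaining


# Constructed AssumeRole response in the documented shape (all values fake).
SAMPLE_RESPONSE = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {"Arn": f"{ROLE_ARN}/log-session",
                        "AssumedRoleId": "000000000000000000:log-session"},
    "Credentials": {
        "AccessKeyId": "STS.constructed-key-id",
        "AccessKeySecret": "constructed-secret",
        "SecurityToken": "constructed-token",
        "Expiration": "2024-01-01T01:00:00Z",
    },
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(TRUSTED_ACCOUNT_ID), indent=2))
    other_role = f"acs:ram::{TRUSTED_ACCOUNT_ID}:role/unrelated-role"
    print("system policy covers unrelated role:",
          policy_allows_assume(ALIYUN_STS_ASSUME_ROLE_ACCESS, other_role))
    print("scoped policy covers unrelated role:",
          policy_allows_assume(scoped_assume_role_policy(ROLE_ARN), other_role))
    creds, ttl = parse_sts_credentials(SAMPLE_RESPONSE, "2024-01-01T00:00:00Z")
    print("token valid for", ttl, "seconds; fields:", sorted(creds))
```

If the RAM user only ever needs the Log Service role, attaching the scoped custom policy instead of AliyunSTSAssumeRoleAccess keeps that user from assuming any other role the account happens to trust; the trust policy on the role side and the AssumeRole policy on the user side must both allow the call.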