This topic describes how to create, authorize, and bind an instance RAM role in the RAM and ECS consoles.

Prerequisites

  • The RAM service is activated. For more information, see Activate RAM.
  • The network type of the ECS instance to which you want to bind a RAM role is VPC.
  • If you use a RAM user to perform the operations in this topic, the RAM user is authorized to use the instance RAM role. For more information, see Authorize a RAM user to use an instance RAM role.

Background information

  • Only one RAM role can be bound to an ECS instance at a time.
  • If you want to access the APIs of other Alibaba Cloud services from applications within an ECS instance that is bound with an instance RAM role, you must obtain a temporary authorization token for the instance RAM role by using the instance metadata. For more information, see Obtain a temporary authorization token.

Procedure

An Alibaba Cloud account is used in the following example to create an instance RAM role in the RAM console and bind the role to an ECS instance in the ECS console:
  1. Step 1: Create an instance RAM role
  2. Step 2: Authorize the instance RAM role
  3. Step 3: Bind the instance RAM role

Step 1: Create an instance RAM role

Perform the following operations to create an instance RAM role in the RAM console:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, select Alibaba Cloud Service for the Trusted Entity Type parameter, and then click Next.
  5. Select Normal Service Role for the Role Type parameter.
  6. Specify the RAM Role Name and Note parameters.
  7. Select Elastic Compute Service as the trusted service.
  8. Click OK.

Step 2: Authorize the instance RAM role

Perform the following operations to attach a system policy or custom policy to the instance RAM role in the RAM console:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. (Optional) Create a custom policy if you do not want to use a system policy. For more information, see Implement access control by using RAM.
  3. In the left-side navigation pane, click RAM Roles.
  4. In the RAM Role Name column, click the name of the target RAM role.
  5. On the Permissions tab, click Input and Attach.
  6. Select System Policy or Custom Policy.
  7. Enter the policy name.
  8. Click OK.
  9. Click Close.

Step 3: Bind the instance RAM role

Perform the following operations to bind the instance RAM role to an ECS instance in the ECS console:

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Find the target ECS instance and choose More > Instance Settings > Bind/Unbind RAM Role.
  5. In the Bind/Unbind RAM Role dialog box that appears, select an instance RAM role from the RAM Role drop-down list and click OK.

Alternatively, you can select an instance RAM role from the RAM Role drop-down list in the RAM Role field on the System Configurations page when you create an ECS instance. For more information, see Create an instance by using the provided wizard.
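
The following Python code is an added example, not part of the original documentation or Alibaba Cloud's own code. It checks the two policy documents behind Steps 1 and 2 before the role is bound in Step 3: the trust policy should name only the ECS service, and the attached policy should not grant wildcard actions or all resources. The function names and sample documents are assumptions constructed for illustration, and the JSON layout follows RAM policy syntax, which this page does not show.

```python
ECS_SERVICE = "ecs.aliyuncs.com"  # service principal for Elastic Compute Service

def _as_list(value):
    """RAM policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Return findings for a trust policy that should trust only ECS (Step 1)."""
    findings, trusts_ecs = [], False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for value in _as_list(values):
                if kind == "Service" and value == ECS_SERVICE:
                    trusts_ecs = True
                else:
                    findings.append(f"unexpected trusted principal {kind}={value}")
    if not trusts_ecs:
        findings.append(f"{ECS_SERVICE} is not trusted; ECS cannot assume this role")
    return findings

def check_permission_policy(doc):
    """Flag Allow statements with wildcard actions or resources (Step 2)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: applies to all resources")
    return findings

# Constructed sample documents (assumptions, not taken from the page).
TRUST = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": ["ecs.aliyuncs.com"]}}]}
BROAD = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}
SCOPED = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"], "Resource": ["acs:oss:*:*:example-bucket/*"]}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST))
    print(check_permission_policy(BROAD))
    print(check_permission_policy(SCOPED))
```

Because every application on the bound instance can obtain the role's temporary token through the instance metadata, an empty findings list for both documents is a reasonable gate before performing Step 3.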