This topic describes how to create, authorize, and bind an instance RAM role in the console.

Prerequisites

  • You have activated the RAM service. For more information, see Activation methods.
  • The network type of the ECS instance to which you want to bind a RAM role must be VPC.
  • To perform the operations in this topic, a RAM user must be authorized to use the instance RAM role. For more information, see Authorize a RAM user to use an instance RAM role.

Background information

  • A RAM role can be bound to one instance at a time.
  • If you want to access other cloud service APIs from the applications within an ECS instance after an instance RAM role has been bound to the ECS instance, you must obtain a temporary authorization token of the instance RAM role through the instance metadata. For more information, see Obtain a temporary authorization token.

Procedure

In the following example, an Alibaba Cloud account is used to create and authorize an instance RAM role in the RAM console and then bind it to an ECS instance in the ECS console.
  1. Step 1: Create an instance RAM role
  2. Step 2: Authorize the instance RAM role
  3. Step 3: Bind the instance RAM role

Step 1: Create an instance RAM role

Perform the following operations to create an instance RAM role in the RAM console:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role, select Alibaba Cloud Service, and then click Next.
  4. Specify the RAM Role Name and Note parameters.
  5. Select Elastic Compute Service as the trusted service.
  6. Click OK.

Step 2: Authorize the instance RAM role

Perform the following operations to grant the instance RAM role system administrator or custom permissions:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. (Optional) If you do not need to use system administrator permissions, you can create a custom policy. For more information, see (Optional) Create a custom authorization policy.
  3. In the left-side navigation pane, click RAM Roles.
  4. In the RAM Role Name column, click the name of the target RAM role.
  5. On the Permissions tab, click Input and Attach.
  6. Select System Policy or Custom Policy.
  7. Enter the policy name.
  8. Click OK.
  9. Click Close.
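
The following is an added example, not part of the original topic or of Alibaba Cloud's own tooling. It audits the two policy documents that Steps 1 and 2 produce: the trust policy (which should name only Elastic Compute Service) and the attached permission policy (where an administrator-style policy hands every process on the instance full account access). The function name audit_instance_role, the sample policy documents, and the bucket name are constructed for illustration; the ecs.aliyuncs.com service principal and the policy JSON layout are assumptions that do not appear on this page.

```python
import json

ECS_SERVICE = "ecs.aliyuncs.com"  # assumed service principal for Elastic Compute Service

def _as_list(value):
    """RAM policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_instance_role(trust_policy, permission_policy):
    """Return a list of findings for an instance RAM role's two policy documents."""
    findings = []
    trusted_services = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        trusted_services.update(_as_list(principal.get("Service")))
        # Anything other than a service principal widens who can assume the role.
        for kind in ("RAM", "Federated"):
            for p in _as_list(principal.get(kind)):
                findings.append(f"trust: non-service principal {p} can assume the role")
    if ECS_SERVICE not in trusted_services:
        findings.append("trust: ECS is not a trusted service, so ECS cannot assume the role")
    for svc in sorted(trusted_services - {ECS_SERVICE}):
        findings.append(f"trust: extra trusted service {svc}")
    for stmt in _as_list(permission_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append("permissions: Action '*' gives every instance process full account access")
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append("permissions: service-wide wildcard action on all resources")
    return findings

# Constructed sample documents (not taken from the page).
TRUST = json.loads('{"Version":"1","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":{"Service":["ecs.aliyuncs.com"]}}]}')
ADMIN = json.loads('{"Version":"1","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}')
SCOPED = json.loads('{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetObject"],"Resource":["acs:oss:*:*:example-bucket/*"]}]}')

if __name__ == "__main__":
    print(audit_instance_role(TRUST, ADMIN))   # one finding: wildcard Action
    print(audit_instance_role(TRUST, SCOPED))  # no findings
```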

Step 3: Bind the instance RAM role

Perform the following operations to bind the instance RAM role to an ECS instance.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Find the target ECS instance and choose More > Instance Settings > Bind/Unbind RAM Role.
  5. In the Bind/Unbind RAM Role dialog box that appears, select an existing instance RAM role and click OK.

Alternatively, you can select an existing instance RAM role in the RAM Role field on the System Configurations page when you create an ECS instance. For more information, see Create an instance by using the provided wizard.