You can call API operations to create, authorize, and bind an instance RAM role.
Prerequisites
The RAM service is activated. For more information, see Billing in the RAM documentation.
Background information
- Instance RAM roles are applicable only to VPC-type ECS instances.
- Only one instance RAM role can be bound to an ECS instance at a time.
- If you have bound an instance RAM role to an ECS instance and want to access the APIs of other Alibaba Cloud services from applications deployed on the instance, you must obtain a temporary authorization token of the instance RAM role by using the instance metadata. For more information, see Obtain a temporary authorization token.
- If you want to use an instance RAM role as a RAM user, you must use the Alibaba Cloud account to authorize the RAM user to use the instance RAM role. For more information, see Authorize a RAM user to use an instance RAM role.
Procedure
Step 1: Create an instance RAM role
Call the CreateRole operation to create an instance RAM role.
Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.
Create the role with the following trust policy, which allows only the ECS service (ecs.aliyuncs.com) to assume it:
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "ecs.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
Step 2: Authorize the instance RAM role
Step 3: Bind the instance RAM role
Call the AttachInstanceRamRole operation to bind the instance RAM role.
- Set the RegionId and InstanceIds parameters to specify the ECS instance.
- Set the RamRoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.
(Optional) Step 4: Unbind the instance RAM role
Call the DetachInstanceRamRole operation to unbind the instance RAM role.
- Set the RegionId and InstanceIds parameters to specify the ECS instance.
- Set the RamRoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.
(Optional) Step 5: Obtain a temporary authorization token
You can obtain a temporary authorization token for an instance RAM role. With this periodically updated token, you can use the permissions and resources granted to the RAM role. Perform the following operations:
- Linux instance: Run the following command:
    curl http://100.100.100.200/latest/meta-data/Ram/security-credentials/EcsRamRoleDocumentTesting
- Windows instance: For more information, see Metadata.
Example response:
    {
        "AccessKeyId" : "XXXXXXXXX",
        "AccessKeySecret" : "XXXXXXXXX",
        "Expiration" : "2017-11-01T05:20:01Z",
        "SecurityToken" : "XXXXXXXXX",
        "LastUpdated" : "2017-10-31T23:20:01Z",
        "Code" : "Success"
    }
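As an added example (not code from the Alibaba Cloud documentation), the following Python credential provider reads the token from the metadata URL above, checks that the response is valid before trusting it, and re-reads it shortly before Expiration so an application never keeps using an expired token. The sample response is constructed, and the fetch and clock hooks are my own names, injected so the logic can be exercised offline.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

METADATA_URL = "http://100.100.100.200/latest/meta-data/Ram/security-credentials/"
ROLE_NAME = "EcsRamRoleDocumentTesting"

# Constructed sample, shaped like the metadata response shown above (placeholder values).
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "XXXXXXXXX", "AccessKeySecret": "XXXXXXXXX",
    "Expiration": "2017-11-01T05:20:01Z", "SecurityToken": "XXXXXXXXX",
    "LastUpdated": "2017-10-31T23:20:01Z", "Code": "Success",
})

def parse_credentials(body: str) -> dict:
    """Validate a security-credentials response before any field is used."""
    data = json.loads(body)
    if data.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={data.get('Code')!r}")
    for key in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
        if not data.get(key):
            raise ValueError(f"credential response is missing {key}")
    return data

def parse_expiration(value: str) -> datetime:
    """Expiration is UTC in the form 2017-11-01T05:20:01Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def needs_refresh(creds: dict, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    """True once 'now' is within 'margin' of Expiration, so a fresh token is fetched early."""
    return now >= parse_expiration(creds["Expiration"]) - margin

class MetadataCredentialProvider:
    """Caches the role's temporary token and re-reads metadata only near expiry."""
    def __init__(self, role_name=ROLE_NAME, fetch=None, clock=None):
        self._url = METADATA_URL + role_name
        self._fetch = fetch or self._fetch_http      # hypothetical hook: injectable for offline tests
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._cached = None

    @staticmethod
    def _fetch_http(url: str) -> str:
        with urlopen(url, timeout=2) as resp:        # metadata is link-local; fail fast if unreachable
            return resp.read().decode()

    def get(self) -> dict:
        if self._cached is None or needs_refresh(self._cached, self._clock()):
            self._cached = parse_credentials(self._fetch(self._url))
        return self._cached
```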