Use an instance RAM role by calling API operations - Security| Alibaba Cloud Documentation Center

Background information

Instance RAM roles have the following limits:

Instance RAM roles are applicable only to VPC-type ECS instances.
Only one instance RAM role can be bound to an ECS instance at a time.
If you have bound an instance RAM role to an ECS instance and want to access the APIs of other Alibaba Cloud services from applications deployed on the instance, you must obtain a temporary authorization token of the instance RAM role by using the instance metadata. For more information, see Obtain a temporary authorization token.
If you want to use an instance RAM role as a RAM user, you must use the Alibaba Cloud account to authorize the RAM user to use the instance RAM role. For more information, see Authorize a RAM user to use an instance RAM role.

Procedure

Perform the following operations to use an instance RAM role by calling API operations:

Step 1: Create an instance RAM role
Step 2: Authorize the instance RAM role
Step 3: Bind the instance RAM role
(Optional) Step 4: Unbind the instance RAM role
(Optional) Step 5: Obtain a temporary authorization token
(Optional) Step 6: Authorize a RAM user to use the instance RAM role

Step 1: Create an instance RAM role

Call the CreateRole operation to create an instance RAM role.

Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

Set the AssumeRolePolicyDocument parameter based on the following policy:

{
     "Statement": [
     {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
         "Service": [
         "ecs.aliyuncs.com"
         ]
         }
     }
     ],
     "Version": "1"
 }

Step 2: Authorize the instance RAM role

Call the CreatePolicy operation to create an authorization policy.
Configure the following parameters:
- Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTestingPolicy.
- Set the PolicyDocument parameter based on the following policy:
```
{
     "Statement": [
         {
         "Action": [
             "oss:Get*",
             "oss:List*"
         ],
         "Effect": "Allow",
         "Resource": "*"
         }
     ],
     "Version": "1"
 }
```
Call the AttachPolicyToRole operation to authorize the role policy.
Configure the following parameters:
- Set the PolicyType parameter to Custom.
- Set the PolicyName parameter. For example, set this parameter to EcsRamRoleDocumentTestingPolicy.
- Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

Step 3: Bind the instance RAM role

Call the AttachInstanceRamRole operation to bind the instance RAM role.

Configure the following parameters:

Set the RegionId and InstanceIds parameters to specify the ECS instance.
Set the RamRoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

(Optional) Step 4: Unbind the instance RAM role

Call the DettachInstanceRamRole operation to unbind the instance RAM role.

Configure the following parameters:

Set the RegionId and InstanceIds parameters to specify the ECS instance.
Set the RamRoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

(Optional) Step 5: Obtain a temporary authorization token

You can obtain a temporary authorization token for an instance RAM role. With this periodically updated token, you can use the permissions and resources granted to the RAM role. Perform the following operations:

Query the temporary authorization token of the instance RAM role named EcsRamRoleDocumentTesting.

Linux instance: Run the curl http://100.100.100.200/latest/meta-data/Ram/security-credentials/EcsRamRoleDocumentTesting command.
Windows instance: For more information, see Metadata.

Obtain the temporary authorization token. Sample response:

{
"AccessKeyId" : "XXXXXXXXX",
"AccessKeySecret" : "XXXXXXXXX",
"Expiration" : "2017-11-01T05:20:01Z",
"SecurityToken" : "XXXXXXXXX",
"LastUpdated" : "2017-10-31T23:20:01Z",
"Code" : "Success"
}

(Optional) Step 6: Authorize a RAM user to use the instance RAM role

Note When you authorize a RAM user to use an instance RAM role, you must grant the RAM user the PassRole permission on the instance RAM role. If the RAM user does not have the PassRole permission, the RAM user cannot exercise the permissions specified in role policies.

Log on to the RAM console.

Authorize a RAM user to use the instance RAM role. For more information, see Grant permissions to a RAM user.

{
        "Version": "2016-10-17",
        "Statement": [
            {
            "Effect": "Allow",
            "Action": [
                "ecs: [ECS RAM Action]",
                "ecs: CreateInstance",
                "ecs: AttachInstanceRamRole",
                "ecs: DetachInstanceRAMRole"
            ],
            "Resource": "*"
            },
            {
        "Effect": "Allow",
        "Action": "ram:PassRole",
        "Resource": "*"
            }
        ]
}

[ECS RAM Action] indicates permissions that can be granted to the RAM user. For more information, see Authentication rules.

Prerequisites