Limits

The instance RAM role has the following limits:

Prerequisites

Before using this feature, the RAM user must be authorized to use the instance RAM role (see step 6, which requires the ram:PassRole permission). See Activation method to activate the RAM service.

1. Create an instance RAM role

  1. Call CreateRole to create an instance RAM role.
  2. Set the parameter RoleName, for example, EcsRamRoleDocumentTesting.
  3. Set the AssumeRolePolicyDocument as follows. The trust policy allows only the ECS service (ecs.aliyuncs.com) to assume the role:
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ecs.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

2. Authorize the instance RAM role

  1. Call CreatePolicy to create an authorization policy.
  2. Set the parameter PolicyName, for example, EcsRamRoleDocumentTestingPolicy.
  3. Set the PolicyDocument as follows. This example grants read-only access to OSS; keep the actions and resources to the minimum the workload on the instance needs:
    {
      "Statement": [
        {
          "Action": [
            "oss:Get*",
            "oss:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  4. Call AttachPolicyToRole to attach the policy to the role.
  5. Set PolicyType to Custom.
  6. Set the parameter PolicyName, for example, EcsRamRoleDocumentTestingPolicy.
  7. Set the parameter RoleName, for example, EcsRamRoleDocumentTesting.

3. Attach the instance RAM role

  1. Call AttachInstanceRamRole to attach an instance RAM role to an ECS instance.
  2. Set the parameters RegionId and InstanceIds (a JSON array of one or more instance IDs) to specify the ECS instance.
  3. Set the parameter RamRoleName, for example, EcsRamRoleDocumentTesting.

4. (Optional) Detach an instance RAM role

  1. Call DetachInstanceRamRole to detach an instance RAM role.
  2. Set the parameters RegionId and InstanceIds (a JSON array of one or more instance IDs) to specify the ECS instance.
  3. Set the parameter RamRoleName, for example, EcsRamRoleDocumentTesting.

5. (Optional) Obtain the on-demand authorization credential

An application running inside the ECS instance can obtain the STS temporary credential of the instance RAM role from the instance metadata service and use it to access the resources the role is authorized for, without storing any access key on the instance. The credential is rotated periodically, so read it again before the Expiration time rather than caching it indefinitely. Any process on the instance that can reach the metadata service can read this credential, so keep the role's policy to the minimum the workload needs. Example:

  1. Obtain the STS credential of the instance RAM role, for example, EcsRamRoleDocumentTesting:
    • Linux instance: run curl http://100.100.100.200/latest/meta-data/Ram/security-credentials/EcsRamRoleDocumentTesting .
    • Windows instance: see Metadata.
  2. The response contains the temporary credential (AccessKeyId, AccessKeySecret and SecurityToken) together with its expiration time. Example response:
    {
      "AccessKeyId" : "XXXXXXXXX",
      "AccessKeySecret" : "XXXXXXXXX",
      "Expiration" : "2017-11-01T05:20:01Z",
      "SecurityToken" : "XXXXXXXXX",
      "LastUpdated" : "2017-10-31T23:20:01Z",
      "Code" : "Success"
    }
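The following is an added example, not code from the original page or from Alibaba Cloud's SDKs. It reads the credential from the metadata path shown above, checks the Code and required fields, and re-fetches the credential shortly before its Expiration so that an application never keeps using a stale token. The fetch function and the clock are injectable, so demo() exercises the refresh logic offline against a constructed response with placeholder values; the role name and the 300-second refresh margin are assumptions.

```python
"""Fetch and refresh the instance RAM role's STS credential from ECS metadata.

Added example for this page, not Alibaba Cloud's own SDK code. `fetch` and `now`
are injectable so the refresh logic can be run offline against a constructed
response; http_fetch is the real implementation.
"""
import json
import time
import urllib.request
from datetime import datetime, timezone

METADATA_URL = "http://100.100.100.200/latest/meta-data/Ram/security-credentials/"


def http_fetch(url, timeout=2.0):
    """Real fetch. The metadata service is link-local, so keep the timeout short."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_expiration(value):
    """Expiration is ISO 8601 UTC, e.g. 2017-11-01T05:20:01Z, converted to POSIX seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


class InstanceRoleCredentials:
    """Caches the credential and refreshes it when within refresh_margin seconds of Expiration."""

    def __init__(self, role_name, fetch=http_fetch, now=time.time, refresh_margin=300):
        self.url = METADATA_URL + role_name
        self.fetch = fetch
        self.now = now
        self.refresh_margin = refresh_margin
        self._cred = None
        self._expires_at = 0.0
        self.refresh_count = 0   # how many times the metadata service was queried

    def _refresh(self):
        body = json.loads(self.fetch(self.url))
        if body.get("Code") != "Success":
            raise RuntimeError("metadata service returned Code=%r" % body.get("Code"))
        for key in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
            if key not in body:
                raise RuntimeError("credential response is missing %s" % key)
        expires_at = parse_expiration(body["Expiration"])
        if expires_at <= self.now():
            raise RuntimeError("metadata service returned an already expired credential")
        self._cred = body
        self._expires_at = expires_at
        self.refresh_count += 1

    def get(self):
        """Return (AccessKeyId, AccessKeySecret, SecurityToken), refreshing first if needed."""
        if self._cred is None or self.now() >= self._expires_at - self.refresh_margin:
            self._refresh()
        return (self._cred["AccessKeyId"], self._cred["AccessKeySecret"], self._cred["SecurityToken"])


# Constructed sample response shaped like the page's example; not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "EXAMPLESECRET",
    "Expiration": "2017-11-01T05:20:01Z",
    "SecurityToken": "EXAMPLETOKEN",
    "LastUpdated": "2017-10-31T23:20:01Z",
    "Code": "Success",
})


def demo():
    """Offline walk-through: one fetch serves repeated calls until the margin is reached,
    then the credential is fetched again. Returns (token, fetches before margin, fetches after)."""
    clock = [parse_expiration("2017-10-31T23:20:01Z")]
    creds = InstanceRoleCredentials("EcsRamRoleDocumentTesting",
                                    fetch=lambda url: SAMPLE_RESPONSE, now=lambda: clock[0])
    first = creds.get()
    creds.get()                                   # served from cache
    fetches_before = creds.refresh_count
    clock[0] = parse_expiration("2017-11-01T05:20:01Z") - 60   # inside the 300 s margin
    creds.get()                                   # triggers a refresh
    return first[2], fetches_before, creds.refresh_count


if __name__ == "__main__":
    print(demo())
```

The three values returned by get() are the STS credential: pass them to the SDK as an STS token credential (for aliyun-python-sdk-core that is aliyunsdkcore.auth.credentials.StsTokenCredential) rather than as a long-term AccessKey pair, because the SecurityToken must accompany every signed request.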
    

6. (Optional). Authorize a RAM user to use the instance RAM role

Note
You must grant the RAM user the ram:PassRole permission before the user can use the instance RAM role feature. Without ram:PassRole, the RAM user cannot pass the role to ECS, so calls such as CreateInstance or AttachInstanceRamRole that specify a RamRoleName fail even if the policy attached to the user allows those ECS actions.

Log on to the RAM console and attach a policy to the RAM user (see Attach policies to a RAM user). The following policy is an example; it grants the ECS actions the user needs together with ram:PassRole:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:[ECS RAM Action]",
        "ecs:CreateInstance",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}

[ECS RAM Action] is a placeholder for any other ECS action the RAM user is to be authorized for. See Authorization rules. Note that ram:PassRole with Resource "*" lets the user pass any role in the account to an ECS instance, including roles more privileged than the user itself; restrict Resource to the intended role where your policy supports it.
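The following is an added example, not code from the original page or from Alibaba Cloud, that drives steps 1 to 4 and step 6 above through the RAM and ECS APIs. It builds the three policy documents shown on this page and issues the API calls in order through the CommonRequest interface of the aliyun-python-sdk-core package. Every API call goes through an injectable call(domain, version, action, params) function so the sequence can be exercised without network access; sdk_caller is the real implementation. The policy name for the RAM user (EcsRamRolePassRolePolicy), the user name, the instance ID, the region, the environment variable names and the role ARN format used to narrow PassRole are assumptions.

```python
"""Drive steps 1-4 and 6 of this page through the RAM and ECS APIs.

Added example for this page, not Alibaba Cloud's own sample code. It uses the
CommonRequest interface of aliyun-python-sdk-core; every API call goes through
an injectable `call(domain, version, action, params)` so the whole sequence can
be exercised offline. Role, policy, user and instance names are illustrative.
"""
import json
import os

ROLE_NAME = "EcsRamRoleDocumentTesting"
POLICY_NAME = "EcsRamRoleDocumentTestingPolicy"
RAM_API = ("ram.aliyuncs.com", "2015-05-01")   # RAM API endpoint and version
ECS_API = ("ecs.aliyuncs.com", "2014-05-26")   # ECS API endpoint and version


def trust_policy():
    """Step 1 AssumeRolePolicyDocument: only the ECS service may assume the role."""
    return json.dumps({
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["ecs.aliyuncs.com"]},
        }],
        "Version": "1",
    })


def oss_read_policy():
    """Step 2 PolicyDocument: read-only OSS access for the role."""
    return json.dumps({
        "Statement": [{
            "Action": ["oss:Get*", "oss:List*"],
            "Effect": "Allow",
            "Resource": "*",
        }],
        "Version": "1",
    })


def pass_role_policy(pass_role_resource="*"):
    """Step 6 policy for a RAM user: the ECS actions plus ram:PassRole.
    Narrow pass_role_resource from "*" to the intended role (assumed ARN format
    acs:ram::<account-id>:role/<name>) so the user cannot hand ECS a more privileged role."""
    return json.dumps({
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ecs:CreateInstance", "ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "ram:PassRole", "Resource": pass_role_resource},
        ],
        "Version": "1",
    })


def setup_instance_role(call, region_id, instance_id, role_name=ROLE_NAME, policy_name=POLICY_NAME):
    """Steps 1-4: create the role, create and attach its policy, attach the role to one instance."""
    call(*RAM_API, "CreateRole", {"RoleName": role_name, "AssumeRolePolicyDocument": trust_policy()})
    call(*RAM_API, "CreatePolicy", {"PolicyName": policy_name, "PolicyDocument": oss_read_policy()})
    call(*RAM_API, "AttachPolicyToRole", {"PolicyType": "Custom", "PolicyName": policy_name, "RoleName": role_name})
    # InstanceIds is a JSON array string, not a bare instance ID.
    call(*ECS_API, "AttachInstanceRamRole",
         {"RegionId": region_id, "InstanceIds": json.dumps([instance_id]), "RamRoleName": role_name})


def authorize_user(call, user_name, policy_name="EcsRamRolePassRolePolicy", pass_role_resource="*"):
    """Step 6: give a RAM user the ECS actions and the PassRole permission."""
    call(*RAM_API, "CreatePolicy", {"PolicyName": policy_name, "PolicyDocument": pass_role_policy(pass_role_resource)})
    call(*RAM_API, "AttachPolicyToUser", {"PolicyType": "Custom", "PolicyName": policy_name, "UserName": user_name})


def sdk_caller(access_key_id, access_key_secret, region_id):
    """Real `call` built on aliyun-python-sdk-core (pip install aliyun-python-sdk-core)."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.request import CommonRequest
    client = AcsClient(access_key_id, access_key_secret, region_id)

    def call(domain, version, action, params):
        req = CommonRequest()
        req.set_accept_format("json")
        req.set_domain(domain)
        req.set_method("POST")
        req.set_version(version)
        req.set_action_name(action)
        for key, value in params.items():
            req.add_query_param(key, value)
        return json.loads(client.do_action_with_exception(req))
    return call


if __name__ == "__main__":
    # Assumed environment variable names; region, instance ID and user name are placeholders.
    region = "cn-hangzhou"
    call = sdk_caller(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
                      os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"], region)
    setup_instance_role(call, region, "i-bp1exampleinstance")
    authorize_user(call, "alice")
```

The AccessKey used by sdk_caller must belong to an identity that is itself allowed to call these RAM and ECS actions; the RAM user being authorized in step 6 is a different identity, which is why its PassRole grant is a separate policy.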

References