Use an instance RAM role by calling API operations

Edit in GitHub

Last Updated: Jun 15, 2020 Edit in GitHub

You can call API operations to create, authorize, and bind an instance RAM role.

Prerequisites

The RAM service is activated. For more information, see Billing in the RAM documentation.

Background information

Instance RAM roles have the following limits:

Instance RAM roles are applicable only to VPC-type ECS instances.
Only one instance RAM role can be bound to an ECS instance at a time.
If you want to access the APIs of other Alibaba Cloud services from applications within an ECS instance that is bound with an instance RAM role, you must obtain a temporary authorization token of the instance RAM role through the instance metadata. For more information, see Obtain a temporary authorization token.
If you want to use an instance RAM role of a RAM user, you must use the Alibaba Cloud account to authorize the RAM user to use an instance RAM role. For more information, see Authorize a RAM user to use an instance RAM role.

Procedure

Perform the following operations to use an instance RAM role by calling API operations:

Step 1: Create an instance RAM role
Step 2: Authorize the instance RAM role
Step 3: Bind the instance RAM role
(Optional) Step 4: Unbind the instance RAM role
(Optional) Step 5: Obtain a temporary authorization token
(Optional) Step 6: Authorize a RAM user to use the instance RAM role

Step 1: Create an instance RAM role

Call the CreateRole operation to create an instance RAM role.

Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

Set the AssumeRolePolicyDocument parameter based on the following policy:

{
     "Statement": [
     {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
         "Service": [
         "ecs.aliyuncs.com"
         ]
         }
     }
     ],
     "Version": "1"
 }

Step 2: Authorize the instance RAM role

Perform the following operations to authorize the instance RAM role:

Call the CreatePolicy operation to create an authorization policy.
Configure the following parameters:
- Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTestingPolicy.
- Set the PolicyDocument parameter based on the following policy:
```
{
     "Statement": [
         {
         "Action": [
             "oss:Get*",
             "oss:List*"
         ],
         "Effect": "Allow",
         "Resource": "*"
         }
     ],
     "Version": "1"
 }
```
Call the AttachPolicyToRole operation to authorize the role policy.
Configure the following parameters:
- Set the PolicyType parameter to Custom.
- Set the PolicyName parameter. For example, set this parameter to EcsRamRoleDocumentTestingPolicy.
- Set the RoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

Step 3: Bind the instance RAM role

Call the AttachInstanceRamRole operation to bind the instance RAM role.

Configure the following parameters:

Set the RegionId and InstanceIds parameters to specify the ECS instance.
Set the RamRoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

(Optional) Step 4: Unbind the instance RAM role

Call the DettachInstanceRamRole operation to unbind the instance RAM role.

Configure the following parameters:

Set the RegionId and InstanceIds parameters to specify the ECS instance.
Set the RamRoleName parameter. For example, set this parameter to EcsRamRoleDocumentTesting.

(Optional) Step 5: Obtain a temporary authorization token

You can obtain a temporary authorization token for an instance RAM role. With this periodically updated token, you can use the permissions and resources granted to the RAM role. Perform the following operations:

Query the temporary authorization token of the instance RAM role named EcsRamRoleDocumentTesting.

Linux instance: Run the curl http://100.100.100.200/latest/meta-data/Ram/security-credentials/EcsRamRoleDocumentTesting command.
Windows instance: For more information, see Metadata.

Obtain the temporary authorization token. The sample responses are as follow:

{
"AccessKeyId" : "XXXXXXXXX",
"AccessKeySecret" : "XXXXXXXXX",
"Expiration" : "2017-11-01T05:20:01Z",
"SecurityToken" : "XXXXXXXXX",
"LastUpdated" : "2017-10-31T23:20:01Z",
"Code" : "Success"
}

(Optional) Step 6: Authorize a RAM user to use the instance RAM role

Perform the following operations to authorize a RAM user to use the instance RAM role:

Note When you authorize a RAM user to use an instance RAM role, you must grant the PassRole permission to the RAM user on the instance RAM role. Without the PassRole permission, the RAM user cannot exercise the permissions specified in role policies.

Log on to the RAM console.

Authorize a RAM user to use the instance RAM role. For more information, see Grant permissions to a RAM user.

{
        "Version": "2016-10-17",
        "Statement": [
            {
            "Effect": "Allow",
            "Action": [
                "ecs: [ECS RAM Action]",
                "ecs: CreateInstance",
                "ecs: AttachInstanceRamRole",
                "ecs: DetachInstanceRAMRole"
            ],
            "Resource": "*"
            },
            {
        "Effect": "Allow",
        "Action": "ram:PassRole",
        "Resource": "*"
            }
        ]
}

[ECS RAM Action] indicates permissions that can be granted to the RAM user. For more information, see Authentication rules.