Users (people or applications) that only access your cloud resources occasionally are called temporary users. You can use Security Token Service (STS, an extended authorization service of RAM) to issue an access token to these users (subaccounts). The permission and automatic expiration time of the token can be defined as required upon issuing.

The advantage of using the STS access token to authorize temporary users is making the authorization more controllable. You do not need to create a RAM user account and key for the temporary users. The RAM user account and key are valid in the long term but the temporary users do not need to access the resources for long. For use cases, see Grant temporary permissions to mobile apps and Cross-account resource authorization and access.

Create a role

  1. On the RAM console, choose RAM Roles > Create RAM Role

  2. Select the role type. Here, the role User is selected.

  3. Enter the type information. A subaccount of a trusted account can play the created role.

  4. Enter the role name.

  5. After a role is created, authorize the role. For details, see Permission granting in RAM and Authorized resources.

Temporary access authorization

Before using STS for access authorization, authorize the role to be assumed by the subaccount of the trusted cloud account created in Step 3. If any subaccount could assume these roles, unpredictable risks may occur. Therefore, in order to assume the corresponding role, a subaccount has to have explicitly configured permissions.

Authorization of the trusted cloud account

  1. Click Policy Management on the left side of the page to go to the Policy Management page.
  2. Click Create Authorization Policy on the right side of the page to go to the Create Authorization Policy page.
  3. Select a blank template to go to the Create Custom Authorization Policy page.
  4. Enter the authorization policy name and fill the following content to the policy content field.
    "Version": "1",
    "Statement": [
       "Effect": "Allow",
       "Action": "sts:AssumeRole",
       "Resource": "acs:ram::${aliyunID}:role/${roleName}"

    ${aliyunID} indicates the ID of the user that creates the role.

    ${roleName} indicates the role name in lowercase.

    Note The resource details can be obtained from the Arn field in Role Details and Basic Information.

  5. On the User Management page, authorize the permission of the role created for the subaccount. For details, see Permission granting in RAM.

Role assumed by a subaccount

After logging on to the console through the subaccount, the subaccount can switch to the authorized role assumed by the subaccount to practise permissions of the role. The steps are as follows:

  1. Move the mouse to the profile picture on the upper-right corner of the navigation bar, and click Switch Role in the window.
  2. Enter the enterprise alias of the account with which you intend to create a role. If the enterprise alias is not modified, the account ID is used by default. Enter the role name and then click Switch to switch to the specified role.