A RAM role is a virtual RAM identity that you can create in your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after it is assumed by a trusted entity.

Basic concepts

RAM role
A RAM role is a virtual identity that you can create in your Alibaba Cloud account. The differences among RAM roles, entity users (Alibaba Cloud account, RAM users, or Alibaba Cloud services), and textbook roles are as follows:
  • Entity users have specific logon passwords or AccessKey pairs.
  • Textbook roles (or traditionally defined roles) indicate a set of permissions, which are similar to policies in RAM. If a user assumes a textbook role, the user can obtain a set of permissions and access the authorized resources.
  • RAM roles have specific identities and can have a set of policies attached. However, RAM roles do not have specific logon passwords or AccessKey pairs. If an entity user assumes a RAM role, the entity user can obtain and use the role token to access the authorized resources.
ARN
An Alibaba Cloud Resource Name (ARN) is the global resource identifier of a role. Each RAM role has a unique ARN. For example, the ARN of the RAM role devops of an Alibaba Cloud account is acs:ram::123456789012****:role/samplerole. After you create a RAM role, you can click the role name and find its ARN in the Basic Information section.
Trusted entity
A trusted entity indicates an entity user who can assume a role. When you create a role, you must specify a trusted entity. A RAM role can be assumed only by a trusted entity. A trusted entity can be an Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP).
Policy
A RAM role can have a set of policies attached. A RAM role without policies can exist, but it cannot access resources.
Role assuming
Role assuming is the method for entity users to obtain security tokens of RAM roles. An entity user can call the AssumeRole STS API operation to obtain the security token of a RAM role. Then, the entity user can use the security token to call API operations of Alibaba Cloud services.
Identity switching
Identity switching is the method by which entity users can switch from the logon identity to the role identity in the RAM console. After logging on to the RAM console, an entity user can switch to a RAM role that the entity user can assume. Then, the entity user can use the RAM role to manage Alibaba Cloud resources. After the management operations are completed, the entity user can switch back to the logon identity.
Role token
A role token is a temporary AccessKey pair for a RAM role. A RAM role does not have a specific logon password or AccessKey pair. If an entity user wants to use a RAM role, the entity user must assume the RAM role to obtain a role token. Then, the entity user can use the role token to call API operations of Alibaba Cloud services.

Access Alibaba Cloud resources by using a RAM role

  1. The Alibaba Cloud account specifies a trusted entity that can assume the RAM role.
  2. The trusted entity logs on to the console or calls an API operation to assume the RAM role and obtains a role token.
    • The trusted entity can switch its identity in the console to assume the RAM role. For more information, see Assume a RAM role.
    • The trusted entity can also call the AssumeRole API operation to assume the RAM role.
    Note An entity user can obtain a role token by assuming a RAM role and then use the role token to access Alibaba Cloud resources.
  3. The Alibaba Cloud account attaches a policy to the RAM role. For more information, see Grant permissions to a RAM role.
    Note Each RAM role can have one or more policies attached. A RAM role without a policy cannot access Alibaba Cloud resources.
  4. The trusted entity assumes the RAM role and uses the role token to access Alibaba Cloud resources.
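As an added example (not Alibaba Cloud's own code), the following Python models the trust check that STS performs when an entity calls AssumeRole: it parses the role ARN, decides whether a requesting principal is a trusted entity under a constructed trust policy written in the RAM trust-policy JSON format, and rejects a role token whose Expiration has passed. The account IDs, role and IdP names, and token values are constructed placeholders.

```python
"""Model of the trust check STS performs when an entity assumes a RAM role.

Added example, not Alibaba Cloud code. The trust policy mirrors the RAM
trust-policy JSON format; account IDs and names are constructed placeholders.
"""
import json
import re
from datetime import datetime

# acs:ram::<account-id>:role/<role-name>; the masked account ID from the page fits.
ROLE_ARN_RE = re.compile(r"^acs:ram::(?P<account>[0-9*]{16}):role/(?P<name>[A-Za-z0-9._-]+)$")

def parse_role_arn(arn: str) -> dict:
    """Split a RAM role ARN into its account ID and role name, rejecting other ARNs."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a RAM role ARN: {arn}")
    return m.groupdict()

# Constructed trust policy: RAM users of one trusted account may call AssumeRole,
# and a SAML IdP may call AssumeRoleWithSAML (two of the trusted-entity types).
TRUST_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"RAM": ["acs:ram::123456789012****:root"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
     "Principal": {"Federated": ["acs:ram::123456789012****:saml-provider/corp-idp"]}}
  ]
}""")

def _ram_candidates(principal: str) -> set:
    """A RAM user ARN is trusted if listed itself or if its account root is listed."""
    parts = principal.split(":")
    return {principal, f"acs:ram::{parts[3]}:root"} if len(parts) == 5 else {principal}

def may_assume(policy: dict, principal_type: str, principal: str, action: str) -> bool:
    """True only if some Allow statement names both this action and this principal."""
    candidates = _ram_candidates(principal) if principal_type == "RAM" else {principal}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        allowed = set(stmt.get("Principal", {}).get(principal_type, []))
        if stmt["Effect"] == "Allow" and action in actions and candidates & allowed:
            return True
    return False

def token_is_valid(credentials: dict, now_iso: str) -> bool:
    """A role token is temporary: it must not be used once its Expiration has passed."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(now_iso, fmt) < datetime.strptime(credentials["Expiration"], fmt)

# Constructed role token in the shape STS returns (all values are placeholders).
ROLE_TOKEN = {"AccessKeyId": "STS.placeholder", "AccessKeySecret": "placeholder",
              "SecurityToken": "placeholder", "Expiration": "2024-01-01T01:00:00Z"}
```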

RAM role types

RAM roles are divided into the following types based on the trusted entity:

  • Alibaba Cloud account. RAM users of a trusted Alibaba Cloud account can assume this type of RAM role. RAM users who assume this type of role can belong to their parent Alibaba Cloud accounts or other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
  • Alibaba Cloud service. Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize Alibaba Cloud services to manage your resources.
  • IdP. Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used for single sign-on (SSO) between Alibaba Cloud and a trusted IdP.

Scenarios