All Products
Search
Document Center

Resource Access Management:Create a RAM role for a trusted Alibaba Cloud account

Last Updated:Feb 22, 2024

A Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud account is used to implement cross-account access and temporary authorization. The RAM role can be assumed by a RAM user that belongs to a trusted Alibaba Cloud account.

Procedure

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

  5. Configure parameters for the RAM role.

    1. Specify RAM Role Name.

    2. Specify Note.

    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account section.

      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.

      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.

        You can view the ID of your Alibaba Cloud account on the Security Settings page.

      Important

      If you want a specific RAM user instead of all RAM users that belong to your Alibaba Cloud account to assume the RAM role, you can use one of the following methods:

  6. Click OK.

  7. Click Close.

What to do next

  1. Grant permissions to the RAM role.

    After you create a RAM role, the RAM role does not have any permissions. You must grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.

  2. Assume the RAM role.

    You can assume the RAM role as a RAM user that belongs to the trusted Alibaba Cloud account by using the Alibaba Cloud Management Console or the RAM API, and then obtain an Security Token Service (STS) token and access relevant cloud resources. For more information, see Assume a RAM role.