
Resource Access Management: Create a RAM role for a trusted Alibaba Cloud account

Last Updated: Dec 18, 2025

A Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud account is used to implement cross-account access and temporary authorization. The RAM role can be assumed by a RAM user or a RAM role that belongs to a trusted Alibaba Cloud account.

Procedure

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set the Principal Type parameter to Cloud Account, specify an Alibaba Cloud account, and then click OK.

    • Current Account: If you want a RAM user or RAM role that belongs to your Alibaba Cloud account to assume the RAM role, select Current Account.

    • Other Account: If you want a RAM user or RAM role that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Delegate access across Alibaba Cloud accounts using RAM roles. You can view the ID of your Alibaba Cloud account on the Security Settings page.

  5. Optional. If you want the RAM role to be assumed only by a specific RAM user or RAM role that belongs to the trusted Alibaba Cloud account, click Switch to Policy Editor and modify the trust policy of the RAM role in the editor.

    The editor provides two modes: Visual Editor and Script Editor. You can use either mode. The following example shows how to allow only the RAM user Alice from the current Alibaba Cloud account (ID: 100******0719) to assume the RAM role.

    • Visual Editor

      Specify a RAM user for the Principal element.

    • Script Editor

      In the Principal section, specify the RAM user in the RAM field.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "RAM": "acs:ram::100******0719:user/Alice"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

  6. In the Create Role dialog box, configure the Role Name parameter and click OK.
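
The difference between trusting a whole account (step 4) and a single RAM user (step 5) shows up in the Principal element of the trust policy. The following Python check is an added example, not part of the original documentation: it classifies each RAM principal in a trust policy by scope and flags cross-account trust. The function names, the sample account IDs, and the account-wide `:root` principal form are assumptions that do not appear on this page.

```python
import json
import re

# Principal form used in the trust policy above: acs:ram::<account-id>:<entity>
# Assumption: account-wide trust is written as acs:ram::<account-id>:root
ARN_RE = re.compile(r"^acs:ram::([^:]+):(root|(?:user|role)/.+)$")
SCOPES = {"root": "whole-account", "user": "single-user", "role": "single-role"}


def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy_text, own_account_id):
    """Return one finding per RAM principal allowed to call sts:AssumeRole."""
    findings = []
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal")
        ram = principal.get("RAM") if isinstance(principal, dict) else None
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue  # only the exact action shown on the page is matched
        for arn in as_list(ram):
            match = ARN_RE.match(arn)
            account, entity = match.groups() if match else (None, "")
            findings.append({
                "principal": arn,
                "scope": SCOPES.get(entity.split("/")[0], "unrecognized"),
                "cross_account": account != own_account_id if match else None,
            })
    return findings


# Constructed sample policies; the account IDs are placeholders, not real accounts.
OWN_ACCOUNT = "1000000000000001"
NARROW = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Principal": {"RAM": "acs:ram::1000000000000001:user/Alice"},
    "Action": "sts:AssumeRole"}]})
BROAD = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Principal": {"RAM": ["acs:ram::2000000000000002:root"]},
    "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    print(audit_trust_policy(NARROW, OWN_ACCOUNT), audit_trust_policy(BROAD, OWN_ACCOUNT))
```

A `whole-account` finding with `cross_account` set to true is the widest grant this procedure can produce and is the one to review first.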

What to do next

  1. Grant permissions to the RAM role.

    After a RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.

  2. Assume the RAM role.

    A RAM user or RAM role that belongs to the trusted Alibaba Cloud account can assume the RAM role using the Alibaba Cloud Management Console or the RAM API, obtain a Security Token Service (STS) token, and then access the relevant cloud resources. For more information, see Assume a RAM role.