If Function Compute, CloudMonitor, or other services running on the gateway of an edge instance need to access other Alibaba Cloud resources (for example, to call an OSS API operation), the edge instance obtains access to those resources by using a specific RAM role.

For information about RAM roles and how to create and authorize RAM roles, see RAM roles and Permission control.

Prerequisites

An edge instance is created. For more information, see Set up environments.

Procedure

  1. Log on to the IoT Platform console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Link IoT Edge > Edge Instances. On the page that appears, find the target edge instance, and click View in the Actions column.
  3. On the Instance Details page, click the Configurations tab. On this tab, assign a role to the instance as follows:
    • Assign an existing role
      1. Click Assign Existing Role, and select a RAM role. After you select a role, the permissions of this role are granted to the edge instance.

        To change the permissions of a role in the RAM console, click RAM Console. For more information about how to change permissions, see Permission control.

      2. Click OK to assign the role to the edge instance.
    • Create a role and grant permissions
      1. Click Add Role & Permission. In the dialog box that appears, enter a role name and select permissions for the edge instance.
        Table 1. Parameters
        Parameter | Description
        Role Name | The name of the role. The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).
        Role Permissions | The permissions of the role. You can select multiple permissions that are required by the edge instance to access other Alibaba Cloud resources.
        Note
        • When you move the pointer over the question mark (?), a message appears listing the permissions that edge instances may require.
        • If you want to remove a permission, you can click the cross sign (X) next to the permission.
      2. Click OK to go to the RAM console.
      3. In the RAM console, confirm the settings, and click OK to create the role for the edge instance.
      4. Return to the IoT Platform console. On the Configurations tab of the Instance Details page, you can view the created role and the permissions that are granted to the role.
  4. Optional. If you want to access extra cloud resources while using Link IoT Edge, grant more permissions to an assigned role.
    1. Click Edit in the Actions column to the right of the assigned role and change the role or the permissions.
      Table 2. Parameters
      Parameter | Description
      Role | You can change the selected role.
      Role Permissions | You can add or remove the permissions for the selected role.
      • To change the permissions of a role in the RAM console, click RAM Console. For more information about how to change permissions, see Permission control.
      • If you want to remove a permission, click the cross sign (X) next to the permission.
    2. On the Edit Role and Permission page, click OK to save the changes.
  5. After you assign a role to the edge instance, click Deploy in the upper-right corner of the page. In the message that appears, click OK to deploy the edge instance.