Creates a RAM role.

Description

For more information about RAM roles, see Overview of RAM roles.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateRole

The operation that you want to perform. Set the value to CreateRole.

RoleName String Yes ECSAdmin

The name of the RAM role.

The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), and hyphens (-).

Description String No ECS administrator

The description of the RAM role.

The description must be 1 to 1,024 characters in length.

AssumeRolePolicyDocument String Yes {"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}

The trust policy that specifies one or more trusted entities to assume the RAM role. The trusted entities can be Alibaba Cloud accounts, Alibaba Cloud services, or identity providers (IdPs).

Note RAM users cannot assume the RAM roles of trusted Alibaba Cloud services.
MaxSessionDuration Long No 3600

The maximum session duration of the RAM role.

Valid values: 3600 to 43200. Unit: seconds. Default value: 3600.

If you do not specify this parameter, the default value is used.

The following content provides sample values for the AssumeRolePolicyDocument parameter.
  • The following policy allows the RAM role to be assumed by all RAM users of the Alibaba Cloud account whose ID is 123456789012****.
    
    {
    	"Statement": [{
    		"Action": "sts:AssumeRole",
    		"Effect": "Allow",
    		"Principal": {
    			"RAM": [
    				"acs:ram::123456789012****:root"
    			]
    		}
    	}],
    	"Version": "1"
    }
    
  • The following policy allows the RAM role to be assumed by the RAM user named testuser of the trusted Alibaba Cloud account whose ID is 123456789012****.
    Note Before you create the role, ensure that you have created a RAM user named testuser whose logon name is testuser@123456789012****.onaliyun.com.
    
    {
    	"Statement": [{
    		"Action": "sts:AssumeRole",
    		"Effect": "Allow",
    		"Principal": {
    			"RAM": [
    				"acs:ram::123456789012****:user/testuser"
    			]
    		}
    	}],
    	"Version": "1"
    }
    
  • The following policy allows the RAM role to be assumed by the Elastic Compute Service (ECS) service of the current trusted Alibaba Cloud account.
    
    {
    	"Statement": [{
    		"Action": "sts:AssumeRole",
    		"Effect": "Allow",
    		"Principal": {
    			"Service": [
    				"ecs.aliyuncs.com"
    			]
    		}
    	}],
    	"Version": "1"
    }
    
  • The following policy allows the RAM role to be assumed by the Security Assertion Markup Language (SAML) IdP named testprovider of the current trusted Alibaba Cloud account whose ID is 123456789012****.
    Note Before you create the role, ensure that you have created a SAML IdP named testprovider.
    
    {
    	"Statement": [{
    		"Action": "sts:AssumeRole",
    		"Effect": "Allow",
    		"Principal": {
    			"Federated": [
    				"acs:ram::123456789012****:saml-provider/testprovider"
    			]
    		},
    		"Condition": {
    			"StringEquals": {
    				"saml:recipient": "https://signin.aliyun.com/saml-role/sso"
    			}
    		}
    	}],
    	"Version": "1"
    }
    
  • The following policy allows the RAM role to be assumed by the OIDC IdP named TestOIDCProvider of the current trusted Alibaba Cloud account whose ID is 123456789012****.
    Note Before you create the policy, ensure that you have created an OIDC IdP named TestOIDCProvider.
    
    {
    	"Statement": [{
    		"Action": "sts:AssumeRole",
    		"Effect": "Allow",
    		"Principal": {
    			"Federated": [
    				"acs:ram::123456789012****:oidc-provider/TestOIDCProvider"
    			]
    		},
    		"Condition": {
    			"StringEquals": {
    				"oidc:aud": [
    					"496271242565057****"
    				],
    				"oidc:iss": "https://dev-xxxxxx.okta.com",
    				"oidc:sub": "KryrkIdjylZb7agUgCEf****"
    			}
    		}
    	}],
    	"Version": "1"
    }
    

Response parameters

Parameter Type Example Description
Role Object

The information of the RAM role.

AssumeRolePolicyDocument String { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }

The trust policy that specifies the trusted entity to assume the RAM role.

Description String ECS administrator

The description of the RAM role.

MaxSessionDuration Long 3600

The maximum session duration of the RAM role.

RoleName String ECSAdmin

The name of the RAM role.

CreateDate String 2015-01-23T12:33:18Z

The time when the RAM user was created.

RoleId String 901234567890****

The ID of the RAM role.

Arn String acs:ram::123456789012****:role/ECSAdmin

The Alibaba Cloud Resource Name (ARN) of the role.

RequestId String 04F0F334-1335-436C-A1D7-6C044FE73368

The ID of the request.

Examples

Sample requests

https://ram.aliyuncs.com/?Action=CreateRole
&RoleName=ECSAdmin
&AssumeRolePolicyDocument={"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"}
&Description=ECS administrator
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<?xml version="1.0" encoding="UTF-8" ?>
<CreateRoleResponse>
	<RequestId>04F0F334-1335-436C-A1D7-6C044FE73368</RequestId>
	<Role>
		<RoleId>901234567890****</RoleId>
		<RoleName>ECSAdmin</RoleName>
		<Arn>acs:ram::123456789012****:role/ECSAdmin</Arn>
		<Description>ECS administrator</Description>
		<MaxSessionDuration>3600</MaxSessionDuration>
		<AssumeRolePolicyDocument>{ &quot;Statement&quot;: [ { &quot;Action&quot;: &quot;sts:AssumeRole&quot;, &quot;Effect&quot;: &quot;Allow&quot;, &quot;Principal&quot;: { &quot;RAM&quot;: &quot;acs:ram::123456789012****:root&quot; } } ], &quot;Version&quot;: &quot;1&quot; }</AssumeRolePolicyDocument>
		<CreateDate>2015-01-23T12:33:18Z</CreateDate>
	</Role>
</CreateRoleResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "04F0F334-1335-436C-A1D7-6C044FE73368",
  "Role" : {
    "RoleId" : "901234567890****",
    "RoleName" : "ECSAdmin",
    "Arn" : "acs:ram::123456789012****:role/ECSAdmin",
    "Description": "ECS administrator",
    "MaxSessionDuration" : 3600,
    "AssumeRolePolicyDocument" : "{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012****:root\" } } ], \"Version\": \"1\" }",
    "CreateDate" : "2015-01-23T12:33:18Z"
  }
}

Error codes

For a list of error codes, visit the API Error Center.