If services that run on the gateway of an edge instance, such as Function Compute and Cloud Monitor, need to access other Alibaba Cloud resources, for example, to call an Object Storage Service (OSS) API operation, the edge instance can obtain access to those resources by using a specific RAM role.

For information about RAM roles and how to create and authorize RAM roles, see RAM role overview and Policy models.

Prerequisites

An edge instance is created. For more information, see Set up environments.

Procedure

  1. Log on to the Link IoT Edge console.
  2. In the left-side navigation pane, click Edge Instances. On the Edge Instances page, find the edge instance to which you want to assign a RAM role, and click View in the Actions column.
  3. On the Instance Details page, click the Configurations tab. On the Configurations tab, perform the following steps to assign a RAM role to the edge instance:
    • Assign an existing RAM role
      1. Click Assign Existing Role. In the Assign Existing Role dialog box, select a RAM role from the Role drop-down list. After you assign the RAM role, the permissions of the RAM role are granted to the edge instance.

        To change the permissions of the RAM role in the RAM console, click RAM Console. For more information about how to change the permissions, see Policy overview.

      2. Click OK to assign the RAM role to the edge instance.
    • Create a RAM role and grant permissions
      1. Click Add Role & Permission. In the Add Role & Permission dialog box, enter a RAM role name and select one or more permissions for the edge instance.
        Table 1. Parameter description
        Parameter        | Description
        Role Name        | The name of the RAM role. The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).
        Role Permissions | The permissions of the RAM role. You can select multiple permissions that are required by the edge instance to access other Alibaba Cloud resources.
        Note
        • When you move the pointer over the question mark (?), a message that lists several commonly used permissions appears. In the message, you can click Add to add these permissions.
        • If you want to remove a permission, you can click the cross sign (X) next to the permission.
      2. Click OK to go to the RAM console.
      3. In the RAM console, confirm the settings, and click OK to create the RAM role for the edge instance.
      4. Go back to the Link IoT Edge console. On the Configurations tab of the Instance Details page, you can view the created RAM role and the permissions that are granted to the RAM role.
  4. Optional. If you want to access other Alibaba Cloud resources when you use Link IoT Edge, you can grant more permissions to an assigned RAM role.
    1. Find the assigned RAM role, click Edit in the Actions column, and then change the RAM role or the permissions.
      Table 2. Parameter description
      Parameter        | Description
      Role             | The name of the role. You can change the selected RAM role.
      Role Permissions | The permissions that are granted to the role. You can add or remove the permissions for the selected RAM role.
      • To change the permissions of a RAM role in the RAM console, click RAM Console. For more information about how to change the permissions, see Policy models.
      • If you want to remove a permission, you can click the cross sign (X) next to the permission.
    2. In the Edit Role and Permission dialog box, click OK to save the changes.
  5. After you assign a RAM role to the edge instance, click Deploy in the upper-right corner of the Instance Details page. In the message that appears, click OK to deploy the edge instance.