Attach an instance RAM role to an ECS instance - Elastic Compute Service

Instance Resource Access Management (RAM) roles are a type of RAM role that Elastic Compute Service (ECS) instances can assume to take on specific permissions. ECS instances can use the temporary access credentials of instance RAM roles to access and securely communicate with specific Alibaba Cloud services, such as Object Storage Service (OSS) and ApsaraDB RDS. This topic describes how to configure and use an instance RAM role.

Prerequisites

The ECS instance to which you want to attach an instance RAM role resides in a virtual private cloud (VPC).
If you use a RAM user to perform the procedure that is described in this topic, the RAM user is granted the permissions to configure the instance RAM role. For more information, see Authorize a RAM user to manage an instance RAM role.

Create and attach an instance RAM role

Note

An ECS instance can have only one instance RAM role attached.

Use the consoles

Log on to the RAM console to create an instance RAM role and grant permissions to the role.
1. Create an instance RAM role.
  In the left-side navigation pane, choose Identities > Roles. Click Create Role. In the Create Role panel, set the following parameters to specific values and configure other parameters as prompted based on your business requirements:
  - Select Trusted Entity: Select Alibaba Cloud Service.
  - Role Type: Select Normal Service Role.
  - Select Trusted Service: Select Elastic Compute Service.
2. Grant permissions to the instance RAM role.
Attach the instance RAM role to an ECS instance.
1. Log on to the ECS console.
2. In the left-side navigation pane, choose Instances & Images > Instances.
3. In the upper-left corner of the top navigation bar, select a region.
4. Find the ECS instance that you want to manage and choose > Instance Settings > Attach/Detach RAM Role in the Actions column.
5. In the Attach/Detach RAM Role dialog box, select the instance RAM role that you created from the RAM Role drop-down list and click OK.

Call API operations

Create and configure an instance RAM role.

Call the CreateRole operation to create an instance RAM role.

Set the AssumeRolePolicyDocument parameter to the following policy:

{
     "Statement": [
     {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
         "Service": [
         "ecs.aliyuncs.com"
         ]
         }
     }
     ],
     "Version": "1"
 }

(Optional) Call the CreatePolicy operation to create a policy.

If you have a policy that can be attached to the RAM role, skip this step.

Set the PolicyDocument parameter to the following policy:

{
     "Statement": [
         {
         "Action": [
             "oss:Get*",
             "oss:List*"
         ],
         "Effect": "Allow",
         "Resource": "*"
         }
     ],
     "Version": "1"
 }

Call the AttachPolicyToRole operation to attach the policy to the instance RAM role.

Call the AttachInstanceRamRole operation to attach the instance RAM role to an ECS instance.

Detach or change an instance RAM role

Use the consoles

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the upper-left corner of the top navigation bar, select a region.
Find the ECS instance that you want to manage and choose > Instance Settings > Attach/Detach RAM Role in the Actions column.
- To detach the instance RAM role, set Action to Unbind and click OK.
- To change the instance RAM role, set Action to Bind, select a different role from the RAM Role drop-down list, and then click OK.

Call API operations

To detach an instance RAM role from an ECS instance, call the DettachInstanceRamRole operation.
To change the instance RAM role that is attached to an ECS instance, call the following operations:
1. Call the DettachInstanceRamRole operation to detach the instance RAM role from the instance.
2. Call the AttachInstanceRamRole operation to attach a different instance RAM role to the instance.