Instance Resource Access Management (RAM) roles are a type of RAM role that Elastic Compute Service (ECS) instances can assume to take on specific permissions. ECS instances can use the temporary access credentials of instance RAM roles to access and securely communicate with specific Alibaba Cloud services, such as Object Storage Service (OSS) and ApsaraDB RDS. This topic describes how to configure and use an instance RAM role.
Prerequisites
The ECS instance to which you want to attach an instance RAM role resides in a virtual private cloud (VPC).
If you use a RAM user to perform the procedure that is described in this topic, the RAM user is granted the permissions to configure the instance RAM role. For more information, see Authorize a RAM user to manage an instance RAM role.
Create and attach an instance RAM role
An ECS instance can have only one instance RAM role attached.
Use the consoles
Log on to the RAM console to create an instance RAM role and grant permissions to the role.
In the left-side navigation pane, choose Identities > Roles. Click Create Role. In the Create Role panel, set the following parameters to specific values and configure other parameters as prompted based on your business requirements:
Select Trusted Entity: Select Alibaba Cloud Service.
Role Type: Select Normal Service Role.
Select Trusted Service: Select Elastic Compute Service.
Attach the instance RAM role to an ECS instance.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
Find the ECS instance that you want to manage and choose
in the Actions column.
In the Attach/Detach RAM Role dialog box, select the instance RAM role that you created from the RAM Role drop-down list and click OK.
Call API operations
Create and configure an instance RAM role.
Call the CreateRole operation to create an instance RAM role.
Set the AssumeRolePolicyDocument parameter to the following policy:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
(Optional) Call the CreatePolicy operation to create a policy.
If you have a policy that can be attached to the RAM role, skip this step.
Set the PolicyDocument parameter to the following policy:
{
  "Statement": [
    {
      "Action": [
        "oss:Get*",
        "oss:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Call the AttachPolicyToRole operation to attach the policy to the instance RAM role.
Call the AttachInstanceRamRole operation to attach the instance RAM role to an ECS instance.
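Before calling CreateRole and CreatePolicy, it is worth checking the two policy documents above for the properties that keep an instance RAM role least-privileged: the trust policy must let only the ECS service assume the role, and the permission policy must not grant a whole service or write actions. The following Python checker is an added example, not Alibaba Cloud code; the set of "read-only" verbs it uses is an assumption for this example.

```python
import json

# Policy documents from the procedure above (identical content, pretty-printed).
TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": ["ecs.aliyuncs.com"]}}],
    "Version": "1"})
OSS_READ_POLICY = json.dumps({
    "Statement": [{"Action": ["oss:Get*", "oss:List*"], "Effect": "Allow",
                   "Resource": "*"}],
    "Version": "1"})

# Verbs treated as read-only by the permission check (an assumption of this example, not a RAM rule).
READ_ONLY_VERBS = ("Get", "List", "Describe", "Head")

def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(document, allowed_services=("ecs.aliyuncs.com",)):
    """Findings for an AssumeRolePolicyDocument: the trust policy decides who can obtain
    the role's temporary credentials, so only the ECS service should be allowed."""
    findings = []
    for stmt in json.loads(document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"allows non-AssumeRole action {action!r}")
        principal = stmt.get("Principal", {})
        # Any principal type other than Service (e.g. a RAM user) widens who can assume the role.
        findings += [f"trusts a non-service principal of type {k!r}" for k in principal if k != "Service"]
        for svc in _as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                findings.append(f"trusts unexpected service {svc!r}")
    return findings

def check_permission_policy(document):
    """Findings for a PolicyDocument: flag Allow statements granting every action
    ('*' or 'service:*') or any action whose verb is not read-only."""
    findings = []
    for stmt in json.loads(document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"grants all actions via {action!r}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"grants non-read-only action {action!r}")
    return findings
```

Both documents from this topic pass with no findings; a trust policy that adds a RAM principal, or a permission policy with "oss:*", is reported.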
Detach or change an instance RAM role
Use the consoles
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
Find the ECS instance that you want to manage and choose
in the Actions column.
To detach the instance RAM role, set Action to Unbind and click OK.
To change the instance RAM role, set Action to Bind, select a different role from the RAM Role drop-down list, and then click OK.
Call API operations
To detach an instance RAM role from an ECS instance, call the DetachInstanceRamRole operation.
To change the instance RAM role that is attached to an ECS instance, call the following operations:
Call the DetachInstanceRamRole operation to detach the instance RAM role from the instance.
Call the AttachInstanceRamRole operation to attach a different instance RAM role to the instance.