If you want to attach, replace, or detach an instance RAM role by using a RAM user, you must use the Alibaba Cloud account to authorize the RAM user to manage the instance RAM role. The procedure described in this topic can be used only when you use an Alibaba Cloud account.

Background information

When you authorize a RAM user to use an instance RAM role, you must grant the RAM user the PassRole permission on the instance RAM role. If the RAM user does not have the PassRole permission, the RAM user cannot exercise the permissions specified in role policies.


  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. In the Select Policy section, click Create Policy.
    4. On the Create Policy page, click the JSON tab to create a custom policy.
      The following code describes the custom policy. [ECS RAM Action] indicates the permissions that can be granted to the RAM user. For more information, see Authentication rules.
          "Version": "1",
          "Statement": [
                  "Effect": "Allow",
                  "Action": [
                      "ecs: [ECS RAM Action]",
                      "ecs: CreateInstance",
                      "ecs: AttachInstanceRamRole",
                      "ecs: DetachInstanceRAMRole"
                  "Resource": "*"
                  "Effect": "Allow",
                  "Action": "ram:PassRole",
                  "Resource": "*"
  5. Go back to the Add Permissions panel and click Custom Policy in the Select Policy section.
  6. In the Authorization Policy Name column, click the names of policies to be attached to the RAM user.
    Note In the Selected section on the right, you can click the cross sign (×) next to a RAM policy to remove the RAM policy.
  7. Click OK.
  8. Click Complete.