You can bind an instance RAM role to an ECS instance. Applications deployed on the ECS instance can then access the APIs of other Alibaba Cloud services based on a Security Token Service (STS) temporary credential. This ensures the security of your AccessKey pair and helps you implement fine-grained permission control and management by using RAM.


Applications deployed on ECS instances can access the APIs of other Alibaba Cloud services such as Object Storage Service (OSS), Virtual Private Cloud (VPC), and ApsaraDB RDS by using an AccessKey pair of an Alibaba Cloud account or a RAM user. The AccessKey pair is configured in an ECS instance, such as writing the AccessKey pair to the configuration file, for easy management and quick calls. However, this method may cause problems such as information leaks and complex maintenance. It may also cause more permissions than necessary to be granted. Instance RAM roles can be used to avoid the preceding problems. For example, you can use an STS temporary credential to access other Alibaba Cloud services.

Instance RAM roles enable ECS instances to assume roles with certain access permissions. For more information about the roles, see RAM role overview.


You can use instance RAM roles to perform the following operations:
  • Bind a role to an ECS instance.
  • Access other Alibaba Cloud services by using an STS temporary credential.
  • Grant roles with different authorization policies to different instances so that these instances can have different access permissions on different cloud resources. This allows you to implement fine-grained access control.
  • Modify permissions by changing the authorization policy of a role rather than manually changing the AccessKey pair. This allows you to efficiently manage access permissions of an ECS instance.


You are not billed for binding an instance RAM role.


Instance RAM roles have the following limits:
  • The ECS instance must be a VPC-type instance.
  • Only one RAM role can be bound to an ECS instance at a time.