All Products
Search
Document Center

Elastic GPU Service:Use RAM to implement access control for Elastic GPU Service

Last Updated:Jun 08, 2026

By default, Alibaba Cloud accounts have full access to all resources. To limit exposure, use Resource Access Management (RAM) identities—RAM users and RAM roles—and attach policies to control exactly which Elastic GPU Service resources each identity can access.

Elastic GPU Service shares the same access control mechanisms as Elastic Compute Service (ECS): identities, policies, and service-linked roles. The sections below describe each mechanism.

  • Identities

    RAM users and RAM roles are the two identity types you can grant permissions to. RAM users are long-term identities tied to a person or application. RAM roles are temporary identities assumed by services, applications, or other Alibaba Cloud accounts—useful for cross-account access or service-to-service authorization. Grant each identity only the permissions it needs. For more information, see Identities.

  • Policies

    Two types of identity-based policies are supported: system policies and custom policies. Attach a policy to a RAM identity to grant the permissions defined in that policy.

    • System policy: Predefined policies created and maintained by Alibaba Cloud. Use system policies to get started quickly with common permission sets—you can attach them but cannot modify them. For more information, see System policies for ECS.

    • Custom policy: Policies you create, update, and delete based on your requirements. Use custom policies when system policies grant more permissions than needed—custom policies let you define permission boundaries precisely. For more information, see Custom policies for ECS.

  • Service-linked roles

    A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service. Elastic GPU Service uses service-linked roles to access other cloud services or resources. For more information, see Service-linked roles.

  • RAM role-based access to KMS keys

    To use Key Management Service (KMS) keys to encrypt ECS resources—such as disks, snapshots, or images—use a RAM role to authorize ECS to access KMS keys. To share encrypted snapshots or images with other Alibaba Cloud accounts, first grant those accounts permission to access the KMS keys. For more information, see Grant access to KMS keys through RAM roles.