This topic describes how to create an instance RAM role, attach a policy to the RAM role, and then attach the RAM role to an Elastic Compute Service (ECS) instance by using the Resource Access Management (RAM) and ECS consoles.

Prerequisites

  • The RAM service is activated. For more information, see Activate RAM.
  • The ECS instance to which you want to attach a RAM role is located in a virtual private cloud (VPC).
  • A RAM user is already authorized to use the instance RAM role if you use the RAM user to perform the procedure described in this topic. For more information, see Authorize a RAM user to manage an instance RAM role.

Background information

  • An instance RAM role can be attached to a single instance at a time.
  • If you have attached an instance RAM role to an ECS instance and want to access the APIs of other Alibaba Cloud services from applications deployed on the instance, you must obtain a temporary authorization token for the instance RAM role by using the instance metadata. For more information, see Obtain a temporary authorization token.

Procedure

An Alibaba Cloud account is used in the following example to create an instance RAM role and attach the role to an ECS instance in the RAM console:
  1. Step 1: Create an instance RAM role
  2. Step 2: Attach a policy to the RAM role
  3. Step 3: Attach the RAM role to an ECS instance

Step 1: Create an instance RAM role

Perform the following operations to create an instance RAM role in the RAM console:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create Role panel, select Alibaba Cloud Service as the trusted entity and click Next.
    Select Alibaba Cloud Service to authorize ECS instances to access or manage your cloud resources. After you select Alibaba Cloud Service for the RAM role, you can attach the RAM role to ECS instances. Create a RAM role
    Note
    If you select Alibaba Cloud Account for a RAM role, you must click Edit Trust Policy on the Trust Policy Management tab to manually add the following permission policy for ECS after the RAM role is created:
    "Service": [
        "ecs.aliyuncs.com"
    ]
  5. Select Normal Service Role for the Role Type parameter.
  6. Specify the RAM Role Name and Note parameters.
  7. Select Elastic Compute Service as the trusted service.
  8. Click OK.
After the RAM role is created, check whether the RAM role include the following permission policy for ECS on the Trust Policy Management tab. ECS

Step 2: Attach a policy to the RAM role

Perform the following operations to attach a system or custom policy to the instance RAM role in the RAM console:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. (Optional) Create a custom policy if you do not want to use a system policy. For more information, see the "Create a custom policy" section in Control access to resources by using RAM users.
  3. In the left-side navigation pane, choose Identities > Roles.
  4. On the Roles page, find the RAM role to which you want to grant permissions and click Input and Attach in the Actions column.
  5. In the Add Permissions panel, set Type to System Policy or Custom Policy and enter a policy name.
    Note To view a policy name, choose Permissions > Policies in the left-side navigation pane.
  6. Click OK.
  7. Click Close.

Step 3: Attach the RAM role to an ECS instance

Perform the following operations to attach the instance RAM role to an ECS instance in the ECS console:

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Find the ECS instance to which you want to attach the RAM role and choose More > Instance Settings > Bind/Unbind RAM Role in the Actions column.
  5. In the Bind/Unbind RAM Role dialog box, select the RAM role in the RAM Role drop-down list and click OK.

Alternatively, you can select the created instance RAM role from the RAM Role drop-down list in the System Configurations (Optional) step when you create an ECS instance. For more information, see Create an instance by using the wizard.