Use the CreateRole operation to create a RAM role.
Operation description
Usage notes
For more information about RAM roles, see Overview.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
ram:CreateRole |
create |
*Role
|
|
None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
|
RoleName |
string |
No |
The name of the RAM role. The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), and hyphens (-). |
ECSAdmin |
|
Description |
string |
No |
The description of the RAM role. The description must be 1 to 1,024 characters in length. |
ECS administrator role |
|
AssumeRolePolicyDocument |
string |
No |
The trust policy that specifies one or more trusted entities allowed to assume the RAM role. Trusted entities can be Alibaba Cloud accounts, Alibaba Cloud services, or identity providers (IdPs). Note
RAM users cannot assume RAM roles whose trusted entity is an Alibaba Cloud service. |
{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"RAM":"acs:ram::123456789012****:root"}}],"Version":"1"} |
|
MaxSessionDuration |
integer |
No |
The maximum session duration of the RAM role. Valid values: 3600 to 43200. Unit: seconds. Default value: 3600. If this parameter is not specified or is left empty, the default value is used. |
3600 |
| Tag |
array<object> |
No |
The tags. |
|
|
object |
No |
The tags. |
||
|
Key |
string |
No |
The key of the tag. |
k1 |
|
Value |
string |
No |
The value of the tag. |
v1 |
Sample values for AssumeRolePolicyDocument
-
The following policy allows the RAM role to be assumed by all RAM users of the Alibaba Cloud account whose ID is
123456789012****.
{
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::123456789012****:root"
]
}
}],
"Version": "1"
}
-
The following policy allows the RAM role to be assumed by the RAM user named
testuserof the trusted Alibaba Cloud account whose ID is123456789012****.
Before you create the role, make sure that you have created a RAM user named testuser whose logon name is testuser@123456789012****.onaliyun.com.
{
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::123456789012****:user/testuser"
]
}
}],
"Version": "1"
}
-
The following policy allows the RAM role to be assumed by the Elastic Compute Service (ECS) service of the current Alibaba Cloud account.
{
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"ecs.aliyuncs.com"
]
}
}],
"Version": "1"
}
-
The following policy allows the RAM role to be assumed by the Security Assertion Markup Language (SAML) IdP named
testproviderof the current trusted Alibaba Cloud account whose ID is123456789012****.
Before you create the role, make sure that you have created a SAML IdP named testprovider.
{
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::123456789012****:saml-provider/testprovider"
]
},
"Condition": {
"StringEquals": {
"saml:recipient": "https://signin.aliyun.com/saml-role/sso"
}
}
}],
"Version": "1"
}
-
The following policy allows the RAM role to be assumed by the OpenID Connect (OIDC) IdP named
TestOIDCProviderof the current trusted Alibaba Cloud account whose ID is123456789012****.
Before you create the role, make sure that you have created an OIDC IdP named TestOIDCProvider.
{
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::123456789012****:oidc-provider/TestOIDCProvider"
]
},
"Condition": {
"StringEquals": {
"oidc:aud": [
"496271242565057****"
],
"oidc:iss": "https://dev-xxxxxx.okta.com",
"oidc:sub": "KryrkIdjylZb7agUgCEf****"
}
}
}],
"Version": "1"
}
Response elements
|
Element |
Type |
Description |
Example |
|
object |
Response |
||
| Role |
object |
Information about the RAM role. |
|
|
AssumeRolePolicyDocument |
string |
The trust policy of the RAM role. |
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" } |
|
Description |
string |
The description of the RAM role. |
ECS administrator role |
|
MaxSessionDuration |
integer |
The maximum session duration of the RAM role. |
3600 |
|
RoleName |
string |
The name of the RAM role. |
ECSAdmin |
|
CreateDate |
string |
The time when the RAM role was created. |
2015-01-23T12:33:18Z |
|
RoleId |
string |
The ID of the RAM role. |
901234567890**** |
|
Arn |
string |
The Alibaba Cloud Resource Name (ARN) of the RAM role. |
acs:ram::123456789012****:role/ECSAdmin |
|
RequestId |
string |
The request ID. |
04F0F334-1335-436C-A1D7-6C044FE73368 |
Examples
Success response
JSON format
{
"Role": {
"AssumeRolePolicyDocument": "{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012****:root\" } } ], \"Version\": \"1\" }",
"Description": "ECS administrator role",
"MaxSessionDuration": 3600,
"RoleName": "ECSAdmin",
"CreateDate": "2015-01-23T12:33:18Z",
"RoleId": "901234567890****",
"Arn": "acs:ram::123456789012****:role/ECSAdmin"
},
"RequestId": "04F0F334-1335-436C-A1D7-6C044FE73368"
}
Error response
JSON format
{
"RequestId": "04F0F334-1335-436C-A1D7-6C044FE73368",
"Role": {
"RoleId": "901234567890123",
"RoleName": "ECSAdmin",
"Arn": "acs:ram::1234567890123456:role/ECSAdmin",
"Description": "ECS administrator role",
"AssumeRolePolicyDocument": "{ \"Statement\": [ { \"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": { \"RAM\": \"acs:ram::123456789012345678:root\" } } ], \"Version\": \"1\" }",
"CreateDate": "2015-01-23T12:33:18Z"
}
}
Error codes
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.