A Resource Access Management (RAM) role is a virtual identity to which policies can be attached. A RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a RAM role is assumed by a trusted entity, the trusted entity can obtain a Security Token Service (STS) token and use the STS token to access Alibaba Cloud resources as the RAM role.
RAM role types
RAM roles are classified into the following types based on trusted entities:
RAM role whose trusted entity is an Alibaba Cloud account: RAM users within an Alibaba Cloud account can assume this type of RAM role. The RAM users that assume this type of RAM role can belong to the Alibaba Cloud account that owns the RAM role or to other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
RAM role whose trusted entity is an Alibaba Cloud service: Alibaba Cloud services can assume this type of RAM role. RAM roles that a trusted Alibaba Cloud service can assume are classified into two types: normal service role and service-linked role. For more information about service-linked roles, see service-linked roles. This type of RAM role is used to authorize access across Alibaba Cloud services.
RAM role whose trusted entity is an identity provider (IdP): Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP.
Step 1: Create a RAM role
The methods that you can use to create a RAM role vary based on the type of the RAM role. The following example describes how to create a RAM role whose trusted entity is an Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted Alibaba Cloud service, and Create a RAM role for a trusted IdP.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, set the Principal Type parameter to Cloud Account, specify an Alibaba Cloud account, and then click OK.
Current Account: If you want a RAM user or RAM role that belongs to your Alibaba Cloud account to assume the RAM role, select Current Account.
Other Account: If you want a RAM user or RAM role that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts. You can view the ID of your Alibaba Cloud account on the Security Settings page.
Optional. If you want the RAM role to be assumed only by a specific RAM user or RAM role that belongs to the trusted Alibaba Cloud account, click Switch to Policy Editor and modify the trust policy of the RAM role in the editor.
The editor supports the Visual editor and JSON modes. In the following example, only the RAM user Alice within the Alibaba Cloud account whose ID is 100******0719 can assume the RAM role.
Visual editor: Specify a RAM user for the Principal element.
JSON: Specify a RAM user for the RAM field of the Principal parameter.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "RAM": "acs:ram::100******0719:user/Alice"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
In the Create Role dialog box, configure the Role Name parameter and click OK.
Step 2: (Optional) Create a custom policy
RAM provides system policies and custom policies. System policies are provided by Alibaba Cloud and cannot be modified. If system policies cannot meet your business requirements, you can create a custom policy to implement fine-grained access control.
You can create a custom policy by using different methods. In this example, a custom policy is created on the Visual editor tab. For more information, see Create a custom policy.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Visual editor tab.
Configure a policy.
For more information, see Policy elements.
In the Effect section, select Allow or Deny.
In the Service section, select an Alibaba Cloud service.
Note: The Alibaba Cloud services that you can select are displayed in the Service section.
In the Action section, select All action(s) or Select action(s).
The system displays the actions that can be configured based on the Alibaba Cloud service you select in the previous step. If you select Select action(s), you must select actions.
In the Resource section, select All resource(s) or Specified resource(s).
The system displays the resources that can be configured based on the actions you select in the previous step. If you select Specified resource(s), you must click Add resource to configure one or more Alibaba Cloud Resource Names (ARNs) of resources. You can also click Match all to select all resources for each action that you select.
Note: The resource ARNs that are required for an action are tagged with Required. We strongly recommend that you configure the resource ARNs that are tagged with Required. This ensures that the custom policy takes effect as expected.
In the Condition section, click Add condition to configure a condition.
Conditions include Alibaba Cloud common conditions and service-specific conditions. The system displays the conditions that can be configured based on the Alibaba Cloud service and the actions that you select. You only need to select a condition key and configure the Operator and Value parameters.
Click Add statement and repeat the preceding steps to configure multiple custom policy statements.
Click Optional advanced optimize in the upper part. In the Optional advanced optimize message, click Perform to optimize the policy.
The system performs the following operations during the advanced optimization:
Split resources or conditions that are incompatible with actions.
Narrow down resources.
Deduplicate or merge policy statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, configure the Name and Description parameters and click OK.
Step 3: Grant permissions to the RAM role
When you grant permissions to a RAM role, we recommend that you grant only the required permissions to the RAM role based on the principle of least privilege.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.
You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.
In the Grant Permission panel, grant permissions to the RAM role.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Configure the Principal parameter.
The principal is the RAM role to which you want to grant permissions. The current RAM role is automatically selected.
Configure the Policy parameter.
A policy is a set of access permissions. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
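The trust policy from Step 1 and the least-privilege guidance from Step 3 can be checked before a role is put into use. The following Python is an added example, not Alibaba Cloud's own code or SDK: it verifies that a trust policy only lets specific RAM users call sts:AssumeRole and flags Allow statements that use a bare "*" for Action or Resource. The account ID is constructed, and the account-wide ":root" principal form is an assumption.

```python
import json

# Constructed trust policy in the shape shown in Step 1 (account ID made up).
TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"RAM": "acs:ram::123456789012345:user/Alice"},
        "Action": "sts:AssumeRole",
    }],
})

def _as_list(value):
    """Policy elements may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_principals(policy_json):
    """Return the RAM principals that an Allow statement lets call sts:AssumeRole."""
    principals = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals.extend(_as_list(stmt.get("Principal", {}).get("RAM", [])))
    return principals

def is_trust_narrowed_to_users(policy_json):
    """True when every allowed principal is a specific RAM user: not "*" and
    not an account-wide ":root" principal (assumed form for a whole account)."""
    principals = trust_policy_principals(policy_json)
    return bool(principals) and all(
        p != "*" and ":user/" in p and not p.endswith(":root") for p in principals
    )

def wildcard_findings(policy_json):
    """Return (statement index, element) pairs where an Allow statement uses
    '*' for Action or Resource, which a least-privilege review should question."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])):
            findings.append((i, "Action"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource"))
    return findings
```

Run the checks against the JSON shown in the policy editor before clicking OK; a trust policy that fails is_trust_narrowed_to_users is the "whole account" case the Optional step in Step 1 exists to avoid.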
Step 4: Assume the RAM role to access Alibaba Cloud by using a trusted entity
Obtain an STS token for the RAM role in the Alibaba Cloud Management Console or by calling an operation. For more information, see the following topics:
Assume the RAM role to access specific Alibaba Cloud resources.