All Products
Search
Document Center

Resource Access Management:Create a RAM role for an Alibaba Cloud service

Last Updated:Jul 03, 2026

A RAM role that uses an Alibaba Cloud service as its trusted entity authorizes cross-service access. The trusted Alibaba Cloud service can assume this type of role.

Types of service roles

  • Standard service role: Specify a custom role name, select a trusted Alibaba Cloud service, and attach a custom permission policy.

  • Service-linked role: You only select a trusted Alibaba Cloud service. The service provides a preset role name and permission policy. A service-linked role is typically created automatically when you take a specific action, such as creating a cloud resource or enabling a feature. You can also create it manually in the RAM console. For more information about service-linked roles, see Service-linked roles.

Create a standard service role

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Principal Type as the Cloud Service, select a specific Alibaba Cloud service, and then click OK.

    Note

    The available services are listed in the Principal Name drop-down list in the console.

  5. (Optional) If you need to trust access from another cloud account or from multiple Alibaba Cloud services, click Switch to Policy Editor to specify the services.

    The editor has two modes: Visual Editor and Script Editor. The following example shows how to allow the ActionTrail service from another cloud account (ID: 177*******6878) to assume this RAM role and perform operations in your account.

    • Visual Editor

      In the Principal section, specify the Alibaba Cloud service.

      Set Principal Type to Alibaba Cloud Service. Then, click Edit next to the Alibaba Cloud Service field that appears to specify the service.

      In the Add Principal dialog box, for Cloud Account, select Other Alibaba Cloud Account and enter the target cloud account ID. For Cloud Service, select the target service, such as ActionTrail actiontrail.aliyuncs.com, and then click OK.

    • Script Editor

      Specify the Alibaba Cloud service in the Service field of Principal.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "177*******6878@actiontrail.aliyuncs.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  6. In the Create Role dialog box, enter a Role Name, and then click OK.

By default, a newly created RAM role has no permissions. You must grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.

Create a service-linked role

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Create Service Linked Role.

  5. On the Create Service Linked Role page, select a trusted service, and then click Create Service Linked Role.

    For Trusted Service, select Tag. The preview information shows that the role name is AliyunServiceRoleForTag and the permission policy name is AliyunServiceRolePolicyForTag.

    Note

    The available services are listed in the Select Service drop-down list in the console.

A service-linked role includes a preset role name and permission policy, so it can be used immediately. The corresponding cloud service defines the permission policy.