A RAM role that uses an Alibaba Cloud service as its trusted entity authorizes cross-service access. The trusted Alibaba Cloud service can assume this type of role.
Types of service roles
-
Service-linked role: You only select a trusted Alibaba Cloud service. The service provides a preset role name and permission policy. A service-linked role is typically created automatically when you take a specific action, such as creating a cloud resource or enabling a feature. You can also create it manually in the RAM console. For more information about service-linked roles, see Service-linked roles.
Create a standard service role
-
Log on to the RAM console as a RAM administrator.
-
In the left-side navigation pane, choose .
-
On the Roles page, click Create Role.
-
On the Create Role page, select Principal Type as the Cloud Service, select a specific Alibaba Cloud service, and then click OK.
NoteThe available services are listed in the Principal Name drop-down list in the console.
-
(Optional) If you need to trust access from another cloud account or from multiple Alibaba Cloud services, click Switch to Policy Editor to specify the services.
The editor has two modes: Visual Editor and Script Editor. The following example shows how to allow the ActionTrail service from another cloud account (ID: 177*******6878) to assume this RAM role and perform operations in your account.
-
Visual Editor
In the Principal section, specify the Alibaba Cloud service.
Set Principal Type to Alibaba Cloud Service. Then, click Edit next to the Alibaba Cloud Service field that appears to specify the service.
In the Add Principal dialog box, for Cloud Account, select Other Alibaba Cloud Account and enter the target cloud account ID. For Cloud Service, select the target service, such as ActionTrail actiontrail.aliyuncs.com, and then click OK.
-
Script Editor
Specify the Alibaba Cloud service in the
Servicefield ofPrincipal.{ "Version": "1", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "177*******6878@actiontrail.aliyuncs.com" }, "Action": "sts:AssumeRole" } ] }
-
-
In the Create Role dialog box, enter a Role Name, and then click OK.
By default, a newly created RAM role has no permissions. You must grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.
Create a service-linked role
-
Log on to the RAM console as a RAM administrator.
-
In the left-side navigation pane, choose .
-
On the Roles page, click Create Role.
-
In the upper-right corner of the Create Role page, click Create Service Linked Role.
-
On the Create Service Linked Role page, select a trusted service, and then click Create Service Linked Role.
For Trusted Service, select Tag. The preview information shows that the role name is
AliyunServiceRoleForTagand the permission policy name isAliyunServiceRolePolicyForTag.NoteThe available services are listed in the Select Service drop-down list in the console.
A service-linked role includes a preset role name and permission policy, so it can be used immediately. The corresponding cloud service defines the permission policy.