Resource Access Management: Create a RAM role for a trusted identity provider

Last Updated: Dec 18, 2025

A Resource Access Management (RAM) role whose trusted entity is an identity provider (IdP) enables role-based single sign-on (SSO) between your enterprise IdP and Alibaba Cloud. Only users who authenticate with that trusted IdP can assume the role, and only when the SAML assertion or OIDC token they present satisfies the conditions in the role's trust policy.

Create a RAM role for a SAML IdP

To implement role-based SSO using Security Assertion Markup Language (SAML) 2.0, you must create a RAM role for a SAML IdP.

Prerequisites

A SAML IdP has been created. For more information, see Manage SAML IdPs.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Switch to Policy Editor.

  5. Specify a SAML IdP in the editor.

    The editor supports a visual editor and a script editor (JSON).

    • Visual editor

      In the Principal section, specify a SAML IdP.

    • Script editor

      In the Principal element, set the Federated field to the ARN of the SAML IdP, and add a Condition element that pins the assertion recipient to the Alibaba Cloud SSO endpoint.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "acs:ram::100*******0719:saml-provider/Azure-AD"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "saml:recipient": [
                  "https://signin.alibabacloud.com/saml-role/sso"
                ]
              }
            }
          }
        ]
      }
  6. Set conditions in the editor.

    The following condition keys are supported for SAML IdPs.

    saml:recipient
      Description: The recipient of the SAML assertion. Alibaba Cloud compares this value with its own SSO endpoint to confirm that the assertion is intended for it, so an assertion addressed to a different recipient cannot be used to assume the role.
      Required: Yes
      Example: Fixed value: https://signin.alibabacloud.com/saml-role/sso

  7. In the Create Role dialog box, enter a Role Name and click OK.

Create a RAM role for an OIDC IdP

To implement role-based SSO using OpenID Connect (OIDC), you must create a RAM role for an OIDC IdP.

Prerequisites

An OIDC IdP has been created. For more information, see Create an OIDC IdP.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Switch to Policy Editor.

  5. Specify an OIDC IdP in the editor.

    The editor supports a visual editor and a script editor (JSON).

    • Visual editor

      In the Principal section, specify an OIDC IdP.

    • Script editor

      In the Principal element, set the Federated field to the ARN of the OIDC IdP, and add a Condition element that pins the token issuer and audience (and optionally the subject).

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "acs:ram::100*******0719:oidc-provider/xiyun****"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "oidc:iss": [
                  "https://dev-xxxxxx.okta.com"
                ],
                "oidc:aud": [
                  "0oa294vi1vJoClev****"
                ]
              }
            }
          }
        ]
      }
  6. Set conditions in the editor.

    The following condition keys are supported for OIDC IdPs.

    oidc:iss
      Description: The issuer. The iss field of the OIDC token used to assume the role must satisfy this condition. Only the StringEquals operator is supported, and the value must be the issuer URL that you specified for the OIDC IdP, so only tokens issued by that IdP can assume the role.
      Required: Yes
      Example: https://dev-xxxxxx.okta.com

    oidc:aud
      Description: The audience. The aud field of the OIDC token used to assume the role must satisfy this condition. Only the StringEquals operator is supported, and the value is one or more of the client IDs that you configured for the OIDC IdP, so only tokens issued for those client IDs can assume the role.
      Required: Yes
      Example: 0oa294vi1vJoClev****

    oidc:sub
      Description: The subject. The sub field of the OIDC token used to assume the role must satisfy this condition. Any String condition operator can be used, and up to 10 values can be specified. This key narrows the role to specific identities at the IdP; if you omit it, any token that the IdP issues for the configured client IDs satisfies the policy.
      Required: No
      Example: 00u294e3mzNXt4Hi****

  7. In the Create Role dialog box, enter a Role Name and click OK.
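The following Python script is an added example, not Alibaba Cloud code, that serves both the SAML and the OIDC procedures above: it evaluates trust policies shaped like the two JSON documents on this page against the claims a caller presents, so you can check locally which assertions or tokens a given Condition block admits before saving the role. It assumes the usual RAM condition semantics (values under one key are OR-ed, separate keys and operators are AND-ed, and StringLike treats `*` as a wildcard); the account ID, provider names, issuer URL, client ID and token payloads are constructed placeholders. The authoritative check is still performed by Alibaba Cloud STS when the token is exchanged for role credentials.

```python
import copy
import re

SAML_SSO_RECIPIENT = "https://signin.alibabacloud.com/saml-role/sso"

# Constructed trust policies in the shape shown on this page. The account ID,
# provider names, issuer URL and client ID are placeholders, not real values.
SAML_PRINCIPAL = "acs:ram::123456789012:saml-provider/Azure-AD"
OIDC_PRINCIPAL = "acs:ram::123456789012:oidc-provider/okta-dev"

SAML_TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"saml:recipient": [SAML_SSO_RECIPIENT]}},
    }],
}

OIDC_TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "oidc:iss": ["https://dev-000000.okta.com"],
                "oidc:aud": ["0oa294vi1vJoClevEXAMPLE"],
            },
            # Optional subject restriction using StringLike with a '*' wildcard.
            "StringLike": {"oidc:sub": ["00u*"]},
        },
    }],
}

# The same policy with the optional oidc:sub condition dropped, to show what it buys.
OIDC_TRUST_POLICY_NO_SUB = copy.deepcopy(OIDC_TRUST_POLICY)
del OIDC_TRUST_POLICY_NO_SUB["Statement"][0]["Condition"]["StringLike"]


def _like(pattern, value):
    """StringLike match: '*' matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _values_match(operator, wanted, actual):
    """Check the claim values `actual` against the policy values `wanted`.

    Assumed semantics: values under one key are OR-ed (any match suffices);
    the Not* operators require that no value matches.
    """
    if operator == "StringEquals":
        return any(a in wanted for a in actual)
    if operator == "StringEqualsIgnoreCase":
        lowered = {w.lower() for w in wanted}
        return any(a.lower() in lowered for a in actual)
    if operator == "StringLike":
        return any(_like(w, a) for a in actual for w in wanted)
    if operator == "StringNotEquals":
        return all(a not in wanted for a in actual)
    if operator == "StringNotLike":
        return all(not _like(w, a) for a in actual for w in wanted)
    raise ValueError(f"unsupported condition operator: {operator}")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_allows(statement, federated_principal, claims):
    """Evaluate one statement: principal, action and every condition key must match."""
    if statement.get("Effect") != "Allow":
        return False
    if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
        return False
    if statement.get("Principal", {}).get("Federated") != federated_principal:
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, wanted in keys.items():
            # A key absent from the token yields an empty list: positive operators
            # then fail closed, Not* operators pass (nothing to exclude).
            if not _values_match(operator, _as_list(wanted), _as_list(claims.get(key, []))):
                return False
    return True


def trust_policy_allows(policy, federated_principal, claims):
    """True if any statement in the trust policy allows this caller to assume the role."""
    return any(statement_allows(s, federated_principal, claims)
               for s in policy.get("Statement", []))


def claims_from_id_token(payload):
    """Map a decoded OIDC ID-token payload to the condition keys listed on this page.

    A JWT 'aud' claim may be a string or an array; both are normalised to a list so
    a token whose audience array contains the configured client ID satisfies oidc:aud.
    """
    return {
        "oidc:iss": _as_list(payload.get("iss", [])),
        "oidc:aud": _as_list(payload.get("aud", [])),
        "oidc:sub": _as_list(payload.get("sub", [])),
    }


# Constructed token payload; signature verification is assumed to have happened
# upstream, only the claims matter for the trust-policy check.
GOOD_TOKEN = {"iss": "https://dev-000000.okta.com",
              "aud": "0oa294vi1vJoClevEXAMPLE", "sub": "00u294e3mzNXt4HiEXAMPLE"}
```

Run `trust_policy_allows(OIDC_TRUST_POLICY, OIDC_PRINCIPAL, claims_from_id_token(token))` with variations of `GOOD_TOKEN`: a different `iss` or `aud`, a missing `aud`, or a different provider ARN in the principal all evaluate to False; a `sub` that does not match `00u*` is rejected by `OIDC_TRUST_POLICY` but accepted by `OIDC_TRUST_POLICY_NO_SUB`, which is the practical difference the optional oidc:sub key makes. For SAML, pass `{"saml:recipient": ...}` as the claims; only the fixed Alibaba Cloud SSO endpoint satisfies `SAML_TRUST_POLICY`.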

What to do next

A newly created RAM role has no permissions by default. You must grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.