You can grant permissions to a Resource Access Management (RAM) role that you created
for a trusted Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP).
This topic describes how to grant permissions to a RAM role.
Note: You cannot grant permissions to service-linked roles by attaching policies to the roles, because the policies that are attached to this type of role are defined by the linked cloud services. For more information, see Service-linked roles.
Limits
You can attach up to 20 system policies and 5 custom policies to a RAM role.
Method 1: Grant permissions to a RAM role by clicking Add Permissions on the Roles page
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM role.
  - Select the authorization scope.
    - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
    - Specific Resource Group: The authorization takes effect in a specific resource group.
    Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
  - Specify the principal.
    The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
  - Select policies.
    Note: You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK.
- Click Complete.
Method 2: Grant permissions to a RAM role by clicking Input and Attach on the Roles page
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, find the RAM role to which you want to grant permissions and click Input and Attach in the Actions column.
- In the Add Permissions panel, set Type to System Policy or Custom Policy and enter a policy name.
  Note: To view a policy name, choose in the left-side navigation pane.
- Click OK.
- Click Close.
Method 3: Grant permissions to a RAM role on the Grants page
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Grants page, click Grant Permission.
- On the Grant Permissions page, grant permissions to the RAM role.
  - Select the authorization scope.
    - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
    - Specific Resource Group: The authorization takes effect in a specific resource group.
    Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
  - Specify the principal.
    The principal is the RAM role to which permissions are granted.
  - Select policies.
    Note: You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK.
- Click Complete.
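When the same grants are scripted instead of clicked through, the per-role limits in the Limits section can be checked before any change is made. The following is an added example, not part of the original topic or Alibaba Cloud's own code: it assumes the role's current policies were fetched with the RAM ListPoliciesForRole operation and that the response has the shape shown in the constructed sample, and it only plans AttachPolicyToRole calls without sending them. The function name plan_attachments, the role name and the custom policy names are hypothetical.

```python
import json

# Per-role limits stated in the Limits section of this topic.
LIMITS = {"System": 20, "Custom": 5}

# Constructed sample, shaped like a ListPoliciesForRole response (assumed shape).
SAMPLE_RESPONSE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunOSSReadOnlyAccess", "PolicyType": "System"},
    {"PolicyName": "custom-1", "PolicyType": "Custom"},
    {"PolicyName": "custom-2", "PolicyType": "Custom"},
    {"PolicyName": "custom-3", "PolicyType": "Custom"},
    {"PolicyName": "custom-4", "PolicyType": "Custom"},
]}})

# Constructed request: (policy type, policy name) pairs to grant to the role.
REQUESTED = [
    ("Custom", "custom-5"),
    ("Custom", "custom-6"),
    ("System", "AliyunOSSReadOnlyAccess"),
    ("System", "AliyunECSReadOnlyAccess"),
    ("Inline", "x"),
]

def plan_attachments(role_name, list_response_json, requested):
    """Return (calls, rejected): AttachPolicyToRole parameter sets that fit
    within the limits, and the requests that must not be sent, with a reason."""
    current = json.loads(list_response_json)["Policies"]["Policy"]
    attached = {(p["PolicyType"], p["PolicyName"]) for p in current}
    counts = {t: sum(1 for pt, _ in attached if pt == t) for t in LIMITS}
    calls, rejected = [], []
    for ptype, pname in requested:
        if ptype not in LIMITS:
            rejected.append((ptype, pname, "unknown policy type"))
        elif (ptype, pname) in attached:
            rejected.append((ptype, pname, "already attached"))
        elif counts[ptype] >= LIMITS[ptype]:
            rejected.append((ptype, pname, "limit reached"))
        else:
            counts[ptype] += 1
            attached.add((ptype, pname))  # also catches duplicates in the request
            calls.append({"Action": "AttachPolicyToRole", "RoleName": role_name,
                          "PolicyType": ptype, "PolicyName": pname})
    return calls, rejected

if __name__ == "__main__":
    planned, refused = plan_attachments("demo-role", SAMPLE_RESPONSE, REQUESTED)
    print(json.dumps({"planned": planned, "refused": refused}, indent=2))
```

Reviewing the refused list before applying the plan shows which grants were skipped and why, rather than leaving a role partially configured.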