A RAM role is a virtual Resource Access Management (RAM) identity that you can create within your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after the RAM role is assumed by a trusted entity.

Terms

RAM role
  A virtual identity that you can create within your Alibaba Cloud account. RAM roles, entity users, and textbook roles differ as follows. Entity users include Alibaba Cloud accounts, RAM users, and Alibaba Cloud services.
    • Entity users have logon passwords or AccessKey pairs.
    • Textbook roles (or traditionally defined roles) indicate a set of permissions, which are similar to policies in RAM. If a user assumes a textbook role, the user obtains that set of permissions and can access the resources that the permissions cover.
    • RAM roles are identities to which policies are attached. However, RAM roles do not have logon passwords or AccessKey pairs. If an entity user assumes a RAM role, the entity user obtains the Security Token Service (STS) token of the role and uses it to access the authorized resources.
role ARN
  The Alibaba Cloud Resource Name (ARN) of a RAM role is the globally unique resource identifier of the RAM role. ARNs follow the ARN naming conventions of Alibaba Cloud. A role ARN is in the acs:ram::<account-id>:role/<role-name> format, where <role-name> is the name of the RAM role in lowercase. After you create a RAM role, you can click the role name to view the ARN in the Basic Information section.
trusted entity
  An entity user that can assume the role. When you create a role, you must specify a trusted entity, and only that trusted entity can assume the role. A trusted entity can be an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider (IdP).
policy
  One or more policies can be attached to a RAM role. RAM roles without policies can exist, but cannot access Alibaba Cloud resources.
role assuming
  The method by which entity users obtain Security Token Service (STS) tokens of RAM roles. An entity user calls the AssumeRole STS API operation to obtain the STS token of a RAM role, and then uses the STS token to call API operations of Alibaba Cloud services.
identity switching
  The method by which entity users switch from the logon identity to the role identity in the RAM console. After an entity user logs on to the RAM console, the entity user can switch to a RAM role that the entity user is allowed to assume, and then use the RAM role to manage Alibaba Cloud resources. When the entity user no longer needs the role identity, the entity user can switch back to the logon identity.
role token
  A temporary AccessKey pair for a RAM role. A RAM role does not have a specific logon password or AccessKey pair. To use a RAM role, an entity user must assume the RAM role to obtain a role token, and then use the role token to call API operations of Alibaba Cloud services.

Access Alibaba Cloud resources by using a RAM role

  1. The Alibaba Cloud account specifies a trusted entity that can assume the RAM role.
  2. The trusted entity logs on to the RAM console or calls an API operation to assume the RAM role and obtains a role token.
    • The trusted entity can switch the identity in the RAM console to assume the RAM role. For more information, see Assume a RAM role.
    • The trusted entity can also call the AssumeRole operation to assume the RAM role.
    Note: An entity user can obtain a role token by assuming a RAM role and then use the role token to access Alibaba Cloud resources.
  3. The Alibaba Cloud account attaches a policy to the RAM role. For more information, see Grant permissions to a RAM role.
    Note: One or more policies can be attached to each RAM role. RAM roles without policies can exist, but cannot access Alibaba Cloud resources.
  4. The trusted entity assumes the RAM role and uses the role token to access Alibaba Cloud resources.
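The following Python example ties the role ARN format from the Terms section to the AssumeRole step above: it validates a role ARN, builds the parameters of the STS AssumeRole operation, and keeps track of when the returned role token must be refreshed. It is added example code, not code from the Alibaba Cloud documentation or SDK. The parameter names RoleArn, RoleSessionName, DurationSeconds and Policy and the response fields under Credentials are the documented ones; the accepted duration range (900 to 43200 seconds), the character set of role names, and the sample response values are assumptions or constructed placeholders, as marked in the comments.

```python
"""Worked example: validate a RAM role ARN, build the STS AssumeRole request
parameters, and manage the temporary role token that comes back.
Added example code; it is not from the Alibaba Cloud documentation."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# ARN format given in the Terms section: acs:ram::<account-id>:role/<role-name>
# Assumption: the account ID is all digits and the (lowercase) role name uses
# only letters, digits, '.', '-' and '_'.
ROLE_ARN_RE = re.compile(r"^acs:ram::(?P<account_id>\d+):role/(?P<role_name>[a-z0-9._-]+)$")


def parse_role_arn(arn: str) -> dict:
    """Split a role ARN into account_id and role_name; reject anything else
    (for example a user ARN) so a wrong principal never reaches AssumeRole."""
    match = ROLE_ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not a RAM role ARN: {arn!r}")
    return match.groupdict()


def build_assume_role_params(role_arn: str, session_name: str,
                             duration_seconds: int = 3600,
                             session_policy: Optional[dict] = None) -> dict:
    """Request parameters of the STS AssumeRole operation.

    A session policy (the Policy parameter) can only narrow the permissions
    already attached to the role, never widen them, which makes it a cheap
    least-privilege control for each individual assumption.
    Assumption: the accepted duration range is 900 to 43200 seconds; the
    role's own maximum session duration may cap it lower.
    """
    parse_role_arn(role_arn)  # fail early on a malformed ARN
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds out of range")
    params = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,  # appears in audit logs, so make it meaningful
        "DurationSeconds": duration_seconds,
    }
    if session_policy is not None:
        params["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    return params


@dataclass
class RoleToken:
    """The temporary AccessKey pair plus security token of an assumed role."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    @classmethod
    def from_response(cls, body: dict) -> "RoleToken":
        creds = body["Credentials"]
        # Expiration is an ISO 8601 UTC timestamp, e.g. 2024-01-01T13:00:00Z
        expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        return cls(creds["AccessKeyId"], creds["AccessKeySecret"],
                   creds["SecurityToken"], expires.replace(tzinfo=timezone.utc))

    def needs_refresh(self, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
        """True once the token is within `margin` of expiry or already expired,
        so callers assume the role again instead of failing mid-request."""
        return now + margin >= self.expiration


# Constructed sample response; every value is a placeholder, not real data.
SAMPLE_RESPONSE = {
    "RequestId": "REQUEST-ID-PLACEHOLDER",
    "AssumedRoleUser": {
        "Arn": "acs:ram::1234567890123456:role/example-role/audit-session",
        "AssumedRoleId": "ASSUMED-ROLE-ID-PLACEHOLDER",
    },
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLE-KEY-ID",
        "AccessKeySecret": "EXAMPLE-SECRET-PLACEHOLDER",
        "SecurityToken": "EXAMPLE-TOKEN-PLACEHOLDER",
        "Expiration": "2024-01-01T13:00:00Z",
    },
}

if __name__ == "__main__":
    params = build_assume_role_params(
        "acs:ram::1234567890123456:role/example-role", "audit-session",
        session_policy={"Version": "1", "Statement": [
            {"Effect": "Allow", "Action": "oss:ListBuckets", "Resource": "*"}]})
    print(json.dumps(params, indent=2))
    token = RoleToken.from_response(SAMPLE_RESPONSE)
    print("refresh needed at 12:56Z:",
          token.needs_refresh(datetime(2024, 1, 1, 12, 56, tzinfo=timezone.utc)))
```

The refresh margin matters operationally: a token that expires while a long-running job is mid-way produces confusing authorization failures, so renew it a few minutes early rather than on expiry.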

RAM role types

RAM roles are classified into three types based on trusted entities.

Alibaba Cloud account
  RAM users within an Alibaba Cloud account can assume this type of RAM role. RAM users who assume this type of RAM role can belong to their parent Alibaba Cloud accounts or other Alibaba Cloud accounts. This type of RAM role is used for cross-account access and temporary authorization.
Alibaba Cloud service
  Alibaba Cloud services can assume this type of RAM role. This type of RAM role is used to authorize access across Alibaba Cloud services.
IdP
  Users of a trusted IdP can assume this type of RAM role. This type of RAM role is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP.
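Because the role type is decided by the trusted entity, a role's trust policy is the place to check which type you are looking at and, for the Alibaba Cloud account type, which other accounts can assume it. The following Python example does that review. It is added example code, not code from the Alibaba Cloud documentation. It assumes, as RAM trust policies are written in practice but not stated on this page, that the policy is a JSON document whose Allow statements cover an sts:AssumeRole* action and name the trusted entity under Principal as "RAM" (Alibaba Cloud account), "Service" (Alibaba Cloud service) or "Federated" (identity provider); the sample policy and account IDs are constructed placeholders.

```python
"""Worked example: read a RAM role's trust policy, report which of the three
role types it represents, and list the accounts it trusts.
Added example code; it is not from the Alibaba Cloud documentation.
Assumption: a trust policy is a JSON policy document whose Allow statements
cover an sts:AssumeRole* action and name the trusted entity in Principal as
"RAM" (Alibaba Cloud account), "Service" (Alibaba Cloud service) or
"Federated" (identity provider)."""
import json
import re
from typing import List, Set

PRINCIPAL_TO_ROLE_TYPE = {
    "RAM": "Alibaba Cloud account",
    "Service": "Alibaba Cloud service",
    "Federated": "IdP",
}

# Account ID is the third colon-separated field of any acs:ram:: ARN
ACCOUNT_ID_RE = re.compile(r"^acs:ram::(\d+):")


def _as_list(value) -> List:
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _assume_statements(policy_json: str) -> List[dict]:
    """Allow statements whose action permits assuming the role
    (sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithOIDC,
    or a wildcard that covers them)."""
    policy = json.loads(policy_json)
    matching = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "sts:*") or a.startswith("sts:AssumeRole") for a in actions):
            matching.append(stmt)
    return matching


def classify_trust_policy(policy_json: str) -> Set[str]:
    """Role types (per the table above) that the trust policy allows."""
    types = set()
    for stmt in _assume_statements(policy_json):
        for key in stmt.get("Principal", {}):
            if key in PRINCIPAL_TO_ROLE_TYPE:
                types.add(PRINCIPAL_TO_ROLE_TYPE[key])
    return types


def trusted_accounts(policy_json: str) -> Set[str]:
    """Account IDs named in RAM principals (acs:ram::<account-id>:...)."""
    accounts = set()
    for stmt in _assume_statements(policy_json):
        for principal in _as_list(stmt.get("Principal", {}).get("RAM")):
            match = ACCOUNT_ID_RE.match(principal)
            if match:
                accounts.add(match.group(1))
    return accounts


def foreign_trusted_accounts(policy_json: str, own_account_id: str) -> Set[str]:
    """Accounts other than your own that may assume the role: the set to
    review when auditing cross-account access."""
    return trusted_accounts(policy_json) - {own_account_id}


# Constructed sample trust policy; the account IDs are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::1234567890123456:root",
                               "acs:ram::6543210987654321:root"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["ecs.aliyuncs.com"]}},
    ],
})

if __name__ == "__main__":
    print("role types:", sorted(classify_trust_policy(SAMPLE_TRUST_POLICY)))
    print("foreign accounts:",
          sorted(foreign_trusted_accounts(SAMPLE_TRUST_POLICY, "1234567890123456")))
```

Running this across every role in an account gives a quick inventory of which roles other accounts or services can assume, which is the first question to answer when reviewing cross-account access.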