This topic describes how to create an instance RAM role, attach a policy to the RAM role, and then attach the RAM role to an Elastic Compute Service (ECS) instance by using the Resource Access Management (RAM) and ECS consoles.

Prerequisites

  • The ECS instance to which you want to attach a RAM role is located in a virtual private cloud (VPC).
  • If you perform the procedure described in this topic as a RAM user, the RAM user is already authorized to use the instance RAM role. For more information, see Authorize a RAM user to manage an instance RAM role.

Background information

If you have attached an instance RAM role to an ECS instance and want to access the APIs of other Alibaba Cloud services from applications that are deployed on the instance, you must obtain a temporary authorization token for the instance RAM role by using the instance metadata. For more information, see Use an instance RAM role by calling API operations.

Procedure

An Alibaba Cloud account is used in the following example to create an instance RAM role in the RAM console and attach the role to an ECS instance in the ECS console:
  1. Step 1: Create an instance RAM role
  2. Step 2: Attach a policy to the instance RAM role
  3. Step 3: Attach the instance RAM role to an ECS instance

Step 1: Create an instance RAM role

Perform the following operations to create an instance RAM role in the RAM console:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, select Alibaba Cloud Service as the trusted entity and click Next.
    Select Alibaba Cloud Service to authorize ECS instances to access or manage your cloud resources. A RAM role whose trusted entity is Alibaba Cloud Service can be attached to ECS instances.
    Note
    If you select Alibaba Cloud Account as the trusted entity instead, ECS is not trusted by default. After the RAM role is created, click Edit Trust Policy on the Trust Policy Management tab and manually add the following Service entry to the trust policy so that ECS can assume the role:
    "Service": [
        "ecs.aliyuncs.com"
    ]
  5. Select Normal Service Role for the Role Type parameter.
  6. Specify the RAM Role Name and Note parameters.
  7. Select Elastic Compute Service as the trusted service.
  8. Click OK.
  9. Click Close.
After the RAM role is created, click the name of the RAM role to go to the role details page. Click the Trust Policy Management tab and confirm that the trust policy lists ecs.aliyuncs.com under Service. This entry is what allows ECS to assume the role.
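As an added check for the trust policy described above (example code, not part of the Alibaba Cloud documentation): the script below parses a role's trust policy document, reports whether it lets ecs.aliyuncs.com call sts:AssumeRole, and applies the manual fix from the Note to a role that was created with Alibaba Cloud Account as the trusted entity. The full document layout (Version, Statement, Effect, Action, Principal) and the sample account ID are assumptions; the page itself only shows the Service entry.

```python
import json

# Service principal that ECS uses to assume an instance RAM role (from the Note above).
ECS_SERVICE = "ecs.aliyuncs.com"


def _as_list(value):
    """Policy fields may hold one value as a string or several values as a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def trusts_ecs(trust_policy_json: str) -> bool:
    """True if some Allow statement lets ecs.aliyuncs.com call sts:AssumeRole.
    Assumed layout: {"Version", "Statement": [{"Effect", "Action", "Principal"}]}."""
    policy = json.loads(trust_policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services = _as_list((stmt.get("Principal") or {}).get("Service"))
        if ECS_SERVICE in services:
            return True
    return False


def add_ecs_trust(trust_policy_json: str) -> str:
    """Apply the manual fix from the Note: append an Allow statement that trusts ECS.
    A separate statement is appended instead of editing existing principals, so any
    account or RAM-user principals the role already trusts are left untouched."""
    if trusts_ecs(trust_policy_json):
        return trust_policy_json
    policy = json.loads(trust_policy_json)
    statements = _as_list(policy.get("Statement"))
    statements.append({"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": [ECS_SERVICE]}})
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


# Constructed sample: role created with Alibaba Cloud Service and ECS as trusted service.
SERVICE_ROLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ecs.aliyuncs.com"]}}]})

# Constructed sample: role created with Alibaba Cloud Account (placeholder account ID),
# so only a RAM principal is trusted and ECS cannot assume the role yet.
ACCOUNT_ROLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"RAM": ["acs:ram::123456789012****:root"]}}]})
```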

Step 2: Attach a policy to the instance RAM role

Perform the following operations to attach a system or custom policy to the instance RAM role in the RAM console:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. (Optional) Create a custom policy if you do not want to use a system policy. For more information, see the "Create a custom policy" section in Control access to resources by using RAM users.
  3. In the left-side navigation pane, choose Identities > Roles.
  4. On the Roles page, find the RAM role to which you want to grant permissions and click Input and Attach in the Actions column.
  5. In the Add Permissions panel, set Type to System Policy or Custom Policy and enter a policy name.
  6. Click OK.
  7. Click Close.

Step 3: Attach the instance RAM role to an ECS instance

Perform the following operations to attach the instance RAM role to an ECS instance in the ECS console:

    Note
    An ECS instance can have only one instance RAM role attached at a time.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Find the ECS instance to which you want to attach the instance RAM role and choose More > Instance Settings > Attach/Detach RAM Role in the Actions column.
  5. In the Attach/Detach RAM Role dialog box, select the instance RAM role from the RAM Role drop-down list and click OK.

You can also select the instance RAM role from the RAM Role drop-down list in the System Configurations (Optional) step when you create an ECS instance. For more information, see Create an instance by using the wizard.