A RAM Role is used to allow authenticated user (this can be an actual user, application or a service) can assume the permissions of a particular role. An example of a user could be any of the following:
- Alibaba Cloud Account user
- Alibaba Cloud Service (used to grant access to your resources)
- A user from Idp (federated users)
A use case for creating a RAM role could be that I want the ability to grant a user that assumes a particular role to certain permissions. For example, I want users/applications with a certain role to be able to have read-only access to Object Storage Services (OSS) so that it can pull files from OSS.
Below we will show you how you could set this up…
Creating RAM role using Alibaba Cloud console
When creating a role, you will be prompted to select the type of entity that the new role can be associated with. This can be any of the three examples of a ‘user’. The new RAM role will appear in the RAM Roles.
The RAM role does not have any policies attached to the role. For the role to be useful, policies should be added. You can either add Alibaba Cloud’s managed policies or custom created policies.
The role created can be assumed by any RAM user under the Alibaba Cloud account whose ID is under the ‘Current Alibaba Cloud Account’.
RAM Role principal
The RAM role principal can be updated to be restricted to specific users, services or federated Idp users. The following is an example of only restricting a specific user to the role:
Grant RAM Role
Users that need to assume the new RAM Role must be granted permissions to do so. This can be done using RAM’s Grants. To grant the user to the role you can use pre-build policies such as ‘AliyunSTSAssumeRoleAccess‘ policy or you can create a custom policy.
Note that you can further restrict the role policy by creating a custom policy by creating your own policy.
Creating your own Assume Role Access Policy
Custom policies can be created to deny/allow resources. In this example, we are allowing the STS:AssumeRole action for the defined RAM Role. Grant this policy to the user to take effect.
Source – Details about RAM Roles