Alibaba Cloud: RAM Role and STS

A RAM Role allows an authenticated identity (an actual user, an application or a service) to assume the permissions of a particular role. The identity assuming the role could be any of the following:

  • Alibaba Cloud Account user
  • Alibaba Cloud Service (used to grant access to your resources)
  • A user from an IdP (federated users)

A use case for creating a RAM role is to grant a defined set of permissions to whichever user assumes that role. For example, I want users/applications with a certain role to have read-only access to Object Storage Service (OSS) so that they can pull files from OSS.

Below we show how you could set this up.

Creating RAM role using Alibaba Cloud console

When creating a role, you are prompted to select the type of trusted entity the new role can be associated with. This can be any of the three kinds of ‘user’ listed above. The new RAM role will then appear in the RAM Roles list.

Create a new RAM role and the policy documents associated with the role.

A newly created RAM role does not have any policies attached. For the role to be useful, policies must be added; you can attach either Alibaba Cloud’s managed policies or custom policies that you create.

By default the role can be assumed by any RAM user under the Alibaba Cloud account whose ID is shown under ‘Current Alibaba Cloud Account’.

Viewing the role’s trust policy, any user under that account ID (blacked out in the picture) can assume the role. This can be modified to restrict the role to specific users, as in the following example.

RAM Role principal

The RAM role principal can be updated to restrict the role to specific users, services or federated IdP users. The following is an example of restricting the role to a single user:

"acs:ram::{accountid}:user/app-admin"

Grant RAM Role

Users that need to assume the new RAM role must be granted permission to do so. This is done through RAM’s Grants. To grant the user permission to assume the role you can use a pre-built policy such as the ‘AliyunSTSAssumeRoleAccess’ policy, or you can create a custom policy.

Assigning the policy gives user app-admin permission to assume roles.

Note that you can further restrict which roles may be assumed by writing your own custom policy instead of using the pre-built one.

Creating your own Assume Role Access Policy

Custom policies can be created to allow or deny access to resources. In this example, we allow the STS:AssumeRole action only for the defined RAM role. Grant this policy to the user for it to take effect.

Creating a custom policy that further restricts who can use AssumeRole, and on which role.
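The two policy documents this post relies on are the role’s trust policy (which principal may assume the role, from the ‘RAM Role principal’ section) and the user’s permission policy (which roles the user may call STS:AssumeRole on, from this section). The script below is an added example, not Alibaba Cloud’s code or a tool from this post: it writes both documents for a constructed account ID, user name and role name (placeholders, replace them with your own), shows the difference between the account-wide default principal and the single-user principal, and includes a small evaluator that mirrors the check Alibaba Cloud performs: a user can assume a role only if its own policy allows sts:AssumeRole on that role and the role’s trust policy lists that user (or its whole account). The evaluator is a simplification that handles only Allow/Deny, `root`, exact ARNs and trailing-`*` resources.

```python
"""RAM role trust policy and AssumeRole permission policy, with a toy evaluator.

Added example; not Alibaba Cloud's code. ACCOUNT_ID, ROLE_NAME and the user
names are constructed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"      # placeholder account id (constructed)
ROLE_NAME = "oss-readonly-role"  # placeholder role name (constructed)
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/{ROLE_NAME}"

# Trust policy as the console creates it: every RAM user of the account may assume the role.
TRUST_POLICY_ACCOUNT_WIDE = {
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": [f"acs:ram::{ACCOUNT_ID}:root"]},
    }],
}

# Trust policy restricted to the single RAM user app-admin (the principal from the post).
TRUST_POLICY_RESTRICTED = {
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": [f"acs:ram::{ACCOUNT_ID}:user/app-admin"]},
    }],
}

# Broad permission policy: sts:AssumeRole on any role (Resource "*"), modelled here on the
# shape of a managed assume-role policy. Useful only as the "before" in the comparison.
ASSUME_ANY_ROLE_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"}],
}

# Custom permission policy: sts:AssumeRole on this one role only.
ASSUME_ROLE_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": ROLE_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # RAM action names are compared case-insensitively here (the post writes STS:AssumeRole).
    return action.lower() in [a.lower() for a in _as_list(stmt["Action"])]


def trust_policy_allows(trust_policy, principal_arn):
    """True if the trust policy names this RAM principal.

    `acs:ram::<id>:root` stands for every RAM user of that account, so a user ARN
    under the same account matches it. An explicit Deny wins over any Allow.
    """
    account = principal_arn.split(":")[3]
    allowed = False
    for stmt in trust_policy["Statement"]:
        if not _action_matches(stmt, "sts:AssumeRole"):
            continue
        for ram in _as_list(stmt.get("Principal", {}).get("RAM", [])):
            if ram == principal_arn or ram == f"acs:ram::{account}:root":
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def permission_policy_allows(policy, action, resource):
    """True if the user's permission policy allows `action` on `resource`.

    Resource "*" matches anything; a trailing "*" matches by prefix.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        for res in _as_list(stmt.get("Resource", "*")):
            prefix_hit = res.endswith("*") and resource.startswith(res[:-1])
            if res == "*" or res == resource or prefix_hit:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def can_assume(trust_policy, permission_policy, principal_arn, role_arn):
    """Both sides must agree: the user's policy grants sts:AssumeRole on the role,
    and the role's trust policy lists the user (or the user's account)."""
    return (permission_policy_allows(permission_policy, "sts:AssumeRole", role_arn)
            and trust_policy_allows(trust_policy, principal_arn))


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY_RESTRICTED, indent=2))
    for user in ("app-admin", "intern"):  # constructed user names
        arn = f"acs:ram::{ACCOUNT_ID}:user/{user}"
        print(user,
              "account-wide trust:", can_assume(TRUST_POLICY_ACCOUNT_WIDE, ASSUME_ROLE_POLICY, arn, ROLE_ARN),
              "restricted trust:", can_assume(TRUST_POLICY_RESTRICTED, ASSUME_ROLE_POLICY, arn, ROLE_ARN))
```

Running it shows the point of both edits in the post: with the account-wide trust policy every user who holds an assume-role grant can take the role, while with the restricted principal only app-admin can, and swapping the broad `Resource: "*"` policy for `ASSUME_ROLE_POLICY` stops the same user from assuming any other role in the account.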

Source – Details about RAM Roles