Application Configuration Management (ACM) supports Alibaba Cloud Resource Access Management (RAM). By using RAM roles, you can access ACM resources in other cloud accounts.
(Old version) Create a RAM role
- Log on to the RAM console. In the left-side navigation pane, choose Roles.
- On the Role Management page, click Create Role in the upper-right corner. In the Create Role dialog box, select a role type as needed on the Select Role Type tab.
  - User Role: RAM users under a trusted Alibaba Cloud account can assume this role to access your cloud resources. Trusted accounts can be the current Alibaba Cloud account or another Alibaba Cloud account.
  - Service Role: Trusted cloud services, such as Elastic Compute Service (ECS), can assume this role to access your cloud resources.
- Perform the corresponding operation based on the selection in the previous step.
  - If you select User Role, on the Enter Type tab, select Current Alibaba Cloud Account, or select Other Alibaba Cloud Account and enter its account ID. Then click Next.
  - If you select Service Role, select a cloud service on the Enter Type tab.
- On the Configure Basic tab, enter a role name in the Role Name field, and then click Create.
- If the Phone Verification dialog box appears, click Send verification code, and enter the verification code received by your phone.
(New version) Create a RAM role
- Log on to the RAM console. In the left-side navigation pane, choose RAM Roles.
- On the RAM Roles page, click Create RAM Role.
- In the Create RAM Role dialog box, perform the following operations and then click OK.
  - In the Trusted entity type section, select a role type as needed.
    - Alibaba Cloud Account: A RAM user of a trusted Alibaba Cloud account can assume the RAM role to access your cloud resources. A trusted Alibaba Cloud account can be the current account or another Alibaba Cloud account.
    - Alibaba Cloud Service: A trusted Alibaba Cloud service, such as Elastic Compute Service (ECS), can assume the RAM role to access your cloud resources.
  - Perform the corresponding operation based on the selection in the previous step.
    - If you select Alibaba Cloud Account, in the Select Trusted Alibaba Cloud Account section, select Current Alibaba Cloud Account, or select Other Alibaba Cloud Account and enter its account ID in the Account ID field.
    - If you select Alibaba Cloud Service, select a cloud service from the Select Trusted Service drop-down list.
  - In the RAM Role Name field, enter a RAM role name.
(Old version) Authorize a RAM role
A newly created RAM role has no permissions, so you must grant permissions to it.
- In the Create Role dialog box, click Authorize on the Role created tab. If you have closed the Create Role dialog box, click the name of the newly created RAM role on the Role Management page. In the left-side navigation pane, choose Role Authorization Policies.
- On the Role Authorization Policies page, click Edit Authorization Policy in the upper right corner.
- On the Search and Attach tab in the Edit Role Authorization Policy dialog box, select AliyunACMFullAccess from the left-side Available Authorization Policy Names list. Then click the > icon in the middle to add AliyunACMFullAccess to the right-side Selected Authorization Policy Name list. Then click OK.
- If you also use the configuration encryption and decryption function of ACM, also attach the AliyunKMSCryptoAccess authorization policy to this RAM role.
- If the Phone Verification dialog box appears, click Send verification code, and enter the verification code received by your phone.
(New version) Authorize a RAM role
A newly created RAM role has no permissions, so you must grant permissions to it.
- Log on to the RAM console. In the left-side navigation pane, choose RAM Roles.
- On the RAM Roles page, find the RAM role to be authorized, and click Add Permissions in the Actions column.
- In the Add Permissions dialog box, find AliyunACMFullAccess in the left-side System Policy list, and click this policy. Then click OK.
- If you also use the configuration encryption and decryption function of ACM, also attach the AliyunKMSCryptoAccess authorization policy to this RAM role.
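The create and authorize steps above leave a role with two parts worth reviewing together: the trust policy that says who may assume it, and the attached policies that say what it may do. The following is an added example, not part of the original documentation: it assumes the RAM trust policy document format (`Principal` with `RAM` or `Service` entries), uses constructed account IDs, and the function names `trusted_entities` and `review_role` are hypothetical.

```python
import json
import re

OWN_ACCOUNT = "1111111111111111"  # constructed placeholder for your own account ID

# Constructed trust policy of a role that trusts another Alibaba Cloud account.
TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": ["acs:ram::2222222222222222:root"]},
    }],
})

ACCOUNT_RE = re.compile(r"^acs:ram::(\d+):")


def _as_list(value):
    # A principal entry may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def trusted_entities(trust_policy_json):
    """Return (account_ids, services) that the trust policy allows to assume the role."""
    accounts, services = set(), set()
    for stmt in json.loads(trust_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        for arn in _as_list(principal.get("RAM", [])):
            match = ACCOUNT_RE.match(arn)
            accounts.add(match.group(1) if match else arn)
        services.update(_as_list(principal.get("Service", [])))
    return accounts, services


def review_role(trust_policy_json, attached, own_account, uses_encryption):
    """Return findings for one role, given the names of its attached policies."""
    findings = []
    accounts, _services = trusted_entities(trust_policy_json)
    external = sorted(a for a in accounts if a != own_account)
    if external and "AliyunACMFullAccess" in attached:
        findings.append("cross-account full ACM access: " + ", ".join(external))
    if "AliyunACMFullAccess" not in attached:
        findings.append("AliyunACMFullAccess not attached: role has no ACM permissions")
    if uses_encryption and "AliyunKMSCryptoAccess" not in attached:
        findings.append("AliyunKMSCryptoAccess missing but configuration encryption is in use")
    return findings
```

A cross-account finding is not necessarily wrong, since that is the use case this page describes; it marks the roles whose trusted account ID should be confirmed against the one you intended to enter.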
(Old version) Deauthorize a RAM role
- Log on to the RAM console. In the left-side navigation pane, choose Roles.
- On the Role Management page, find the role to be deauthorized, and click Authorize in the Actions column.
- In the Edit Role Authorization Policy dialog box, select AliyunACMFullAccess from the right-side Selected Authorization Policy Name list. Then click the < icon in the middle to move this policy to the left-side Available Authorization Policy Names list. Then click OK.
After the authorization is revoked, the corresponding RAM user is not authorized to log on to the ACM console.
(New version) Deauthorize a RAM role
- Log on to the RAM console. In the left-side navigation pane, choose RAM Roles.
- On the RAM Roles page, select the role to be deauthorized in the RAM Role Name column.
- On the Role Authorization Policies tab, click Remove Permission in the Actions column.
- In the Remove Permission dialog box, click OK.
After the authorization is revoked, the corresponding RAM user is not authorized to log on to the ACM console.
(Old version) Delete a RAM role
- Log on to the RAM console. In the left-side navigation pane, choose Roles.
- On the Role Management page, find the role to be deleted, and click Delete in the Actions column.
- In the Delete Role dialog box, click OK.
(New version) Delete a RAM role
- Log on to the RAM console. In the left-side navigation pane, choose RAM Roles.
- On the RAM Roles page, find the role to be deleted, and click Delete in the Actions column.
- In the Delete RAM Role dialog box, click OK.