Create a RAM role for a trusted Alibaba Cloud service

Updated at: 2025-03-14 06:32

A Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service is used to authorize access across Alibaba Cloud services. This type of RAM role can be assumed by a trusted Alibaba Cloud service.

Service role types

  • Regular service role: You must enter a name for the RAM role, select a trusted service, and then attach policies to the RAM role.

  • Service-linked role: You need only to select a trusted service. The name and policy of the RAM role are predefined by the service. A service-linked role is automatically created when you perform specific operations, such as creating a cloud resource or enabling a feature. You can also manually create a service-linked role in the RAM console. For more information, see Service-linked roles.

Create a regular service role

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set Principal Type to Cloud Service, select an Alibaba Cloud service for the Principal Name parameter, and then click OK.

    Note

    The Alibaba Cloud services that you can select for the Principal Name parameter are limited to those listed in the RAM console.

  5. Optional. If you want to authorize access across Alibaba Cloud accounts or to multiple Alibaba Cloud services, click Switch to Policy Editor on the Create Role page and specify the Alibaba Cloud service in the editor.

    The editor supports the Visual editor and JSON modes. In the following example, the Alibaba Cloud service ActionTrail of another Alibaba Cloud account whose ID is 177*******6878 is authorized to assume the RAM role that is being created and perform operations on the resources within the current Alibaba Cloud account.

    • Visual editor

      Specify an Alibaba Cloud service for the Principal element.

    • JSON

      Specify an Alibaba Cloud service for the Service field of the Principal parameter.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "177*******6878@actiontrail.aliyuncs.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

  6. In the Create Role dialog box, configure the Role Name parameter and click OK.

After a RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.
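Before attaching a trust policy like the one above, it is worth checking which accounts the Service principals actually belong to. The following Python helper is an added example, not code from this page or from Alibaba Cloud; it parses a trust policy in the format shown above and lists every service principal that may assume the role, marking those from another account. The account IDs are constructed, and it assumes a same-account service principal is written without the account prefix (for example ecs.aliyuncs.com).

```python
import json
import re

# Service principal format used on this page: "<account-id>@<service>.aliyuncs.com".
# A service of the current account is assumed to omit the "<account-id>@" prefix.
SERVICE_RE = re.compile(r"^(?:(?P<account>\d+)@)?(?P<service>[a-z0-9\-]+)\.aliyuncs\.com$")

# Constructed sample trust policy; the account ID is a made-up 16-digit value.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["1234567890123456@actiontrail.aliyuncs.com",
                                  "ecs.aliyuncs.com"]},
        "Action": "sts:AssumeRole",
    }],
})

def audit_trust_policy(policy_text, current_account_id):
    """Return one dict per service principal allowed to call sts:AssumeRole,
    with the owning account and a cross_account flag. Raises ValueError on a
    malformed policy or on a principal that is not a recognised service."""
    policy = json.loads(policy_text)
    if policy.get("Version") != "1":
        raise ValueError('RAM trust policies use "Version": "1"')
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        for svc in services:
            match = SERVICE_RE.match(svc)
            if not match:  # wildcards or unexpected formats are rejected outright
                raise ValueError(f"unexpected service principal: {svc}")
            account = match.group("account") or current_account_id
            findings.append({
                "principal": svc,
                "service": match.group("service"),
                "account": account,
                "cross_account": account != current_account_id,
            })
    return findings

if __name__ == "__main__":
    for f in audit_trust_policy(SAMPLE_POLICY, "6543210987654321"):
        print(f)
```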

Create a service-linked role

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Create Service Linked Role.

  5. On the Create Service Linked Role page, select a trusted Alibaba Cloud service and click Create Service Linked Role.

    Note

    The Alibaba Cloud services that you can select for the Select Service parameter are limited to those listed in the RAM console.

After a service-linked role is created, a predefined name and policy are automatically attached to the role. The policy is defined by the Alibaba Cloud service.