
Resource Access Management: Grant permissions to a RAM role

Last Updated: May 09, 2024

You can grant permissions to a Resource Access Management (RAM) role that you created for a trusted Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). We recommend that you grant only the required permissions to the RAM role based on the principle of least privilege.

Limits

  • You cannot grant permissions to service-linked roles by attaching policies to the roles. This is because the policies that are attached to this type of role are defined by the linked cloud services. For more information, see Service-linked roles.

  • For more information about the maximum numbers of system policies and custom policies that can be attached to each RAM role, see Limits.

Method 1: Grant permissions to a RAM role by clicking Grant Permission on the Roles page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.

    You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.

  4. In the Grant Permission panel, grant permissions to the RAM role.

    1. Configure the Resource Scope parameter.

      • Account: The authorization takes effect on the current Alibaba Cloud account.

      • Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      The principal is the RAM role to which you want to grant permissions. The current RAM role is automatically selected.

    3. Configure the Policy parameter.

      A policy is a set of access permissions. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Method 2: Grant permissions to a RAM role by clicking Precise Permission on the Roles page

If you know the exact name of a policy, you can grant permissions to a RAM role by clicking Input and Attach in the Actions column of the RAM role on the Roles page. By default, the authorization scope is the current Alibaba Cloud account. For more information about how to view the name of a policy, see View the basic information about a policy.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the RAM role that you want to manage.

  4. On the Permissions tab, click Precise Permission.

  5. In the Precise Permission panel, set Type to System Policy or Custom Policy and enter a policy name.

  6. Click OK.

  7. Click Close.

Method 3: Grant permissions to a RAM role on the Grants page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Grants.

  3. On the Permission page, click Grant Permission.

  4. In the Grant Permission panel, grant permissions to the RAM role.

    1. Configure the Resource Scope parameter.

      • Account: The authorization takes effect on the current Alibaba Cloud account.

      • Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Configure the Principal parameter.

      The principal is the RAM role to which you want to grant permissions. You can select multiple RAM roles at a time.

    3. Configure the Policy parameter.

      A policy is a set of access permissions. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.
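
The following Python sketch is an added example, not Alibaba Cloud code. It reviews a grant before you click Grant permissions in Method 1 or Method 3: it expands the selected roles and policies into individual attachments and flags the high-risk system policies named above, account-wide scope for those policies, and service-linked roles. The request structure, the sample role names, and the `AliyunServiceRoleFor` name prefix for service-linked roles are assumptions.

```python
from itertools import product

# The two high-risk system policies this page names (it gives them as examples).
HIGH_RISK_SYSTEM_POLICIES = {"AdministratorAccess", "AliyunRAMFullAccess"}
# Assumption: service-linked role names start with this prefix.
SERVICE_LINKED_PREFIX = "AliyunServiceRoleFor"


def review_grant(request):
    """Expand a Grant Permission request into (role, policy) pairs with findings."""
    scope = request["resource_scope"]  # "Account" or "ResourceGroup"
    if scope not in ("Account", "ResourceGroup"):
        raise ValueError(f"unknown resource scope: {scope!r}")
    if scope == "ResourceGroup" and not request.get("resource_group_id"):
        raise ValueError("Resource Group scope needs a resource_group_id")
    results = []
    for role, policy in product(request["roles"], request["policies"]):
        findings = []
        if role.startswith(SERVICE_LINKED_PREFIX):
            # Limits: policies of service-linked roles are defined by the service.
            findings.append("BLOCK: service-linked role cannot be granted policies")
        # Custom policies are not judged here; their documents need manual review.
        if policy["type"] == "System" and policy["name"] in HIGH_RISK_SYSTEM_POLICIES:
            findings.append("HIGH-RISK: system policy flagged as high-risk")
            if scope == "Account":
                findings.append("WIDE: high-risk policy at account scope")
        results.append({"role": role, "policy": policy["name"],
                        "scope": scope, "findings": findings})
    return results


# Constructed sample request; role names and the custom policy are hypothetical.
SAMPLE_REQUEST = {
    "resource_scope": "Account",
    "roles": ["ci-deploy-role", "AliyunServiceRoleForExample"],
    "policies": [
        {"type": "System", "name": "AliyunOSSReadOnlyAccess"},
        {"type": "System", "name": "AdministratorAccess"},
        {"type": "Custom", "name": "app-logs-read"},
    ],
}

if __name__ == "__main__":
    for item in review_grant(SAMPLE_REQUEST):
        status = "; ".join(item["findings"]) or "ok"
        print(f'{item["role"]:<30} {item["policy"]:<26} {status}')
```
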