After you create a member in a resource directory or invite an Alibaba Cloud account to join a resource directory as a member, you can use the methods described in this topic to enable the member to log on to the Alibaba Cloud Management Console.
Logon methods
| Logon method | Description | Applicable member type | References |
| --- | --- | --- | --- |
| Use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console | The system automatically creates a RAM role named ResourceDirectoryAccountAccessRole for each member in a resource directory and specifies the management account of the resource directory as the trusted entity for the RAM role. This way, the management account has permissions to assume the RAM roles of all members in the resource directory and log on to the Alibaba Cloud Management Console. You can use the management account of a resource directory to create a RAM user and grant administrative permissions to the RAM user. Then, you can use the RAM user to assume the RAM role ResourceDirectoryAccountAccessRole of a member in the resource directory and log on to the Alibaba Cloud Management Console. | | Use a RAM role to log on to the Alibaba Cloud Management Console |
| Use a RAM user created for a member to log on to the Alibaba Cloud Management Console | After you use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console, you can create a RAM user for the member and grant the required permissions to the RAM user. Then, you can log on to the Alibaba Cloud Management Console as the RAM user created for the member. | | Log on to the Alibaba Cloud Management Console as a RAM user |
| Use the root user of a member to log on to the Alibaba Cloud Management Console (not recommended) | If you want to use a member of the cloud account type in a resource directory to log on to the Alibaba Cloud Management Console, you can use the username and password of the root user of the member. However, for security purposes, we recommend that you do not use this method. | Alibaba Cloud accounts that are invited to join a resource directory as members. These members are of the cloud account type. | Log on to the Alibaba Cloud Management Console as the root user of a member |
| Use a CloudSSO user to log on to the Alibaba Cloud Management Console | CloudSSO is integrated with Alibaba Cloud Resource Directory to help you manage identities and access permissions for multiple accounts in a centralized manner. After you activate CloudSSO and grant access permissions on a member in a resource directory to the CloudSSO user, the CloudSSO user can log on to the CloudSSO user portal and access resources of the member based on the related access configuration. | CloudSSO users. | |
Use a RAM role to log on to the Alibaba Cloud Management Console
Use the management account of a resource directory to create a RAM user and grant the required permissions to the RAM user.
Use the management account of a resource directory to log on to the RAM console.
Create a RAM user.
In this example, a RAM user named Alice is created. For more information, see Create a RAM user.
Grant the required permissions to Alice.
You must attach the following policies to Alice:
AliyunSTSAssumeRoleAccess: defines the permissions that are required to call the AssumeRole operation of Security Token Service (STS).
AliyunResourceDirectoryFullAccess: defines the permissions that are required to manage a resource directory.
Note: If you want to use Alice as an administrator, you can attach the AdministratorAccess policy to Alice.
For more information, see Grant permissions to RAM users.
Use Alice to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console.
Use Alice to log on to the Resource Management console.
In the left-side navigation pane, choose .
Click the Organization or Members tab.
Find the desired member and click Logon Account in the Actions column.
Then, Alice can assume the RAM role ResourceDirectoryAccountAccessRole of the member to log on to the Alibaba Cloud Management Console and perform operations that are defined for the RAM role.
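The trust relationship this procedure relies on (the management account as the trusted entity of ResourceDirectoryAccountAccessRole) can be verified from an exported copy of the role's trust policy. The following Python is an added example, not Alibaba Cloud's own code; it assumes the standard RAM trust policy JSON layout (Statement, Principal, RAM), and the account IDs and sample policies are constructed placeholders.

```python
import json

def as_list(value):
    """RAM policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, management_account_id):
    """Return findings for a role that should trust only the management account."""
    expected = f"acs:ram::{management_account_id}:root"
    findings, trusts_management = [], False
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: malformed or missing Principal")
            continue
        for kind, values in principal.items():
            for entity in as_list(values):
                if kind == "RAM" and entity == expected:
                    trusts_management = True
                else:
                    # Any other account, service, or identity provider widens access.
                    findings.append(f"statement {i}: unexpected {kind} principal {entity}")
    if not trusts_management:
        findings.append("management account is not a trusted entity")
    return findings

def make_policy(principal):
    """Build a constructed trust policy document with the given Principal element."""
    return json.dumps({"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": principal}]})

# Constructed sample data: placeholder account IDs, not real accounts.
MANAGEMENT_ID = "1000000000000001"
EXPECTED_POLICY = make_policy({"RAM": [f"acs:ram::{MANAGEMENT_ID}:root"]})
WIDENED_POLICY = make_policy({"RAM": [f"acs:ram::{MANAGEMENT_ID}:root",
                                      "acs:ram::2000000000000002:root"]})
SERVICE_ONLY_POLICY = make_policy({"Service": ["ecs.aliyuncs.com"]})

if __name__ == "__main__":
    for name, doc in [("expected", EXPECTED_POLICY), ("widened", WIDENED_POLICY),
                      ("service-only", SERVICE_ONLY_POLICY)]:
        print(name, audit_trust_policy(doc, MANAGEMENT_ID) or "OK")
```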
Log on to the Alibaba Cloud Management Console as a RAM user
Use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console.
For more information, see Use a RAM role to log on to the Alibaba Cloud Management Console.
Create a RAM user for the member.
In this example, a RAM user named Tom is created. For more information, see Create a RAM user.
Grant the required permissions to Tom.
If you want to allow Tom to access all resources of the member, attach the AdministratorAccess policy to Tom. In other cases, grant permissions to Tom based on your business requirements. For more information, see Grant permissions to RAM users.
Use Tom to log on to the Alibaba Cloud Management Console.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Log on to the Alibaba Cloud Management Console as the root user of a member
For security purposes, we recommend that you do not use the root user of a member to log on to the Alibaba Cloud Management Console.
Log on to the Alibaba Cloud Management Console.
Enter the username and password of the root user of the desired member in a resource directory.
Click Sign in.