This topic describes the concepts of identities and permissions in Alibaba Cloud services.
Identities
Alibaba Cloud identities can be classified as physical entities and virtual entities.
Physical entities
A physical entity has a fixed ID and identity credential. It is used to represent a person, a company, or an application. The identity credentials of a physical entity can be a logon password or an AccessKey pair. A physical entity can be an Alibaba Cloud account or a Resource Access Management (RAM) user. A physical entity can access Alibaba Cloud resources by using the following methods:
Access cloud resources through the console by using a username and password, or the multi-factor authentication (MFA) method.
Access cloud resources by using an AccessKey pair.
Alibaba Cloud accounts and RAM users have different features. Take note of the following items before you access Alibaba Cloud resources.
Virtual entities
A virtual entity does not have a fixed identity credential such as a logon password or an AccessKey pair. A RAM role is a virtual entity. Before you can use a RAM role, a trusted entity, such as a RAM user of a trusted Alibaba Cloud account, must assume it. After a trusted entity assumes a RAM role, it obtains a Security Token Service (STS) token of the RAM role and can use the STS token to access the resources on which the RAM role has permissions.
RAM roles are classified into three types based on trusted entities.
| Trusted entity | Description |
| --- | --- |
| Alibaba Cloud account | This type of RAM role is used for cross-account access and temporary authorization. It can be assumed only by a RAM user that belongs to a trusted Alibaba Cloud account. The trusted Alibaba Cloud account can be either the current Alibaba Cloud account or another Alibaba Cloud account. |
| Alibaba Cloud service | This type of RAM role is used to authorize access across Alibaba Cloud services. It can be assumed only by trusted Alibaba Cloud services. |
| Identity provider (IdP) | This type of RAM role is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP. It can be assumed only by users of a trusted IdP. |
Permissions
Permissions are used to control the access of different user identities to specific resources. You can use permissions to control whether to allow or deny specific operations on specific resources.
Permissions of physical entities
| Physical entity | Default permission | Authorization | Description |
| --- | --- | --- | --- |
| Alibaba Cloud account | Full permissions on resources | Not required. | An Alibaba Cloud account has full control and permissions over the resources that it owns. Other users, such as RAM users, can access resources only after being authorized by an Alibaba Cloud account. |
| RAM user | None | RAM users can access and use cloud resources in the console or by calling API operations only after they are authorized. | Alibaba Cloud implements authorization by attaching policies to RAM identities. A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. RAM supports two types of policies. You can attach a policy to a RAM user or a RAM user group to grant it the access permissions specified in the policy. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM user group. |
Permissions of virtual entities
RAM roles of Alibaba Cloud do not have any permissions by default.
RAM roles can access and use cloud resources in the console or by calling API operations only after they are assumed by trusted entities and authorized.
You can attach a policy to a RAM role to grant it the access permissions specified in the policy. For more information, see Grant permissions to a RAM role.
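As an added example that is not part of the Alibaba Cloud documentation, the following Python script models the two checks described on this page: the trust policy that decides which of the three kinds of trusted entity (RAM identity, Alibaba Cloud service, IdP) may assume a role, and the permission policy attached to the role that decides whether an action on a resource is allowed. The policies follow RAM's JSON structure (Version, Statement, Effect, Action, Resource, Principal); the account ID, IdP name and bucket name are constructed placeholders, and the wildcard matching and Allow/Deny logic (default deny, explicit Deny overrides Allow, a role with no policy has no permissions) are a simplified model of RAM evaluation written here, not the service's own code.

```python
import fnmatch

# Constructed sample policies in RAM policy syntax. The account ID
# 123456789012345678, the IdP name and the bucket name are placeholders.

# Trust policy of a role: who may call sts:AssumeRole on it. One statement
# per trusted-entity type: a RAM identity of an account, a cloud service,
# and users federated through a SAML IdP.
TRUST_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"RAM": ["acs:ram::123456789012345678:root"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["ecs.aliyuncs.com"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Federated": [
             "acs:ram::123456789012345678:saml-provider/ExampleIdP"]}},
    ],
}

# Permission policy attached to the role: read-only access to one OSS
# bucket, plus an explicit Deny on every delete action, which wins over
# any Allow that might also match.
PERMISSION_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": ["acs:oss:*:*:example-bucket",
                      "acs:oss:*:*:example-bucket/*"]},
        {"Effect": "Deny", "Action": "oss:Delete*", "Resource": "*"},
    ],
}

# A role that has been created but has no policy attached yet.
EMPTY_POLICY = {"Version": "1", "Statement": []}


def _as_list(value):
    # Action, Resource and Principal values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str) -> bool:
    # "*" is the RAM wildcard; matching is modelled as case-sensitive here
    # (a simplification of this example, not a statement about the service).
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def can_assume(trust_policy: dict, principal_type: str, principal: str) -> bool:
    """principal_type is 'RAM', 'Service' or 'Federated', matching the three
    trusted-entity types of a RAM role. True only if an Allow statement for
    sts:AssumeRole names this principal."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        if _matches(stmt["Principal"].get(principal_type, []), principal):
            return True
    return False


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny'. Nothing matching means Deny (default deny);
    a matching Deny statement overrides every matching Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def access_via_role(trust_policy: dict, policy: dict, principal_type: str,
                    principal: str, action: str, resource: str) -> str:
    """Model the full flow: the entity must first be allowed to assume the
    role, and only then does the role's permission policy apply."""
    if not can_assume(trust_policy, principal_type, principal):
        return "Deny"  # role was never assumed, so no STS token is issued
    return evaluate(policy, action, resource)


if __name__ == "__main__":
    obj = "acs:oss:oss-cn-hangzhou:123456789012345678:example-bucket/report.csv"
    print(access_via_role(TRUST_POLICY, PERMISSION_POLICY, "RAM",
                          "acs:ram::123456789012345678:root", "oss:GetObject", obj))
    print(access_via_role(TRUST_POLICY, PERMISSION_POLICY, "RAM",
                          "acs:ram::123456789012345678:root", "oss:DeleteObject", obj))
```

The model shows the two properties a reviewer checks on a role: the trust policy bounds who can obtain the role's STS token, and the attached permission policy bounds what that token can do, with an untouched role (no policy) granting nothing.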
References
For more information about the Alibaba Cloud services that support RAM and the corresponding system policies, see Services that work with RAM.
For more information about the basic policy elements and syntax supported by RAM, see Policy elements and Policy structure and syntax.