Manage permissions for a RAM role


Grant, view, and revoke permissions for a RAM role.

Limitations

  • Permissions for a service-linked role are predefined by the associated cloud service and cannot be modified. You cannot manually add or remove permissions for a service-linked role.

  • The number of policies (system and custom) that can be attached to a single RAM role is capped. See Limitations for the current quota.

Grant permissions to a RAM role

Console

Requires the AliyunRAMFullAccess system policy.

The console provides two entry points for granting permissions:

Entry point                  | Use cases                                                                              | Batch operation supported
Identities > Roles page      | Grant the same permissions to one or more RAM roles.                                    | Yes
Permissions > Grants page    | Grant the same permissions to multiple principals (users, user groups, and roles) at once. | Yes

From the Roles page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the target RAM role and click Grant Permission in the Actions column.

    To grant permissions in bulk, select multiple RAM roles and click Grant Permission at the bottom of the role list.

  4. On the Grant Permission panel, grant permissions to the RAM role.

    1. Select a resource scope.

      • Account: Permissions apply to the current Alibaba Cloud account.

      • Resource Group: Permissions apply to the specified Resource Group.

        Note

        Resource Group-level permissions can only be granted for cloud services and resource types that support Resource Groups. For the list, see Cloud services that support Resource Groups.

    2. Select a principal.

      The RAM role you selected on the Roles page is pre-filled as the principal.

    3. Select policies.

      Select one or more policies to attach.

      • System policies: Predefined by Alibaba Cloud and cannot be modified. Available policies per service are listed in Cloud services that work with RAM.

        Note

        The console flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Attach them only when a narrower policy cannot do the job: a role holding either policy can manage RAM itself, and therefore grant additional permissions to itself or other identities.

      • Custom policies: Defined and managed by you. Create a custom policy.

    4. Click OK.

  5. Click Close.

From the Grants page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Grants.

  3. On the Grants page, click Grant Permission.

  4. On the Grant Permission panel, grant permissions to the RAM role.

    1. Select a resource scope.

      • Account: Permissions apply to the current Alibaba Cloud account.

      • Resource Group: Permissions apply to the specified Resource Group.

        Note

        Resource Group-level permissions can only be granted for cloud services and resource types that support Resource Groups. For the list, see Cloud services that support Resource Groups.

    2. Select a principal.

      Select the target RAM roles.

    3. Select policies.

      Select one or more policies to attach.

      • System policies: Predefined by Alibaba Cloud and cannot be modified. Available policies per service are listed in Cloud services that work with RAM.

        Note

        The console flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Attach them only when a narrower policy cannot do the job: a role holding either policy can manage RAM itself, and therefore grant additional permissions to itself or other identities.

      • Custom policies: Defined and managed by you. Create a custom policy.

    4. Click OK.

  5. Click Close.

API

Call AttachPolicyToRole to attach a policy to a RAM role. Required parameters:

  • PolicyType: The policy type. Valid values: System and Custom. The value is case-sensitive; for example, system is not accepted.

  • PolicyName: The exact name of the policy to attach.

  • RoleName: The name of the RAM role.

Note

AttachPolicyToRole grants permissions at the Alibaba Cloud account level only. To grant Resource Group-level permissions, see Grant permission to a RAM identity in the Resource Management documentation.

View permissions for a RAM role

Requires the AliyunRAMReadOnlyAccess system policy.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the target RAM role.

  4. On the Permissions tab, view the policies that are attached to the role.

API

Call ListPoliciesForRole to list policies attached to a RAM role. Required parameter:

RoleName: The name of the RAM role.

Revoke permissions from a RAM role

Requires the AliyunRAMFullAccess system policy.

Console

Revoke permissions from a RAM role using either method below.

From the Roles page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the target RAM role.

  4. On the Permissions tab, find the target policy and click Revoke Permission in the Actions column.

    To revoke in bulk, select multiple policies and click Revoke Permission at the bottom of the policy list.

  5. On the Revoke Permission dialog box, click Revoke Permission.

From the Grants page

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Grants.

  3. On the Grants page, find the target RAM role and click Revoke Permission in the Actions column.

    To revoke in bulk, select multiple RAM roles and click Revoke Permission at the bottom.

  4. On the Revoke Permission dialog box, click Revoke Permission.

API

Call DetachPolicyFromRole to detach a policy from a RAM role. Required parameters:

  • PolicyType: The policy type. Valid values: System and Custom. The value is case-sensitive; for example, system is not accepted.

  • PolicyName: The exact name of the policy to detach.

  • RoleName: The name of the RAM role.
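The three API operations above compose naturally into a least-privilege check: list what a role actually has, compare it with what it should have, and emit the exact parameter sets for AttachPolicyToRole and DetachPolicyFromRole needed to close the gap. The following is an added example for this page, not Alibaba Cloud's own code or SDK. It consumes the response shape ListPoliciesForRole returns (Policies.Policy[] with PolicyName and PolicyType), flags the high-risk system policies the console warns about, and refuses to plan an attach of those policies unless explicitly allowed. The role name app-runner, the sample response, the policy name app-bucket-rw and the baseline are constructed for illustration; the actual API calls are left to the caller.

```python
"""Reconcile a RAM role's attached policies against a desired baseline.

Added example, not Alibaba Cloud code. Input is a ListPoliciesForRole
response; output is the parameter sets AttachPolicyToRole and
DetachPolicyFromRole expect, ready to hand to an SDK or the aliyun CLI.
"""
from __future__ import annotations

# System policies the console flags as high risk (both named on this page).
HIGH_RISK_POLICIES = frozenset({"AdministratorAccess", "AliyunRAMFullAccess"})

# PolicyType is case-sensitive in the API: "System" works, "system" does not.
VALID_POLICY_TYPES = ("System", "Custom")

# Constructed ListPoliciesForRole response for a hypothetical role "app-runner".
SAMPLE_RESPONSE = {
    "RequestId": "constructed-request-id",
    "Policies": {
        "Policy": [
            {"PolicyName": "AliyunOSSReadOnlyAccess", "PolicyType": "System",
             "AttachDate": "2024-01-10T08:00:00Z"},
            {"PolicyName": "AdministratorAccess", "PolicyType": "System",
             "AttachDate": "2024-02-01T09:30:00Z"},
            {"PolicyName": "app-bucket-rw", "PolicyType": "Custom",
             "AttachDate": "2024-02-15T12:00:00Z"},
        ]
    },
}

# Desired baseline for the role, as (PolicyType, PolicyName) pairs (constructed).
DESIRED_BASELINE = {
    ("System", "AliyunOSSReadOnlyAccess"),
    ("Custom", "app-bucket-rw"),
    ("Custom", "app-logs-read"),
}


def validate_policy_type(policy_type: str) -> str:
    """Accept only the exact strings the API takes; do not case-fold silently."""
    if policy_type not in VALID_POLICY_TYPES:
        raise ValueError(
            f"PolicyType must be one of {VALID_POLICY_TYPES} (case-sensitive), "
            f"got {policy_type!r}"
        )
    return policy_type


def attached_policies(response: dict) -> set[tuple[str, str]]:
    """Flatten a ListPoliciesForRole response into (PolicyType, PolicyName) pairs."""
    return {
        (validate_policy_type(p["PolicyType"]), p["PolicyName"])
        for p in response.get("Policies", {}).get("Policy", [])
    }


def high_risk_attachments(response: dict) -> list[str]:
    """Names of attached policies the console would flag as high risk."""
    return sorted(
        name for _, name in attached_policies(response) if name in HIGH_RISK_POLICIES
    )


def plan_changes(role_name: str, response: dict, desired: set[tuple[str, str]],
                 allow_high_risk: bool = False) -> dict[str, list[dict[str, str]]]:
    """Return the AttachPolicyToRole / DetachPolicyFromRole parameter sets that
    move the role from its current attachments to the desired baseline."""
    actual = attached_policies(response)
    to_attach = desired - actual
    to_detach = actual - desired

    risky = {name for _, name in to_attach if name in HIGH_RISK_POLICIES}
    if risky and not allow_high_risk:
        raise ValueError(f"refusing to plan attach of high-risk policies: {sorted(risky)}")

    def params(pairs: set[tuple[str, str]]) -> list[dict[str, str]]:
        # Same three required parameters for both attach and detach.
        return [{"PolicyType": t, "PolicyName": n, "RoleName": role_name}
                for t, n in sorted(pairs)]

    return {"attach": params(to_attach), "detach": params(to_detach)}


if __name__ == "__main__":
    print("high-risk attachments:", high_risk_attachments(SAMPLE_RESPONSE))
    for action, calls in plan_changes("app-runner", SAMPLE_RESPONSE, DESIRED_BASELINE).items():
        for call in calls:
            print(action, call)
```

Each entry in the detach list maps one-to-one onto a DetachPolicyFromRole call, and each entry in the attach list onto an AttachPolicyToRole call, so the plan can be reviewed before anything is changed. Because AttachPolicyToRole only covers account-level grants, Resource Group-level grants made through Resource Management are outside what this reconciliation reasons about.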