This topic describes how to assume a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud account as a RAM user by using the Alibaba Cloud Management Console or the RAM API.

Prerequisites

Before you can assume a RAM role, make sure that you have completed the following operations:

  1. Create a RAM user.
  2. Create an AccessKey pair or configure a logon password for the RAM user.
    • If you want to assume a RAM role as the RAM user by logging on to the Alibaba Cloud Management Console, configure a logon password for the RAM user. For more information, see Change the password of a RAM user.
    • If you want to assume a RAM role as the RAM user by using the RAM API, create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair for a RAM user.
  3. Grant permissions to a RAM user.
    • To allow the RAM user to assume all RAM roles, attach the system policy AliyunSTSAssumeRoleAccess to the RAM user.
    • To allow the RAM user to assume a specific RAM role, attach a custom policy to the RAM user. For more information, see Can I specify the RAM role that a RAM user can assume?.
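The following is an added example (not code from the Alibaba Cloud documentation) of the custom policy that step 3 refers to: it generates a policy document that allows sts:AssumeRole only on named roles, as the least-privilege alternative to the system policy AliyunSTSAssumeRoleAccess, and includes a check that flags policies whose Resource is a wildcard. The account ID and role names are constructed placeholders.

```python
import json

# Added example, not part of the Alibaba Cloud documentation. Builds the custom
# policy that lets a RAM user assume only specific RAM roles (step 3 above),
# instead of attaching the broad system policy AliyunSTSAssumeRoleAccess.


def assume_role_policy(account_id, role_names):
    """Return a RAM custom policy document that allows sts:AssumeRole only on
    the given roles of the given Alibaba Cloud account.

    Role ARNs use the format acs:ram::<account-id>:role/<role-name>."""
    if not role_names:
        raise ValueError("at least one role name is required")
    resources = [f"acs:ram::{account_id}:role/{name}" for name in role_names]
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": resources,
            }
        ],
    }


def is_scoped(policy):
    """True if every Allow statement covering sts:AssumeRole names explicit
    role ARNs, i.e. the RAM user cannot assume arbitrary roles."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue  # statement does not grant AssumeRole
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if r == "*" or not r.startswith("acs:ram::") or r.endswith("role/*"):
                return False
    return True


if __name__ == "__main__":
    # Constructed placeholder account ID and role name.
    doc = assume_role_policy("123456789012", ["alice-testrole"])
    print(json.dumps(doc, indent=2))
    print("scoped:", is_scoped(doc))
```

Attach the printed document to the RAM user as a custom policy; a policy for which is_scoped returns False grants the same reach as AliyunSTSAssumeRoleAccess and should be reviewed.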

Use the Alibaba Cloud Management Console

After you log on to the Alibaba Cloud Management Console as a RAM user, you can switch your logon identity to a RAM role.

  1. Log on to the RAM console as a RAM user.
    Note To view the logon URL of RAM users, use your Alibaba Cloud account to log on to the RAM console. The logon URL is displayed on the Overview page.
  2. Move the pointer over the profile picture in the upper-right corner of the console and click Switch Identity.
  3. On the Switch Role page, configure the parameters.
    1. Enter the enterprise alias (account alias), default domain name, or ID of the Alibaba Cloud account to which the RAM role belongs. For more information, see View and modify the default domain name.
    2. Enter the name of the RAM role. For more information, see View the basic information about a RAM role.
  4. Click Submit.

    After the switch is complete, your logon identity changes to the RAM role, and your RAM user has the permissions that are granted to the RAM role.

    You can move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud Management Console to view the logon identity and current identity.


    The following describes the logon identity and current identity for each logon type. The My Identity parameter shows the current identity.

    Logon type: Password-based logon
      Logon identity: <Username of the logon RAM user>
      Current identity: <RoleName>/<RoleSessionName>
        • RoleName: the name of the role that is assumed by the RAM user
        • RoleSessionName: the username of the RAM user

    Logon type: Role-based SSO
      Logon identity: After you log on to the RAM console as a RAM role, only the current identity is displayed. The logon identity is not displayed. If you switch the logon identity to a different RAM role, the logon identity is displayed in the format of <RoleName>/<RoleSessionName>.
        • RoleName: the name of the role that is used for SSO
        • RoleSessionName: the RoleSessionName attribute in the role-based SSO authentication response
        For example, if the tom@example.local user of a trusted IdP logs on to the Alibaba Cloud Management Console as the RAM role test-saml-role1 and switches the identity to the RAM role alice-testrole, the logon identity is test-saml-role1/tom@example.local.
      Current identity: <RoleName>/<RoleSessionName>
        • RoleName: the name of the assumed role
        • RoleSessionName: the RoleSessionName attribute in the role-based SSO authentication response
        For example, if the tom@example.local user of a trusted IdP logs on to the Alibaba Cloud Management Console as the RAM role test-saml-role1, the current identity is test-saml-role1/tom@example.local. If the tom@example.local user switches the identity to the RAM role alice-testrole, the current identity is alice-testrole/tom@example.local. The value of RoleSessionName remains unchanged.

    The smaller value between the Maximum Session Duration and Logon Session Valid For parameters is used as the maximum session duration for a RAM role. For more information, see Specify the maximum session duration for a RAM role and Configure security policies for RAM users.

Use the RAM API

An authorized RAM user can use an AccessKey pair to call the AssumeRole operation. This way, the RAM user obtains an STS token and can use the STS token to access Alibaba Cloud resources.

Note If the obtained STS token is disclosed, you can disable all the STS tokens. For more information, see What do I do if STS tokens are disclosed?.
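The following is an added example (not the Alibaba Cloud SDK and not code from this document) of the AssumeRole call described above. It builds and signs the request with the RAM user's AccessKey pair using the RPC-style request signature (HMAC-SHA1, SignatureVersion 1.0, parameters sorted and percent-encoded), optionally narrows the token with a session Policy and a short DurationSeconds, and then reads the Credentials block of the response so the STS token's remaining lifetime can be checked. The AccessKey pair, account ID, role name and response body are constructed placeholders, and nothing is sent over the network.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import uuid
from datetime import datetime, timezone

# Added example, not the Alibaba Cloud SDK and not code from this document.
# Signs an STS AssumeRole request with a RAM user's AccessKey pair and parses
# the temporary credentials returned. All credential values are placeholders.

STS_ENDPOINT = "https://sts.aliyuncs.com/"


def percent_encode(value):
    # RFC 3986 encoding as the signature scheme requires: space -> %20, '*' -> %2A, '~' kept.
    return urllib.parse.quote(str(value), safe="-_.~")


def string_to_sign(method, params):
    # Parameters sorted by name, each name and value percent-encoded, then the
    # whole canonical query string percent-encoded once more.
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(text, access_key_secret):
    # HMAC-SHA1 keyed with AccessKeySecret plus a trailing '&', Base64-encoded.
    mac = hmac.new((access_key_secret + "&").encode(), text.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_assume_role_request(access_key_id, access_key_secret, role_arn, role_session_name,
                              duration_seconds=3600, policy=None, timestamp=None, nonce=None):
    """Return the signed query parameters of an AssumeRole call (HTTP GET).

    policy, if given, is a session policy dict that further narrows what the
    returned token may do; timestamp and nonce can be fixed for testing."""
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "RoleArn": role_arn,
        "RoleSessionName": role_session_name,
        "DurationSeconds": str(duration_seconds),
    }
    if policy is not None:
        params["Policy"] = json.dumps(policy, separators=(",", ":"))
    # Signature is computed over every other parameter, then appended.
    params["Signature"] = sign(string_to_sign("GET", params), access_key_secret)
    return params


def request_url(params):
    return STS_ENDPOINT + "?" + "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())


def parse_timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credentials_from_response(body):
    """Extract the temporary credentials from an AssumeRole JSON response body."""
    creds = json.loads(body)["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "AccessKeySecret": creds["AccessKeySecret"],
        "SecurityToken": creds["SecurityToken"],
        "Expiration": parse_timestamp(creds["Expiration"]),
    }


def seconds_remaining(creds, now=None):
    now = now or datetime.now(timezone.utc)
    return int((creds["Expiration"] - now).total_seconds())


if __name__ == "__main__":
    # Constructed placeholder AccessKey pair, account ID and role; never embed real secrets.
    params = build_assume_role_request(
        "PLACEHOLDER-ACCESS-KEY-ID", "PLACEHOLDER-ACCESS-KEY-SECRET",
        "acs:ram::123456789012:role/alice-testrole", "tom", duration_seconds=900,
        policy={"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:GetObject",
                                              "Resource": "acs:oss:*:*:example-bucket/*"}]},
    )
    print(request_url(params))
    # Constructed sample response body in the shape AssumeRole returns.
    sample = json.dumps({"RequestId": "PLACEHOLDER", "AssumedRoleUser": {"AssumedRoleId": "PLACEHOLDER:tom",
                         "Arn": "acs:ram::123456789012:role/alice-testrole/tom"},
                         "Credentials": {"AccessKeyId": "STS.PLACEHOLDER", "AccessKeySecret": "PLACEHOLDER",
                                         "SecurityToken": "PLACEHOLDER", "Expiration": "2024-01-01T00:15:00Z"}})
    creds = credentials_from_response(sample)
    print("token valid for", seconds_remaining(creds, parse_timestamp("2024-01-01T00:00:00Z")), "seconds")
```

To use the STS token, later API calls are signed the same way with the returned AccessKeyId and AccessKeySecret in place of the RAM user's pair, plus a SecurityToken parameter carrying the returned token. Keeping DurationSeconds short and passing a session Policy limits what a disclosed token can do until it expires or is disabled as the note above describes.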