You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, authorize this role, and assign this role to Enterprise B. In this way, the Alibaba Cloud account of Enterprise B or the corresponding RAM user under the Alibaba Cloud account of Enterprise B can be used to access the Application Configuration Management (ACM) resources of Enterprise A.

Cross-entity authorization

Assume that Enterprise A (account ID: 11223344, account alias: company-a) needs to authorize Employee C of Enterprise B (account ID: 12345678, account alias: company-b) to perform operations on the ACM resources of Enterprise A. The following describes the authorization process:

The new version of the RAM console

  1. (New version) Step 1: Enterprise A creates a RAM role
  2. (New version) Step 2: Enterprise A authorizes this RAM role
  3. (New Version) Step 3: Enterprise B creates a RAM user
  4. (New version) Step 4: Enterprise B authorizes this RAM user

The old version of the RAM console

  1. (Old version) Step 1: Enterprise A creates a RAM role
  2. (Old version) Step 2: Enterprise A authorizes this RAM role
  3. (Old version) Step 3: Enterprise B creates a RAM user
  4. (Old version) Step 4: Enterprise B authorizes this RAM user
Note For more information about the account aliases of enterprises, see Set up initial RAM configurations in Set the account alias.

(New version) Step 1: Enterprise A creates a RAM role

  1. Log on to the RAM console through the Alibaba Cloud account of Enterprise A. In the left-side navigation pane, choose RAM Roles.
  2. On the RAM Roles page, click Create RAM Role.
  3. In the Create RAM Role dialog box, perform the following operations and then click OK.
    1. In the Trusted entity type section, select Alibaba Cloud Account.
    2. In the Select Trusted Alibaba Cloud Account section, select Other Alibaba Cloud Account, and enter the account to be authorized in the Account ID field.

      In this example, enter 12345678 as the Alibaba Cloud account ID of Enterprise B.

    3. In the RAM Role Name field, enter a RAM role name.

      In this example, enter acm-admin.

(New version) Step 2: Enterprise A authorizes this RAM role

A newly created RAM role does not have any authorizations. Therefore, Enterprise A must authorize this role. In this example, Enterprise A assigns the AliyunACMFullAccess authorization policy to this RAM role so that it can access the ACM resources of Enterprise A.

  1. Log on to the RAM console. In the left-side navigation pane, choose RAM Roles.
  2. On the RAM Roles page, find the RAM role to be authorized, and click Add Permissions in the Actions column.
  3. In the Add Permissions dialog box, find AliyunACMFullAccess in the left-side System Policy list, and click this policy. Then click OK.
    Note If you also use the configuration encryption and decryption function of ACM, you need to add the AliyunKMSCryptoAccess authorization policy for this RAM role.
Notice In this step, this RAM role is granted full access to ACM. For more information about how to grant a RAM role specific access to a single namespace, see Access control.

(New Version) Step 3: Enterprise B creates a RAM user

  1. Log on to the RAM console through the Alibaba Cloud account of Enterprise B. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, click Create User. In the User Account Information section, enter a logon name in the Logon Name field and a display name in the Display Name field.
    Notice The logon name must be unique within the corresponding Alibaba Cloud account.
    • To create multiple users, click Add User, and enter a logon name in the Logon Name field and a display name in the Display Name field.
  3. In the Access Mode section, select Console Password Logon, and then set Console Password, Password Reset, and Multi-factor Authentication as needed. Then click OK.

After the preceding steps are completed, a RAM user that can log on to the console is created.

(New version) Step 4: Enterprise B authorizes this RAM user

  1. Log on to the RAM console through the Alibaba Cloud account of Enterprise B. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the user to be authorized, and click Add Permissions in the Actions column.
  3. In the Add Permissions dialog box, find AliyunSTSAssumeRoleAccess in the left-side System Policy list, and click this policy. Then click OK.

(Old version) Step 1: Enterprise A creates a RAM role

  1. Log on to the RAM console through the Alibaba Cloud account of Enterprise A. In the left-side navigation pane, choose Roles.
  2. On the Role Management page, click Create Role in the upper-right corner. In the Create Role dialog box, select User Role on the Select Role Type tab.
  3. On the Enter Type tab, select Other Alibaba Cloud Account in the Select Alibaba Cloud Account section. Then enter the account ID of the Alibaba Cloud account to be authorized in the Trusted Alibaba Cloud Account ID field.

    In this example, enter 12345678 as the Alibaba Cloud account ID of Enterprise B.

  4. On the Configure Basic Information tab, enter a role name in the Role Name field. Then click Create.

    In this example, enter acm-admin.

  5. If the Phone Verification dialog box appears, click Send verification code, and enter the verification code received by your phone.

(Old version) Step 2: Enterprise A authorizes this RAM role

A newly created RAM role does not have any authorizations. Therefore, Enterprise A must authorize this role. In this example, Enterprise A assigns the AliyunACMFullAccess authorization policy to this RAM role so that it can access the ACM resources of Enterprise A.

  1. In the Create Role dialog box, click Authorize on the Role created tab. If you have closed the Create Role dialog box, on the Role Management page, find the newly created role, and click Authorize in the Actions column.
  2. On the Role Authorization Policies page, click Edit Authorization Policy in the upper-right corner.
  3. On the Search and Attach tab in the Edit Role Authorization Policy dialog box, find AliyunACMFullAccess in the left-side Available Authorization Policy Names list, and click this policy. Then click the > icon in the middle to add AliyunACMFullAccess to the right-side Selected Authorization Policy Name list. Then click OK.
  4. If the Phone Verification dialog box appears, click Send verification code, and enter the verification code received by your phone.
Notice In this step, this RAM role is granted full access to ACM. For more information about how to grant a RAM role specific access to a single namespace, seeAccess control

(Old version) Step 3: Enterprise B creates a RAM user

  1. Log on to the RAM console through the Alibaba Cloud account of Enterprise B. In the left-side navigation pane, choose Users.
  2. On the User Management page, click Create User in the upper-right corner. In the Create User dialog box, enter a user name, and enter optional information as needed. Then click OK. The newly created user is displayed on the User Management page.
    Notice This user name must be unique within the corresponding Alibaba Cloud account.
  3. On the User Management page, click the user name/display name of the newly created user.
  4. On the User Details page, click Enable Console Logon in the Web Console Logon Management section.
  5. In the dialog box for setting the password, enter a password in the New Password and Confirm Password fields, and select On your next logon you must reset the password. Then click OK.

(Old version) Step 4: Enterprise B authorizes this RAM user

  1. Log on to the RAM console. In the left-side navigation pane, choose Users.
  2. On the User Management page, find the user to be authorized, and click Authorize in the Actions column.
  3. In the Edit User-Level Authorization dialog box, find AliyunSTSAssumeRoleAccess in the left-side Available Authorization Policy Names list, and click this policy. Then click the > icon in the middle to add AliyunSTSAssumeRoleAccess to the right-side Selected Authorization Policy Name list. Then click OK.

Step 5: Use this RAM user of Enterprise B for cross-entity resource access

  1. Log on to the ACM console through this RAM user of Enterprise B.
  2. After logging on, move the pointer over the account icon and click Switch Role.
  3. On the Switch Role page, enter company-a as the account alias of Enterprise A or enter its default domain name, and enter acm-admin as the role name. Then click Switch.
  4. Perform operations on the ACM resources of Enterprise A.

More information