You can use a Resource Access Management (RAM) role, a RAM user, or the root user to access member accounts. For security purposes, we recommend that you use a RAM role or RAM user to access member accounts.

Use a RAM role to access a member account

The system automatically creates a RAM role named ResourceDirectoryAccountAccessRole for each member account in a resource directory. The trusted entity of the role is the enterprise management account of the resource directory. You can use the enterprise management account or a RAM user of the enterprise management account to assume the ResourceDirectoryAccountAccessRole role of a member account and access the member account.

  1. Create a RAM user by using the enterprise management account.
    For more information, see Create a RAM user.
  2. Grant permissions to the RAM user.

    You must grant the following permissions to the RAM user:

    • AliyunSTSAssumeRoleAccess: the permission to call the AssumeRole operation of Security Token Service (STS)
    • AliyunResourceDirectoryFullAccess: the permission to manage a resource directory
    Note If you want to use the RAM user as an administrator, you can grant the AdministratorAccess permission to it.

    For more information, see Grant permissions to a RAM user.

  3. Use the RAM user to log on to the Resource Management console.
  4. In the left-side navigation pane, choose Resource Directory > Overview.
  5. Click the Organization or Member Accounts tab.
  6. Find the member account that you want to access and click Logon Account in the Actions column.

    Then, you can use the RAM user to assume the RAM role ResourceDirectoryAccountAccessRole of the member account and perform the operations that are defined for the RAM role.

Use a RAM user to access a member account

You can create a RAM user for a member account and use this RAM user to log on to the Alibaba Cloud Management Console and access the member account.

  1. Use a RAM user that belongs to the enterprise management account to assume the related RAM role and access a member account.
    For more information, see Use a RAM role to access a member account.
  2. Create a RAM user for the member account.
    For more information, see Create a RAM user.
  3. Grant permissions to the newly created RAM user.
    If you want to access all the resources of a member account, grant the AdministratorAccess permission to the newly created RAM user. In other cases, grant permissions to the RAM user based on your business requirements. For more information, see Grant permissions to a RAM user.
  4. Use the newly created RAM user to log on to the Alibaba Cloud Management Console.
    For more information, see Log on to the console as a RAM user.

Use the root user to access a member account

You can use the root user to log on to the Alibaba Cloud Management Console and access the member account.

Note For security purposes, we recommend that you do not use the root user to access member accounts.
  1. Log on to the Alibaba Cloud Management Console.
    Note If you have logged on to the Alibaba Cloud Management Console by using another account, log off from the console first.
  2. Enter the username and password of your account.
  3. Click Sign In.