This topic uses two example policies to demonstrate how to grant permissions across cloud services.

Granting permissions across cloud services refers to authorizing a cloud service to access resources of another cloud service. To grant permissions across cloud services, you can use either general authorization or precise authorization.

  • General authorization: Authorized RAM users under an Alibaba Cloud account can grant permissions across cloud services.
    {
        "Statement": [
            {
                "Action": [
                    "ram:GetPolicy",
                    "ram:CreateRole",
                    "ram:AttachPolicyToRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "*"
                ]
            }
        ],
        "Version": "1"
    }
  • Precise authorization: Authorized RAM users under an Alibaba Cloud account can only authorize Alibaba Cloud SSL Certificates Service to access resources of other cloud services.
    Note: Compared with the general authorization policy, the precise authorization policy specifies a RAM role and a policy name. In this example, the RAM role is AliyunCASDefaultRole and the system policy of Alibaba Cloud SSL Certificates Service is AliyunCASRolePolicy.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:GetPolicy",
                    "ram:AttachPolicyToRole"
                ],
                "Resource": [
                    "acs:ram:*:*:policy/AliyunCASRolePolicy",
                    "acs:ram:*:*:role/AliyunCASDefaultRole"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ram:CreateRole"
                ],
                "Resource": "acs:ram:*:*:role/*"
            }
        ],
        "Version": "1"
    }
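
The following Python check is an added example, not part of the original documentation. It reports which role-setup actions a policy allows on wildcard role or policy names and classifies the policy as general or precise in the sense used above. The function names are hypothetical, and the check reads only Allow statements (Deny statements and Condition blocks are ignored).

```python
from fnmatch import fnmatchcase

# Actions the page's two policies use to set up a service role.
ROLE_SETUP_ACTIONS = ("ram:GetPolicy", "ram:CreateRole", "ram:AttachPolicyToRole")

# The two policies from this page, re-typed compactly.
GENERAL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["ram:GetPolicy", "ram:CreateRole", "ram:AttachPolicyToRole"]}]}
PRECISE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ram:GetPolicy", "ram:AttachPolicyToRole"],
     "Resource": ["acs:ram:*:*:policy/AliyunCASRolePolicy",
                  "acs:ram:*:*:role/AliyunCASDefaultRole"]},
    {"Effect": "Allow", "Action": ["ram:CreateRole"],
     "Resource": "acs:ram:*:*:role/*"}]}


def as_list(value):
    """Action and Resource may be one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def name_is_wildcard(resource):
    """True when the resource type or name (the part after the last ':') has a '*'."""
    kind, _, name = resource.rsplit(":", 1)[-1].partition("/")
    return "*" in kind or "*" in name


def unscoped_grants(policy):
    """(action, resource) pairs where a role-setup action is allowed on a wildcard name."""
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [r for r in as_list(stmt.get("Resource", [])) if name_is_wildcard(r)]
        for pattern in as_list(stmt.get("Action", [])):
            for action in ROLE_SETUP_ACTIONS:
                # Simplification: case-insensitive glob match on the action pattern.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.update((action, r) for r in wild)
    return sorted(findings)


def classify(policy):
    """'general' if ram:AttachPolicyToRole reaches a wildcard role or policy, else 'precise'."""
    attach = [r for a, r in unscoped_grants(policy) if a == "ram:AttachPolicyToRole"]
    return "general" if attach else "precise"


if __name__ == "__main__":
    for label, policy in (("general", GENERAL), ("precise", PRECISE)):
        print(label, classify(policy), unscoped_grants(policy))
```

For the precise policy the only remaining finding is ram:CreateRole on role/*, which matches the second statement of that policy: role creation stays unrestricted by name, while attaching is limited to AliyunCASRolePolicy and AliyunCASDefaultRole.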