If you want to authorize a cloud service to access resources of a different cloud service, you must grant permissions across these cloud services. This topic uses example policies to demonstrate how to grant permissions across cloud services.
To grant permissions across cloud services, you can use policies of general authorization or fine-grained authorization.
General authorization
Authorized RAM users that belong to an Alibaba Cloud account can authorize a specific cloud service to access resources of other cloud services.
{ "Statement": [ { "Action": [ "ram:CreateRole", "ram:AttachPolicyToRole" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "1" }
Fine-grained authorization
Authorized RAM users that belong to an Alibaba Cloud account can authorize a specific cloud service to access resources of another cloud service.
NoteCompared with the policy of general authorization, the policy of fine-grained authorization specifies RAM roles and policy names. In this example, the RAM role is
aliyuncasdefaultrole
, and the system policy for SSL Certificates Service isAliyunCASRolePolicy
.{ "Version": "1", "Statement": [ { "Action": [ "ram:AttachPolicyToRole", "ram:CreateRole" ], "Resource": [ "acs:ram:*:system:policy/AliyunCASRolePolicy", "acs:ram:*:*:role/aliyuncasdefaultrole" ], "Effect": "Allow" } ] }