If you want to authorize a cloud service to access resources of a different cloud service, you must grant permissions across these cloud services. This topic uses example policies to demonstrate how to grant permissions across cloud services.

To grant permissions across cloud services, you can use policies of general authorization or fine-grained authorization.

  • General authorization

    Authorized RAM users that belong to an Alibaba Cloud account can authorize a specific cloud service to access resources of other cloud services.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateRole",
                    "ram:AttachPolicyToRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "*"
                ]
            }
        ],
        "Version": "1"
    }

  • Fine-grained authorization

    Authorized RAM users that belong to an Alibaba Cloud account can authorize a specific cloud service to access resources of another cloud service.

    Note: Compared with the policy of general authorization, the policy of fine-grained authorization specifies RAM roles and policy names. In this example, the RAM role is aliyuncasdefaultrole, and the system policy for SSL Certificates Service is AliyunCASRolePolicy.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ram:AttachPolicyToRole",
                    "ram:CreateRole"
                ],
                "Resource": [
                    "acs:ram:*:system:policy/AliyunCASRolePolicy",
                    "acs:ram:*:*:role/aliyuncasdefaultrole"
                ],
                "Effect": "Allow"
            }
        ]
    }
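
The difference between the two policies can be checked mechanically when reviewing RAM policies. The following is an added example, not part of the original topic or of any Alibaba Cloud tool: a small audit that flags Allow statements granting `ram:CreateRole` or `ram:AttachPolicyToRole` on a resource that does not name a specific role or policy. The function names, the case-insensitive action comparison, and the third sample policy are assumptions made for this example.

```python
import json
from fnmatch import fnmatchcase

# The two RAM actions the policies above grant (lower-cased for comparison).
ROLE_SETUP_ACTIONS = ("ram:createrole", "ram:attachpolicytorole")

# Policies copied from this page.
GENERAL = """{"Statement": [{"Action": ["ram:CreateRole", "ram:AttachPolicyToRole"],
  "Effect": "Allow", "Resource": ["*"]}], "Version": "1"}"""
FINE_GRAINED = """{"Version": "1", "Statement": [{"Action": ["ram:AttachPolicyToRole",
  "ram:CreateRole"], "Resource": ["acs:ram:*:system:policy/AliyunCASRolePolicy",
  "acs:ram:*:*:role/aliyuncasdefaultrole"], "Effect": "Allow"}]}"""
# Constructed sample (not from the page): wildcard action and wildcard role name.
CONSTRUCTED = """{"Version": "1", "Statement": {"Action": "ram:*",
  "Effect": "Allow", "Resource": "acs:ram:*:*:role/*"}}"""

def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return (statement index, matched actions, resource) for every Allow
    statement that grants a role-setup action on an unscoped resource."""
    findings = []
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # Action entries may themselves be wildcards such as "ram:*" or "*".
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        matched = sorted(a for a in ROLE_SETUP_ACTIONS
                         if any(fnmatchcase(a, p) for p in patterns))
        if not matched:
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            # Unscoped: a bare "*" or a wildcard in the role/policy name,
            # the last field of acs:ram:<region>:<account>:<type>/<name>.
            if "*" in resource.split(":", 4)[-1]:
                findings.append((index, matched, resource))
    return findings

if __name__ == "__main__":
    for name, text in (("general", GENERAL), ("fine-grained", FINE_GRAINED),
                       ("constructed", CONSTRUCTED)):
        print(name, audit_policy(text))
```

The general authorization policy produces one finding because its resource is `*`; the fine-grained policy produces none because both resources name a specific role and policy.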