Resource Access Management: Grant permissions across cloud services

Last Updated: Dec 12, 2023

If you want to authorize a cloud service to access resources of a different cloud service, you must grant permissions across these cloud services. This topic uses example policies to demonstrate how to grant permissions across cloud services.

To grant permissions across cloud services, you can use policies of general authorization or fine-grained authorization.

  • General authorization

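    RAM users in an Alibaba Cloud account who have this policy attached can authorize a specific cloud service to access resources of other cloud services. Because Resource is "*", the ram:CreateRole and ram:AttachPolicyToRole actions are allowed on all RAM roles and policies in the account.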

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateRole",
                    "ram:AttachPolicyToRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "*"
                ]
            }
        ],
        "Version": "1"
    }
  • Fine-grained authorization

    Authorized RAM users that belong to an Alibaba Cloud account can authorize a specific cloud service to access resources of another cloud service.

    Note

    Unlike the general authorization policy, the fine-grained authorization policy names the RAM role and the policy in the Resource element. In this example, the RAM role is aliyuncasdefaultrole, and the system policy for SSL Certificates Service is AliyunCASRolePolicy.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ram:AttachPolicyToRole",
                    "ram:CreateRole"
                ],
                "Resource": [
                    "acs:ram:*:system:policy/AliyunCASRolePolicy",
                    "acs:ram:*:*:role/aliyuncasdefaultrole"
                ],
                "Effect": "Allow"
            }
        ]
    }
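
The following Python check is an added example, not part of the original documentation. It flags Allow statements that grant ram:CreateRole or ram:AttachPolicyToRole on a resource that is not pinned to a named role or policy, which is the difference between the two policies above. The ARN layout read from the page's example and the case-insensitive wildcard matching of actions are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# The two actions granted by both policies on this page.
SENSITIVE = ("ram:CreateRole", "ram:AttachPolicyToRole")

def as_list(value):
    """Policy elements may be a single string/object or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_unscoped(resource):
    """True unless the ARN names one role or policy, as the fine-grained policy does.
    Assumed layout, from the page: acs:ram:<region>:<account>:<type>/<name>"""
    parts = resource.split(":", 4)
    if len(parts) != 5 or "/" not in parts[4]:
        return True  # bare "*" or a truncated ARN
    return any(ch in parts[4] for ch in "*?")

def audit(policy):
    """Return (statement_index, action, resource) for each Allow statement that
    grants a sensitive action on a resource not pinned to a name."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for index, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: action patterns are compared case-insensitively.
        patterns = [p.lower() for p in as_list(stmt.get("Action"))]
        for action in SENSITIVE:
            if not any(fnmatchcase(action.lower(), p) for p in patterns):
                continue
            for resource in as_list(stmt.get("Resource")):
                if is_unscoped(resource):
                    findings.append((index, action, resource))
    return findings

# The page's two policies, re-typed as Python dicts.
ACTIONS = ["ram:CreateRole", "ram:AttachPolicyToRole"]
GENERAL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ACTIONS, "Resource": ["*"]}]}
FINE_GRAINED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ACTIONS, "Resource": [
        "acs:ram:*:system:policy/AliyunCASRolePolicy",
        "acs:ram:*:*:role/aliyuncasdefaultrole"]}]}

if __name__ == "__main__":
    for name, doc in (("general", GENERAL), ("fine-grained", FINE_GRAINED)):
        print(name, audit(doc))
```

The general policy yields one finding per action, while the fine-grained policy yields none.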