
Object Storage Service:Tutorial: Authorize a RAM user of another Alibaba Cloud account by creating a RAM role

Last Updated:Jul 28, 2023

By default, Object Storage Service (OSS) resources can be accessed only by their owners. To authorize another user to access your OSS resources, you can grant permissions to the user by creating a Resource Access Management (RAM) role.

Background information

Example: Company A wants to authorize Company B to access the OSS resources of Company A. However, Company A does not want to provide Company B with the credentials of a RAM user. In this case, Company A can create a RAM role and grant the RAM role the permissions to access the OSS resources of Company A. Company B can use a RAM user to assume the RAM role. This way, Company B can access the OSS resources of Company A.

Step 1: Company A creates a RAM role and grants the RAM role the permissions to access the OSS resources of Company A

Company A must create a RAM role that has the permissions to access the OSS resources of Company A.

  1. Create a RAM role.

    1. Log on to the RAM console as Company A.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Account and click Next.

    5. Configure the RAM role.

      1. Specify a name for the RAM role in the Role Name field. In this example, RAM Role Name is set to admin-oss.

      2. Optional: Enter notes in the Note field.

      3. Set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account and enter the UID of an Alibaba Cloud account that belongs to Company B. In this example, the UID of the Alibaba Cloud account of Company B is 17464958576******.

    6. Click OK.

  2. Grant permissions to the RAM role.

    1. On the Roles page, locate the admin-oss role that you created and click Add Permissions in the Actions column.

    2. In the Add Permissions panel, select System Policy in the Select Policy section and click AliyunOSSReadOnlyAccess.

      Important

      The AliyunOSSReadOnlyAccess policy grants read-only permissions on all OSS resources in the account. To grant access only to specific buckets or to specific directories in a bucket, create a custom policy instead. For more information, see Overview of RAM policies.

    3. Click OK.

If you want to specify that the RAM role can be assumed only by specified RAM users, you can change the trusted entity of the RAM role. For more information, see Edit the trust policy of a RAM role.
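The two policies that Step 1 configures through the console are plain JSON documents: the trust policy that decides who may assume admin-oss, and the permission policy attached to it. The following Python is an added example (not code from the Alibaba Cloud documentation) that builds both, covering the account-wide trust the step above creates, the narrowed trust policy that lists specific RAM users, and a bucket- or directory-scoped read-only policy as the alternative to AliyunOSSReadOnlyAccess mentioned in the Important note. The account IDs, the bucket name `examplebucket`, the prefix `reports/` and the RAM user name `oss-reader` are constructed placeholders; the ARN formats `acs:ram::<uid>:root`, `acs:ram::<uid>:user/<name>`, `acs:ram::<uid>:role/<name>` and `acs:oss:*:*:<bucket>` are the standard Alibaba Cloud forms.

```python
import json

# Constructed placeholder UIDs standing in for the masked values on the page
# (178810717****** for Company A, 17464958576****** for Company B).
COMPANY_A_UID = "178810717000000"   # owns the bucket and the RAM role
COMPANY_B_UID = "174649585760000"   # trusted account whose RAM user assumes the role


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(trusted_uid, ram_users=None):
    """Trust policy for a RAM role whose trusted entity is another account.

    ram_users=None trusts the whole account (what selecting "Other Alibaba Cloud
    Account" in Step 1 produces). A list of RAM user names narrows the principal
    to those users only, which is the tighter form reached by editing the trust
    policy of the role.
    """
    if ram_users:
        principals = [f"acs:ram::{trusted_uid}:user/{name}" for name in ram_users]
    else:
        principals = [f"acs:ram::{trusted_uid}:root"]
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"RAM": principals},
            }
        ],
    }


def build_bucket_readonly_policy(bucket, prefix=None):
    """Custom policy: read-only access to one bucket, optionally one directory.

    `prefix` is a directory prefix ending in "/" (for example "reports/").
    Listing is restricted with the oss:Prefix condition key and object reads
    with the resource path, so nothing outside the directory is readable.
    """
    list_statement = {
        "Effect": "Allow",
        "Action": ["oss:ListObjects"],
        "Resource": [f"acs:oss:*:*:{bucket}"],
    }
    if prefix:
        list_statement["Condition"] = {"StringLike": {"oss:Prefix": [f"{prefix}*"]}}
        object_resource = f"acs:oss:*:*:{bucket}/{prefix}*"
    else:
        object_resource = f"acs:oss:*:*:{bucket}/*"
    get_statement = {
        "Effect": "Allow",
        "Action": ["oss:GetObject"],
        "Resource": [object_resource],
    }
    return {"Version": "1", "Statement": [list_statement, get_statement]}


def role_arn(owner_uid, role_name):
    """ARN that a caller passes to STS AssumeRole for a role in another account."""
    return f"acs:ram::{owner_uid}:role/{role_name}"


def trusts_whole_account(trust_policy):
    """Review check: does any AssumeRole statement trust an entire account?

    A ":root" principal lets every RAM user of that account with
    AliyunSTSAssumeRoleAccess assume the role, not just the intended one.
    """
    for statement in trust_policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
            continue
        for principal in _as_list(statement.get("Principal", {}).get("RAM", [])):
            if principal.endswith(":root"):
                return True
    return False


if __name__ == "__main__":
    broad = build_trust_policy(COMPANY_B_UID)
    narrow = build_trust_policy(COMPANY_B_UID, ["oss-reader"])
    print("trust policy from Step 1 (whole account):")
    print(json.dumps(broad, indent=2), "-> broad:", trusts_whole_account(broad))
    print("trust policy narrowed to one RAM user:")
    print(json.dumps(narrow, indent=2), "-> broad:", trusts_whole_account(narrow))
    print("bucket-scoped read-only policy:")
    print(json.dumps(build_bucket_readonly_policy("examplebucket", "reports/"), indent=2))
    print("role ARN Company B assumes:", role_arn(COMPANY_A_UID, "admin-oss"))
```

Running the script prints the JSON you would paste into the console's policy editors. `trusts_whole_account` is the check worth running before saving a trust policy: the console flow in Step 1 necessarily produces the `:root` form, so narrowing to named users is a follow-up edit rather than something the wizard offers.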

Step 2: Company B creates a RAM user and grants the RAM user the permissions to assume RAM roles

Company B must create a RAM user that has the permissions to assume RAM roles. Company B can use the RAM user to assume the RAM role that is created by Company A.

  1. Create a RAM user.

    1. Log on to the RAM console as Company B.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. In the User Account Information section of the Create User page, set a logon name in the Logon Name field and a display name in the Display Name field.

    5. In the Access Mode section, select Console Password Logon, and set the logon password, password reset policy, and multi-factor authentication based on your business requirements.

      Note

      If you select Reset Custom Password for Set Logon Password, you must specify a password that meets the password complexity requirements. For more information about the password complexity requirements, see Configure a password policy for RAM users.

    6. Click OK.

  2. Grant permissions to the RAM user.

    1. On the Users page, locate the RAM user that you created and click Add Permissions in the Actions column.

    2. On the Add Permissions page, select System Policy in the Select Policy section and click AliyunSTSAssumeRoleAccess.

    3. Click OK.

Step 3: Company B uses the created RAM user to log on to the Alibaba Cloud Management Console and assume the RAM role that is created by Company A

Company B uses the created RAM user to log on to the Alibaba Cloud Management Console and switches the identity to the RAM role that is created by Company A.

  1. Log on to the Alibaba Cloud Management Console as the RAM user of Company B. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. In the upper-right corner of the console, move the pointer over the profile picture and click Switch Identity.

  3. On the Switch Role page, enter the information about the RAM role and click Submit.

    Enter the following information for the RAM role:

    • Enterprise Alias/Default Domain Name: Enter the alias or default domain name of Company A. For more information, see Terms.

      In this example, the default domain name 178810717******.onaliyun.com is used. 178810717****** is the UID of an Alibaba Cloud account that belongs to Company A.

    • Role Name: Enter admin-oss, which is the name of the RAM role created by Company A.

  4. Log on to the OSS console and manage the OSS resources of Company A.

References

You can also authorize a RAM user of another Alibaba Cloud account by adding a bucket policy. For more information, see Tutorial: Authorize a RAM user in another Alibaba Cloud account by adding a bucket policy.