The following steps show how User A grants a function owned by User B permission to access User A's cloud resources:

  1. User A creates a Resource Access Management (RAM) role whose authorized user is user-B@fc.aliyuncs.com. Then, User A specifies the RAM role as the service role.
  2. User B invokes the function and uses context.credentials to assume the role created in Step 1.
  3. User B uses the credentials from this role to access the resources owned by User A.
Note: You may encounter similar scenarios when you use Log Service (SLS). For example, you may need to upload the logs of User A to the Object Storage Service (OSS) bucket of User B.
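The trust policy from Step 1 is what limits who can assume User A's role, so User A should review it. The following is an added example, not code from the original page or from Alibaba Cloud: it builds a RAM trust policy for the principal form given in Step 1 and reports any other principal the policy trusts. The account ID, the sample policy and the function names are constructed for illustration, and using `log.aliyuncs.com` as the `service` value for the Log Service case is an assumption.

```python
import json

def _as_list(value):
    # RAM policy fields may hold one item or a list of items.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def build_trust_policy(account_b_id, service="fc.aliyuncs.com"):
    """Step 1: trust policy naming only User B's service principal."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{account_b_id}@{service}"]},
        }],
    }

def audit_trust_policy(policy, account_b_id, service="fc.aliyuncs.com"):
    """Report whether the expected principal is trusted and list every other one."""
    expected = f"{account_b_id}@{service}"
    result = {"expected_present": False, "unexpected": []}
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # Deny statements and unrelated actions grant nothing here
        for kind, names in stmt.get("Principal", {}).items():
            for name in _as_list(names):
                if kind == "Service" and name == expected:
                    result["expected_present"] = True
                else:
                    result["unexpected"].append((kind, name))
    return result

# Constructed sample values, not taken from a real account.
ACCOUNT_B = "1234567890123456"
LOOSE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": [f"{ACCOUNT_B}@fc.aliyuncs.com", "fc.aliyuncs.com"],
                      "RAM": ["acs:ram::9999999999999999:root"]},
    }],
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_B), indent=2))
    print(audit_trust_policy(LOOSE_POLICY, ACCOUNT_B))
```

An empty `unexpected` list together with `expected_present` set to true means the role can be assumed only by the principal named in Step 1.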