Managed Service for Prometheus:Use a RAM role to access ARMS resources across Alibaba Cloud accounts

Last Updated:Mar 11, 2026

When multiple Alibaba Cloud accounts need to share cloud resources, the account that owns the resources (the resource owner) can delegate access to another account (the accessing account) through RAM role delegation. This avoids sharing permanent credentials between accounts while maintaining fine-grained access control.

The resource owner creates a RAM role, attaches permission policies such as Application Real-Time Monitoring Service (ARMS) policies, and establishes a trust relationship with the accessing account. A RAM user from the accessing account then assumes that role to work with the shared resources.

How cross-account access works

A RAM role is a virtual identity with no permanent credentials. It can only be used after a trusted entity assumes it. Cross-account access involves five steps:

  1. The resource owner creates a RAM role and sets the accessing account as a trusted entity.

  2. The resource owner attaches ARMS permission policies to the RAM role.

  3. The accessing account creates a RAM user.

  4. The accessing account attaches the AliyunSTSAssumeRoleAccess policy to the RAM user.

  5. The RAM user assumes the role to access the resource owner's resources through the console or API.

ARMS permission policies

ARMS provides two system policies:

  Policy                      Permissions
  AliyunARMSFullAccess        Full permissions on ARMS. RAM users can view, edit, and delete instances across all sub-services.
  AliyunARMSReadOnlyAccess    Read-only permissions on ARMS. RAM users can view instance information of each sub-service but cannot modify or delete anything.

If you attach AliyunARMSFullAccess, you do not need to also attach AliyunARMSReadOnlyAccess.
Important

To grant read-only access to all ARMS features within a specific resource group, attach both the AliyunARMSReadOnlyAccess policy and the ReadTraceApp permission to that resource group. Without both, ARMS cannot display the application list for the authorized resource group.

Prerequisites

Before you begin, make sure that you have:

  • Administrator access to the RAM console for both the resource owner account and the accessing account

  • The Alibaba Cloud account ID of the accessing account (viewable on the Security Settings page)

Step 1: Create a RAM role (resource owner)

Create a RAM role under the resource owner account and designate the accessing account as a trusted entity.

  1. Log on to the RAM console with a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

    Create Role button on the Roles page

  4. On the Create Role page, set the Principal Type to Cloud Account, then configure the trusted account:

    • Current Account: Select this if a RAM user or RAM role within your own account will assume the role.

    • Other Account: Select this if a RAM user or RAM role from a different Alibaba Cloud account will assume the role. Enter the ID of the accessing account.

    For cross-account access, select Other Account and enter the accessing account's ID.

    Create Role page with Principal Type settings

    For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts. To find your account ID, go to the Security Settings page.

  5. (Optional) To restrict which RAM user or RAM role from the trusted account can assume this role, click Switch to Policy Editor and modify the trust policy.

    The editor supports both Visual editor and JSON modes. The following example allows only the RAM user Alice from account 100******0719 to assume the role:

    • Visual editor

      Set a RAM user for the Principal element.

      Visual editor Principal element

      Visual editor Principal specification

    • JSON

      Specify a RAM user in the RAM field of the Principal parameter:

         {
           "Version": "1",
           "Statement": [
             {
               "Effect": "Allow",
               "Principal": {
                 "RAM": "acs:ram::100******0719:user/Alice"
               },
               "Action": "sts:AssumeRole"
             }
           ]
         }
  6. In the Create Role dialog box, set the Role Name and click OK.
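A trust policy decides who can assume the role, so it is worth checking it before the role is created. The following Python check is an added example, not code from the Alibaba Cloud documentation: it parses a trust policy like the one in step 5 and reports principals that are broader than intended (a wildcard, an account-level root principal, or a principal from an account other than the accessing account). The masked account ID is the one shown on this page; the helper names are my own.

```python
import json

# Constructed sample: the step 5 trust policy, restricted to RAM user Alice in
# the accessing account (account ID masked exactly as on the page).
TRUST_POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "RAM": "acs:ram::100******0719:user/Alice"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
"""


def principals_of(statement):
    """Return the RAM principal ARNs of a statement as a list (RAM may be a string or a list)."""
    ram = statement.get("Principal", {}).get("RAM", [])
    return [ram] if isinstance(ram, str) else list(ram)


def check_trust_policy(policy_text, trusted_account_id):
    """Return a list of findings for a RAM role trust policy; an empty list means it passed.

    Flags: a statement that is not an Allow of an sts:AssumeRole* action, a wildcard
    principal, a principal from an account other than trusted_account_id, and an
    account-level (root) principal, which lets any user or role in that account assume the role.
    """
    policy = json.loads(policy_text)
    findings = []
    if policy.get("Version") != "1":
        findings.append("Version must be '1'")
    for idx, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions or [])
        if st.get("Effect") != "Allow" or any(not a.startswith("sts:AssumeRole") for a in actions):
            findings.append(f"statement {idx}: a trust policy should only Allow sts:AssumeRole actions")
        for arn in principals_of(st):
            if arn == "*":
                findings.append(f"statement {idx}: wildcard principal lets any account assume the role")
                continue
            # ARN shape: acs:ram::<account-id>:user/<name>, acs:ram::<account-id>:role/<name>,
            # or acs:ram::<account-id>:root for the whole account.
            parts = arn.split(":")
            if len(parts) != 5 or parts[0] != "acs" or parts[1] != "ram":
                findings.append(f"statement {idx}: malformed principal {arn!r}")
                continue
            account, identity = parts[3], parts[4]
            if account != trusted_account_id:
                findings.append(f"statement {idx}: principal from untrusted account {account}")
            if identity == "root":
                findings.append(f"statement {idx}: account-level principal {arn!r}; prefer a specific user or role")
    return findings


if __name__ == "__main__":
    for finding in check_trust_policy(TRUST_POLICY_JSON, "100******0719") or ["trust policy OK"]:
        print(finding)
```

Run the check with the ID of the accessing account from the Security Settings page; any finding means the role would trust more than the one RAM user you intended.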

Step 2: Grant permissions to the RAM role (resource owner)

The newly created RAM role has no permissions by default. Attach permission policies to grant the access level you need.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the target role and click Grant Permission in the Actions column.

    Grant Permission action on the Roles page

    Tip: Select multiple RAM roles and click Grant Permission at the bottom of the list to grant permissions in bulk.
  4. In the Grant Permission panel, configure the following settings:

    1. Resource Scope: Choose the authorization scope.

      • Account: The authorization applies to the entire Alibaba Cloud account.

      • Resource Group: The authorization applies to a specific resource group.

      Note: If you select Resource Group, make sure that the target cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Principal: The current RAM role is automatically selected.

    3. Policy: Select one or more policies to attach. You can select multiple policies at a time.

      • System policies: Predefined by Alibaba Cloud and not editable. For more information, see Services that work with RAM.

        Note: The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless necessary.
      • Custom policies: Created and managed by you. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Step 3: Create a RAM user (accessing account)

Create a RAM user under the accessing account. This user will assume the RAM role created in Step 1.

  1. Log on to the RAM console with the accessing account's Alibaba Cloud account or a RAM user with administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

    Create User button on the Users page

  4. In the User Account Information section, configure the following parameters:

    • Logon Name: Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: Up to 128 characters.

    • Tag: Click the edit icon and enter a tag key-value pair. Tags help you organize and manage RAM users.

    Tip: Click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.

    To keep credentials separate, select only one access mode per RAM user.

    • Console Access (for human users)

      Allows the RAM user to log on with a username and password. Configure the following options:

      • Set Console Password: Choose Automatically Regenerate Default Password or Reset Custom Password. For custom passwords, the password must meet complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: Whether the user must reset the password on next logon.

      • Enable MFA: Whether to enable multi-factor authentication (MFA). If enabled, bind an MFA device to the user. For more information, see Bind an MFA device to a RAM user.

    • Using permanent AccessKey to access (for programmatic access)

      The system generates an AccessKey ID and AccessKey secret for API access. For more information, see Obtain an AccessKey pair.

      Important

      The AccessKey secret is displayed only at creation time. Save it immediately. For production workloads, use Security Token Service (STS) tokens instead of permanent AccessKey pairs to reduce credential leak risks. For more information, see Best practices for using an access credential to call API operations.

  6. Click OK.

  7. Complete security verification as prompted.

Step 4: Grant the AssumeRole permission to the RAM user (accessing account)

Attach the AliyunSTSAssumeRoleAccess policy to the RAM user so it can assume the resource owner's RAM role.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

    Add Permissions action on the Users page

    Tip: Select multiple RAM users and click Add Permissions at the bottom of the page to grant permissions in bulk.
  4. In the Grant Permission panel, configure the following settings:

    1. Resource Scope: Choose the authorization scope.

      • Account: The authorization applies to the entire Alibaba Cloud account.

      • Resource Group: The authorization applies to a specific resource group.

      Important

      If you select Resource Group, make sure that the target cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

    2. Principal: The current RAM user is automatically selected.

    3. Policy: Search for and select the AliyunSTSAssumeRoleAccess system policy.

      • System policies: Predefined by Alibaba Cloud and not editable. For more information, see Services that work with RAM.

        Note: The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless necessary.
      • Custom policies: Created and managed by you. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Verify cross-account access

After completing the setup, the RAM user from the accessing account can access the resource owner's cloud resources through the console or API.

Log on to the console

  1. Open the Alibaba Cloud Management Console and log on as the RAM user.

  2. On the RAM User Logon page, enter the username in one of the following formats and click Next:

    Format                                                    Example
    <UserName>@<AccountAlias>.onaliyun.com (default domain)   alice@company-alias.onaliyun.com
    <UserName>@<AccountAlias> (account alias)                 alice@company-alias
    <UserName>@<DomainAlias> (domain alias, if configured)    alice@example.com

    RAM User Logon page

    For more information about domain names and aliases, see Terms, View and modify the default domain name, and Create and verify a domain alias.

  3. Enter the logon password and click Log On.

  4. (Optional) If MFA is enabled, complete multi-factor authentication.

    For more information, see Multi-factor authentication (MFA) and Bind an MFA device to a RAM user.

Call API operations

To access the resource owner's cloud resources through API calls, the RAM user must first call the STS AssumeRole operation to get a temporary security token. Use the returned AccessKeyId, AccessKeySecret, and SecurityToken in your API requests.
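The two API calls described above, as an added Python example that is not part of the Alibaba Cloud documentation: first the RAM user's long-term AccessKey pair signs an STS AssumeRole request, then the temporary AccessKeyId, AccessKeySecret, and SecurityToken from the response sign a request to the resource owner's service. The signing shown is the RPC-style signature (SignatureVersion 1.0, HMAC-SHA1 over the sorted, percent-encoded parameters) that the official SDKs implement; the role ARN, session name, sample credentials, and the placeholder action in the second call are constructed values, and the ARMS API version is an assumption. No network request is made, so the code runs offline.

```python
import base64
import hashlib
import hmac
import urllib.parse
import uuid
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com"  # STS endpoint; AssumeRole is API version 2015-04-01


def percent_encode(value):
    """Encode as the RPC signature requires: only unreserved characters (A-Z a-z 0-9 - _ . ~) stay literal."""
    return urllib.parse.quote(str(value), safe="~")


def sign_rpc_request(params, access_key_id, access_key_secret, security_token=None,
                     http_method="GET", timestamp=None, nonce=None):
    """Return (signed_params, string_to_sign) for an RPC-style API request.

    Common parameters and the Signature are added here; the caller supplies the
    action-specific ones. When security_token is given (credentials returned by
    AssumeRole), it is sent as the SecurityToken parameter, which is what makes a
    temporary AccessKey pair a valid caller identity.
    """
    signed = dict(params)
    signed.update({
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    if security_token:
        signed["SecurityToken"] = security_token
    # Canonicalized query: parameters sorted by name, each key and value percent-encoded.
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(signed[k])}" for k in sorted(signed))
    string_to_sign = f"{http_method}&{percent_encode('/')}&{percent_encode(canonical)}"
    # The HMAC key is the AccessKeySecret with a trailing '&'.
    digest = hmac.new((access_key_secret + "&").encode(), string_to_sign.encode(), hashlib.sha1).digest()
    signed["Signature"] = base64.b64encode(digest).decode()
    return signed, string_to_sign


def build_assume_role_url(role_arn, session_name, ak_id, ak_secret, duration_seconds=3600, **kw):
    """Step 1 of the flow: the RAM user's long-term AccessKey pair signs the AssumeRole call."""
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "RoleArn": role_arn,                  # acs:ram::<resource-owner-account-id>:role/<role-name>
        "RoleSessionName": session_name,      # appears in the resource owner's audit records
        "DurationSeconds": duration_seconds,
    }
    signed, _ = sign_rpc_request(params, ak_id, ak_secret, **kw)
    return f"{STS_ENDPOINT}/?{urllib.parse.urlencode(signed)}"


# Constructed sample of the Credentials object AssumeRole returns (not a real token).
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLE_ID",
        "AccessKeySecret": "EXAMPLE_SECRET",
        "SecurityToken": "EXAMPLE_TOKEN",
        "Expiration": "2026-03-11T10:00:00Z",
    }
}


def sign_with_sts_credentials(params, sts_response, **kw):
    """Step 2 of the flow: sign a service request with the temporary credentials, SecurityToken included."""
    creds = sts_response["Credentials"]
    return sign_rpc_request(params, creds["AccessKeyId"], creds["AccessKeySecret"],
                            security_token=creds["SecurityToken"], **kw)


if __name__ == "__main__":
    # Constructed role ARN and long-term AccessKey pair for illustration only.
    print(build_assume_role_url("acs:ram::123456789012345678:role/arms-cross-account",
                                "alice-session", "LTAI_EXAMPLE_ID", "LTAI_EXAMPLE_SECRET"))
    # Placeholder action; substitute the ARMS operation you are calling (version 2019-08-08 assumed).
    signed, _ = sign_with_sts_credentials({"Action": "ExampleAction", "Version": "2019-08-08"},
                                          SAMPLE_STS_RESPONSE)
    print(signed["SecurityToken"], signed["Signature"])
```

The temporary credentials expire at the returned Expiration time, so a long-running caller should re-run AssumeRole rather than cache them; RoleSessionName is what the resource owner sees in audit records, so give each caller a distinct one.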

What's next