edit-icon download-icon

Use RAM roles to control cross account resource access

Last Updated: Sep 15, 2017

Assume that an enterprise A has bought a lot of cloud resources, such as ECS instances, RDS instances, Server Load Balancer instances, and OSS buckets for its business requirements.

  • Enterprise A wants to focus on its business systems, so it grants cloud resource O&M, monitoring management, and other tasks to the enterprise B.

  • Enterprise B can then further delegate O&M tasks to its employees. Enterprise B needs to precisely control the delegate operations that its employees can perform on the cloud resources of the enterprise A.

  • If A and B terminate this O&M entrustment contract, enterprise A is able to revoke the permissions of the enterprise B as needed.


  • Authorization between two Alibaba Cloud accounts, A and B.

  • Account A is the resource owner and wants to grant B permissions to perform operations on its resources.

  • Account B needs to further allocate permissions to its sub-users (employees or applications).

  • If an employee of B joins or leaves the company, A does not have to make any changes to the permissions.

  • If A and B terminate their cooperation, A is able to revoke B’s permissions as needed.

Solution: Use RAM-Roles for cross-account authorization

1. Cross-account authorization procedure

Cross-account Authorization Using RAM-Roles

Assume that enterprise A (AccountID=11223344, alias: company-a) needs to grant ECS operation permissions to the employees of enterprise B (AccountID=12345678, alias: company-b). The operation procedure is as follows:

Step 1: Enterprise A creates a role

  1. A logs on to the RAM console and goes to Roles > Create Role.

  2. In the Create Role window, A selects Other Alibaba Cloud Account as the trusted account and enters the ID of the trusted account (for example, 12345678), and then enters a role name such as “ecs-admin”.

    After creating the role, enterprise A can get the role information on the details page. In this example, the role’s global name ARN is:

    1. acs:ram::11223344:role/ecs-admin

    The role’s policy (only enterprise B can assume this role) is as follows:

    1. {
    2. "Statement": [
    3. {
    4. "Action": "sts:AssumeRole",
    5. "Effect": "Allow",
    6. "Principal": {
    7. "RAM": [
    8. "acs:ram::12345678:root"
    9. ]
    10. }
    11. }
    12. ],
    13. "Version": "1"
    14. }

Step 2: A grants permissions to the role

After creating the role in the previous step, enterprise A can follow the dialog box to attach authorization policies. Or A goes to the role details page and then clicks Edit Authorization Policy to attach authorization policies.

In the authorization window, enterprise A adds the system authorization policy AliyunECSFullAccess and then clicks OK.

Step 3: Enterprise B creates sub-users and authorizes them to assume the role

  1. B logs on to the RAM console and goes to Users > Create User.

  2. In the Create User window, B enters a username such as “AAA” and sets a logon password for this user.

  3. In the user list, B clicks the created user to open the User Details page and then clicks User Authentication Policies > Edit Authentication Policy.

  4. In the Edit Individual Authorization Policy window, B adds the system authorization policy AliyunSTSAssumeRoleAccess for this user, and then clicks OK.

2. Cross-account resource access on the console

  1. B’s sub-user AAA logs on to the console. When a sub-user logs on, the sub-user must enter the enterprise alias, sub-user username, and sub-user password.

  2. After AAA logs on to the console, the user logon information is displayed in the top-right corner. AAA moves the mouse pointer to the username and clicks Switch Role to go to the identity switching page. B enters the enterprise alias of enterprise A (company-a) and the role name (ecs-admin).

  3. AAA can now perform operations on the ECS resources of enterprise A.

Thank you! We've received your feedback.