Resource operations and authorization management between enterprises

Last Updated: Aug 02, 2017


Assume that an enterprise A has bought a lot of cloud resources, such as ECS instances, RDS instances, Server Load Balancer instances and OSS buckets for its business requirements. Enterprise A wants to focus on its business systems, so it grants cloud resource O&M, monitoring management, and other tasks to the enterprise B. Enterprise B will then further delegate O&M tasks to its employees. Enterprise B needs to precisely control the delegated operations that its employees can perform on the cloud resources of the enterprise A. If A and B terminate this O&M entrustment contract, enterprise A is able to revoke the permissions of the enterprise B as needed.


  • Authorization between two Alibaba Cloud accounts, A and B.
  • Account A is the resource owner and wants to grant B permissions to perform operations on its resources.
  • Account B needs to further allocate permissions to its sub-users (employees or applications).
  • If an employee of B joins or leaves the company, A does not have to make any changes to permissions.
  • If A and B terminate their cooperation, A is able to revoke B’s permissions as needed.

Solution: Use RAM-Roles for cross-account authorization

1. Cross-account authorization procedure

Cross-account Authorization Using RAM-Roles

Assume that enterprise A (AccountID=11223344, alias: company-a) needs to grant ECS operation permissions to the employees of enterprise B (AccountID=12345678, alias: company-b). The operation procedure is as follows:

Step 1: Enterprise A creates a role

  1. Log on to the RAM console and go to Roles > New Role.

  2. In the Create Role window, select Other Alibaba Cloud Account as the trusted account and enter the ID of the trusted account (for example, 12345678), and then enter a role name such as ecs-admin.

After creating the role, enterprise A can get the role information on the details page. In this example, the role’s global name ARN is:

  1. acs:ram::11223344:role/ecs-admin

The role’s trust policy (only enterprise B can assume this role) is as follows:

  1. {
  2. "Statement": [
  3. {
  4. "Action": "sts:AssumeRole",
  5. "Effect": "Allow",
  6. "Principal": {
  7. "RAM": [
  8. "acs:ram::12345678:root"
  9. ]
  10. }
  11. }
  12. ],
  13. "Version": "1"
  14. }

Step 2: A grants permissions to the role

After creating the role in the previous step, enterprise A can follow the prompts to go to bind authorization policies. Or go to the role details page and then click Edit Authorization Policy to bind authorization policies.

In the authorization window, enterprise A can select a system authorization policy such as AliyunECSFullAccess and then click OK.

Step 3: Enterprise B creates sub-users and authorizes them to assume the role

  1. Log on to the RAM console and go to Users > New User.
  2. In the Create User window, enter a username such as AAA and set a logon password for this user.
  3. Click the created user to open the User Details page and then click User Authentication Policies > Edit Authentication Policy.
  4. In the Edit Individual Authorization Policy window, select a system authorization policy such as AliyunSTSAssumeRoleAccess for this user, and then click OK.

2. Cross-account resource access

Access through the console

  1. B's sub-user AAA logs on to the console. When a sub-user logs on, the sub-user must enter the enterprise alias, sub-username, and sub-user password.

  2. After AAA logs on to the console, the user logon information is shown in the top-right corner. Move the mouse pointer to the username and click Switch Role to go to the identity switching page. Enter the enterprise alias of enterprise A (company-a) and the role name (ecs-admin).

  3. AAA can now perform operations on the ECS resources of enterprise A.

Thank you! We've received your feedback.