How to have cross-account access to ECS resources

Last Updated: Mar 29, 2017

If you need to use ECS APIs to access others’ resources, make sure the other party has authorized you the privilege for operations on the resources via RAM. To learn about how to implement the authorization, refer to RAM product documentation and API documentation.

When you access others’ resources via ECS APIs, you need to specify one more public parameter when you access your own resources: ResourceOwnerAccount to indicate whose resources you want to access. E.g.:

  1. https://ecs.aliyuncs.com/?Action=StartInstance
  2. &InstanceId=I-instance1
  3. &ResourceOwnerAccount=use_X@aliyun.com
  4. &AccessKeyId=user_Y_keyid
  5. &<Other Public Request Parameters>

The example indicates that user_Y initiates API access to perform the StartInstance operation on the ECS instance I-instance1 of user_X. If the ResourceOwnerAccount parameter is not used in the request to specify the resource owner, or the specified owner is inconsistent with the actual resource owner, or user_X@aliyun.com does not assign the StartInstance operation permission for this instance to the caller in advance, the API call is denied for the reason that the caller is unauthorized to access the specified resource.

Thank you! We've received your feedback.