Enterprise Distributed Application Service: Use a RAM role to access resources that belong to another Alibaba Cloud account

Last Updated:Mar 24, 2025

Enterprise A uses its Alibaba Cloud account (primary account) to create a RAM role, grants the role permissions, and trusts the Alibaba Cloud account of Enterprise B to assume it. Enterprise B can then use its own Alibaba Cloud account or one of its RAM users (sub-accounts) to assume the role and access the Alibaba Cloud resources of Enterprise A. No credentials of Enterprise A are shared with Enterprise B.

Background information

Assume that Enterprise A has purchased multiple types of cloud resources to run its business and needs to authorize Enterprise B to operate part of that business on its behalf. A RAM role is designed for this purpose. A RAM role is a virtual identity that has no permanent credentials of its own: no logon password and no AccessKey pair. It can be used only after a trusted entity (a real user or account) assumes it, at which point that entity receives temporary credentials that carry the permissions of the role. To meet the needs of Enterprise A, follow these steps:

  1. Enterprise A creates a RAM role and trusts the Alibaba Cloud account of Enterprise B.

  2. Enterprise A attaches the AliyunEDASFullAccess policy to the RAM role.

  3. Enterprise B creates a RAM user.

  4. Enterprise B attaches the AliyunSTSAssumeRoleAccess policy to the RAM user.

  5. The RAM user of Enterprise B assumes the RAM role and accesses the resources of Enterprise A through the console or API.

The AliyunEDASFullAccess policy is attached to the RAM role. This system policy grants full permissions on Enterprise Distributed Application Service (EDAS), so anyone who can assume the role can do everything on EDAS that Enterprise A itself can do. If Enterprise B needs to manage only part of the applications, narrow the authorization scope to a specific resource group when you grant the permission in Step 2, provided that the service supports resource groups.

Note
  • The AliyunEDASFullAccess policy must be attached to the role that is to be assumed.

  • A RAM user can assume a RAM role that belongs to a different Alibaba Cloud account, provided that the trust policy of the role allows it. In this scenario, the RAM user of Enterprise B must assume the RAM role that Enterprise A created and attached the AliyunEDASFullAccess policy to. If the RAM user instead assumes a RAM role that was created by Enterprise B, it obtains no permissions on the EDAS resources of Enterprise A. In this case, switch back out of that role first and then assume the correct role.

  • After the RAM user assumes the role that has the AliyunEDASFullAccess policy attached, the temporary credentials of the RAM user carry the same permissions on EDAS as the Alibaba Cloud account of Enterprise A. Treat the credentials of that RAM user as credentials for the production environment of Enterprise A.

Step 1: Enterprise A creates a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and then create a RAM role.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise A or a RAM user of Enterprise A that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set the Principal Type parameter to Cloud Account, select which Alibaba Cloud account is allowed to assume the role, and then click OK. For this scenario, select Other Account and enter the ID of the Alibaba Cloud account of Enterprise B.

    • Current Account: If you want a RAM user or RAM role that belongs to your Alibaba Cloud account to assume the RAM role, select Current Account.

    • Other Account: If you want a RAM user or RAM role that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts. You can view the ID of your Alibaba Cloud account on the Security Settings page.

  5. In the Configure Role step, enter a role name in the RAM Role Name field.

    Note

    The RAM role name can be up to 64 characters in length and can contain letters, digits, and hyphens (-).

Step 2: Enterprise A grants permissions to the RAM role

The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise A or a RAM administrator of Enterprise A.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.

    You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.

  4. In the Grant Permission panel, grant permissions to the RAM role.

    1. Select the authorization scope.

      • Account: The authorization takes effect on all resources of the current Alibaba Cloud account.

      • ResourceGroup: The authorization takes effect only on the resources in a specific resource group. Use this option to limit what Enterprise B can manage.

        Note

        If you select ResourceGroup as the authorization scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the RAM role that you selected in the previous step is specified. You can also change the principal.

    3. Enter AliyunEDASFullAccess in the search box, click the policy to add it to the Selected Policy list on the right side of the section, and then click Grant permissions.

      Note

      The policy to add is AliyunEDASFullAccess, as described in the overview section of this topic.

  5. Click Close.

Step 3: Enterprise B creates a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and then create a RAM user.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select the access mode that the RAM user needs, and then click OK. Select Console Access if the RAM user will switch to the role in the console, or Using permanent AccessKey to access if the RAM user will call API operations.

    Note

    For security purposes, select only one access mode.

    • If you select Console Access, configure the logon settings. For example, select Automatically Regenerate Default Password or Reset Custom Password for Set Logon Password, Required at Next Logon or Not Required for Password Reset, and Required or Not Required for Enable MFA. Requiring MFA is recommended, because this RAM user will be able to obtain full permissions on the EDAS resources of Enterprise A.

    • If you select Using permanent AccessKey to access, RAM automatically generates an AccessKey pair for the RAM user. Then, the RAM user can access resources by calling API operations.

      Important

      For security reasons, the RAM console allows you to view or download an AccessKey secret only once. Therefore, you must keep the related AccessKey secret strictly confidential when you create an AccessKey pair.

  6. In the Security Verification dialog box, click Verify now, enter the verification code that is sent to your mobile phone, and then click Verify Now.

    The RAM user that you create appears on the Users page.

Step 4: Enterprise B grants permissions to the RAM user

Enterprise B must attach the AliyunSTSAssumeRoleAccess policy to a RAM user of Alibaba Cloud account B. This policy allows the RAM user to call the sts:AssumeRole operation. Which roles the RAM user can actually obtain is decided by the trust policies of those roles, which is why Enterprise A specified the account of Enterprise B as the trusted principal in Step 1. This way, the RAM user can assume the RAM role that is created by Enterprise A.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise B or a RAM administrator of Enterprise B.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to multiple RAM users at a time.

  4. In the Grant Permission panel, configure the Resource Scope parameter. In the Policy section, enter a keyword in the search box to search for the AliyunSTSAssumeRoleAccess policy. Click the policy to add it to the Selected Policy list on the right side, and then click Grant permissions.

  5. Click Close.

What to do next

After the preceding operations are complete, the RAM user of Enterprise B can log on to the console or call API operations to access the cloud resources of Enterprise A. To access the cloud resources of Enterprise A, perform the following operations:

  • Log on to the console to access the cloud resources of Enterprise A.

    1. Open the RAM User Logon page in your browser.

    2. On the RAM User Logon page, enter the logon name of the RAM user, and then click Next. Enter the password, and then click Log On.

      Note

      The format of the logon name of a RAM user is <username>@<default domain name> or <username>@<enterprise alias>. For example, the logon name of a RAM user can be username@company-alias.onaliyun.com or username@company-alias.

    3. On the homepage of the console, move the pointer over the user avatar in the upper-right corner and click Switch Identity.

    4. On the Switch Role page, specify Enterprise Alias, Domain, or Account UID of Enterprise A, specify Role Name, and then click Submit.

    5. Manage the Alibaba Cloud resources of Enterprise A.

  • Access the cloud resources of Enterprise A by calling API operations with the RAM user of Enterprise B.

    To access the cloud resources of Enterprise A by calling API operations as the RAM user of Enterprise B, the code first calls the STS AssumeRole operation with the permanent AccessKey pair of the RAM user and the ARN of the RAM role of Enterprise A. STS returns a temporary AccessKey ID, a temporary AccessKey secret, and a security token. The code then signs EDAS API requests with these three values; the permanent AccessKey pair of the RAM user is used only to call AssumeRole. The temporary credentials expire after the requested session duration (one hour by default), after which the code must call AssumeRole again.
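The following script is an added example and is not code from the Alibaba Cloud documentation or from EDAS. It ties the procedure above together from the API side: the trust policy that Step 1 writes for the role of Enterprise A, a least-privilege alternative to the AliyunSTSAssumeRoleAccess policy of Step 4 that only permits assuming that one role, the STS AssumeRole call that turns the permanent AccessKey pair of the RAM user of Enterprise B into temporary credentials, and a check for when those credentials must be refreshed. It assumes the official Alibaba Cloud Python SDK packages alibabacloud_tea_openapi and alibabacloud_sts20150401 are installed; they are imported only inside the two functions that call the API, so the policy and expiry helpers run offline. The account IDs, the role name and the EDAS endpoint are placeholders.

```python
"""Cross-account EDAS access for a RAM user of Enterprise B (added example).

Not code from the Alibaba Cloud documentation. Assumes the official Alibaba
Cloud Python SDK packages alibabacloud_tea_openapi and alibabacloud_sts20150401
are installed; they are imported inside the two functions that call the API, so
the policy and credential helpers run offline. Account IDs, the role name and
the EDAS endpoint are placeholders.
"""
from datetime import datetime, timezone
from typing import Optional

STS_ENDPOINT = "sts.aliyuncs.com"   # public STS endpoint
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"      # format of the Expiration field returned by STS


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role; this is the RoleArn parameter of sts:AssumeRole."""
    if not account_id.isdigit():
        raise ValueError("Alibaba Cloud account IDs are numeric")
    if not 1 <= len(role_name) <= 64 or not all(c.isalnum() or c == "-" for c in role_name):
        raise ValueError("RAM role names are 1-64 letters, digits or hyphens")
    return f"acs:ram::{account_id}:role/{role_name}"


def trust_policy(enterprise_b_account_id: str) -> dict:
    """Step 1, Enterprise A's side: the trust policy the console writes for
    Principal Type = Cloud Account, Other Account. Only principals of
    Enterprise B's account may call sts:AssumeRole on the role."""
    if not enterprise_b_account_id.isdigit():
        raise ValueError("Alibaba Cloud account IDs are numeric")
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{enterprise_b_account_id}:root"]}}]}


def assume_role_policy(target_role_arn: str) -> dict:
    """Step 4, Enterprise B's side. AliyunSTSAssumeRoleAccess allows
    sts:AssumeRole on Resource "*"; this custom policy is the least-privilege
    alternative that only permits assuming Enterprise A's role."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def assume_edas_role(b_user_ak_id: str, b_user_ak_secret: str, target_role_arn: str,
                     session_name: str, duration_seconds: int = 3600) -> dict:
    """The RAM user of Enterprise B exchanges its permanent AccessKey pair for
    temporary credentials of Enterprise A's role (AccessKey ID, AccessKey
    secret, security token). Needs the SDK and network access."""
    from alibabacloud_tea_openapi import models as open_api_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_sts20150401 import models as sts_models

    sts = StsClient(open_api_models.Config(
        access_key_id=b_user_ak_id, access_key_secret=b_user_ak_secret,
        endpoint=STS_ENDPOINT))
    resp = sts.assume_role(sts_models.AssumeRoleRequest(
        role_arn=target_role_arn, role_session_name=session_name,
        duration_seconds=duration_seconds))
    c = resp.body.credentials
    return {"access_key_id": c.access_key_id, "access_key_secret": c.access_key_secret,
            "security_token": c.security_token, "expiration": c.expiration}


def edas_client_config(temp_cred: dict, edas_endpoint: str):
    """Config for an Alibaba Cloud SDK client (EDAS included) that signs with the
    temporary credentials; the security token is mandatory for role credentials."""
    from alibabacloud_tea_openapi import models as open_api_models
    return open_api_models.Config(
        access_key_id=temp_cred["access_key_id"],
        access_key_secret=temp_cred["access_key_secret"],
        security_token=temp_cred["security_token"], endpoint=edas_endpoint)


def seconds_until_expiry(expiration: str, now: Optional[str] = None) -> int:
    """Seconds left on a credential. `now` may be passed in the same UTC format
    for deterministic checks; otherwise the system clock is used."""
    exp = datetime.strptime(expiration, ISO_UTC).replace(tzinfo=timezone.utc)
    cur = (datetime.strptime(now, ISO_UTC).replace(tzinfo=timezone.utc)
           if now else datetime.now(timezone.utc))
    return int((exp - cur).total_seconds())


def needs_refresh(expiration: str, now: Optional[str] = None, margin: int = 300) -> bool:
    """Call AssumeRole again shortly before expiry, not after the first failure."""
    return seconds_until_expiry(expiration, now) <= margin


if __name__ == "__main__":
    # Placeholder IDs: Enterprise A = 1111..., Enterprise B = 2222...
    a_role = role_arn("1111111111111111", "edas-operator-for-b")
    print(trust_policy("2222222222222222"))   # attach to A's role (Step 1)
    print(assume_role_policy(a_role))          # attach to B's RAM user (Step 4)
```

The trust policy is what the console generates for you in Step 1; it is shown here so you can verify in the role's Trust Policy tab that only the account of Enterprise B is listed. The custom policy from assume_role_policy() can be attached to the RAM user of Enterprise B in place of AliyunSTSAssumeRoleAccess when that user should never be able to assume any other role. At run time the caller passes the permanent AccessKey pair of the RAM user to assume_edas_role(), hands the returned dictionary to edas_client_config() with the EDAS endpoint of the region it uses, and re-runs assume_edas_role() whenever needs_refresh() reports that the session is about to expire.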