Set a subaccount and authorization

Last Updated: Apr 18, 2018

Setting up a subaccount and its authorization takes four steps: Create a subaccount > Create a role > Set the role permissions > Associate the subaccount with the role.

  1. Create a subaccount.

    Log on to the RAM console, and click Users.


    Note: Select Automatically generate an Access key for this user, and store the AccessKey securely. The AccessKey of the subaccount is used to obtain the STS token.

  2. Create a role.

    Log on to the RAM console and click Roles.

    • Select a role.

      Select User Role.


    • Select an Alibaba Cloud account.

      Select Current Alibaba Cloud Account. Trusted Alibaba Cloud Account ID is set to your current Alibaba Cloud account ID by default, which does not need to be specified. Click Next.


    • Enter the Role Name.

      Enter the role name as required. teststs is used in the following figure.


    • Obtain the role Arn parameter.

      Click the created role to go to the Role Details page. Record the Arn parameter acs:ram::1351140512345678:role/teststs.


  3. Set the role authorization.

    • Click Role Authorization Policies of the created role.


    • Edit Authorization Policy.

      Note: To adjust the STS permissions of the subaccount (for example, to modify, add, or delete a permission), return to this step.

      For convenience, the following section uses the full access authorization of OSS as an example.


      Alternatively, you can create an authorization policy in Custom Authorization Policy and add this policy in Edit Authorization Policy to grant the minimum permission required by the upload SDK. The full policy content is as follows:

          {
            "Statement": [
              {
                "Action": [
                  "oss:PutObject",
                  "oss:AbortMultipartUpload",
                  "oss:ListMultipartUploads",
                  "oss:ListParts"
                ],
                "Effect": "Allow",
                "Resource": [
                  "*"
                ]
              }
            ],
            "Version": "1"
          }

  4. Associate the subaccount with the role.

    To associate the subaccount with the role, create a Custom Authorization Policy for the role and grant the Custom Authorization Policy to the subaccount.

    1. Create a Custom Authorization Policy for the role.

      Log on to the RAM console, and click Policies > Create Authorization Policy.

      • Select a template.

        Enter the keyword STS in the text box of All Templates. Select the template for AliyunSTSAssumeRoleAccess and go to the next step.


      • Edit the authorization content.

        Enter the authorization policy name as required, and set the Resource field in Policy Content to the Arn parameter acs:ram::1351140512345678:role/teststs of the role obtained in the preceding steps.


    2. Grant the custom authorization policy to the subaccount.

      1. Log on to the RAM console, and click Users to Authorize.


      2. Click Authorize to edit your authorization policy. You can set search criteria to search for authorization policies. For example, if you enter test, the created teststs policy is displayed.


After the preceding settings, the subaccount has the role permissions. You can use a temporary token of STS to access and upload video files.
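The following added example (not part of the original documentation) audits the two policies from steps 3 and 4 for least privilege: it flags the `"*"` Resource in the upload policy and checks that the AssumeRole policy is pinned to the role Arn recorded in step 2. The bucket name `example-video-bucket`, the `uploads/` prefix, and the helper names are hypothetical, and the AssumeRole policy document is a constructed sample.

```python
import json

ROLE_ARN = "acs:ram::1351140512345678:role/teststs"  # Arn recorded in step 2

# Upload policy exactly as shown in step 3.
UPLOAD_POLICY = json.loads("""{"Statement": [{"Action": ["oss:PutObject",
  "oss:AbortMultipartUpload", "oss:ListMultipartUploads", "oss:ListParts"],
  "Effect": "Allow", "Resource": ["*"]}], "Version": "1"}""")

# Constructed variant: same actions, limited to one hypothetical bucket.
SCOPED_UPLOAD_POLICY = json.loads(json.dumps(UPLOAD_POLICY))
SCOPED_UPLOAD_POLICY["Statement"][0]["Resource"] = [
    "acs:oss:*:*:example-video-bucket",            # bucket-level actions
    "acs:oss:*:*:example-video-bucket/uploads/*",  # object-level actions
]

def assume_role_policy(resource):
    """Constructed AssumeRole policy for step 4 with the given Resource."""
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Resource": resource}], "Version": "1"}

def _as_list(value):
    # Action and Resource may each be a single string or a list.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, expected_role_arn=None):
    """Return least-privilege findings for one RAM policy document."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"statement {i}: Allow applies to every resource")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if expected_role_arn and "sts:assumerole" in actions:
            if resources != [expected_role_arn]:
                findings.append(f"statement {i}: AssumeRole not pinned to role Arn")
    return findings

if __name__ == "__main__":
    for name, pol, arn in [("upload (page)", UPLOAD_POLICY, None),
                           ("upload (scoped)", SCOPED_UPLOAD_POLICY, None),
                           ("assume '*'", assume_role_policy("*"), ROLE_ARN),
                           ("assume pinned", assume_role_policy(ROLE_ARN), ROLE_ARN)]:
        print(name, "->", audit_policy(pol, arn) or "ok")
```
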

