Perform the following steps to set sub-accounts and authorizations.

  1. Create a subaccount.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click Identities > Users.
    3. Click Create User.

    4. InCreate user, create a subaccount which has the same permissions as the primary account to access MPS.

      Note Tick Programmatic Access.
    5. Generate AccessKey for this account, copy and save the AccessKey for subsequent access.

  2. Create a role.
    1. In the left-side navigation pane, click RAM Roles.
    2. Click Create RAM Role.

    3. In Select type of trusted entity, select Alibaba Cloud Account.

      In Select Trusted Alibaba Cloud Account, select Current Alibaba Cloud Account, and click OK.

    4. In RAM Roles, click the created role.

    5. In Basic Information, copy ARN parameter acs:ram::example:role/mps.

  3. Set the role authorization.
    1. On the page of the created role, click Add Permissions.
    2. Select policy.

      Note To adjust the STS permissions of the subaccount (for example, to modify, add, or delete a permission), return to this step.
      You can create a policy in Custom Policy and add this policy in editing policy to grant the minimum permission required by the upload SDK. The full policy content is as follows:
           "Statement": [
               "Action": [
               "Effect": "Allow",
               "Resource": [
           "Version": "1"
  4. Associate the subaccount with the role.
    1. Log on to the RAM console, and click Permissions > Policies in the left-side navigation pane.
    2. Click Create Policy.

    3. In Create Custom Policy, set Resource field to ARN parameter acs:ram::example:role/mps.

    4. In the left-side navigation pane, click Identities > Users.
    5. Select the subaccount you have set, and click Add Permissions.
    6. Enter the created test policy and teststspolicy is displayed.