An Alibaba Cloud account (for example, account A) can grant another Alibaba Cloud account (for example, account B) permission to access the OSS buckets that account A owns. Account B can then pass that access on to a RAM user it creates. This tutorial describes how the owner of an OSS bucket grants another Alibaba Cloud account permission to perform all operations on the bucket.
Assume that account A (account ID 11223344, enterprise alias company-a) needs to grant OSS operation permissions to Anne, an employee whose RAM user belongs to account B (account ID 12345678, enterprise alias company-b). The process is as follows:
- Account A creates a role that account B can assume.
- Account A grants permissions to the role.
- Account B creates a RAM user and authorizes it to assume the role.
- The RAM user switches to the role and operates on the bucket.
Note: For more information about the enterprise alias, see the Set your enterprise alias section of Set up RAM in the RAM Quick Start.
Log on to the RAM console using account A.
Click RAM Roles in the left-side menu, and then click Create RAM Role.
In the Create RAM Role dialog box, select Alibaba Cloud Account for Select type of trusted entity.
For Select Trusted Alibaba Cloud Account Enter Type, select Other Alibaba Cloud Account, and then enter the ID of account B (12345678 in this example) as the trusted Alibaba Cloud account ID.
In the RAM Role Name textbox, enter the name of the role to be created. In this example, enter oss-admin, and then click OK.
After the role is created, account A can view its details by clicking the role name in the RAM Role Name list. In this example, the Alibaba Cloud Resource Name (ARN) of the role is acs:ram::11223344:role/oss-admin. The trust policy shown on the role's details page lists acs:ram::12345678:root, that is, account B, as the principal allowed to perform sts:AssumeRole on the role.
This trust policy allows account B as a whole to assume the role: any RAM user in account B that holds sts:AssumeRole permission can switch to it. Account A is therefore relying on account B to limit that grant to the intended users (Step 3).
In this step, account A attaches the system policy AliyunOSSFullAccess to the role so that the role can access OSS resources. To grant permissions to the role, follow these steps:
Click RAM Roles, find the role created in Step 1, and click Add Permissions on the right of the role.
Note: You can also click Permissions > Grants > Grant Permission, enter the name of the role created in Step 1, and then add permissions to the role.
Click the AliyunOSSFullAccess policy in the Policy Name column to add it to the Selected area, and then click OK.
Note: This step grants the role full access to every OSS bucket and object in account A. If you only need to grant specific permissions on particular buckets or folders to the role, see Tutorial: Control access to buckets and folders and attach a custom policy instead of AliyunOSSFullAccess.
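The two policies account A has now attached to oss-admin, written out and checked in code. This is an added example and not Alibaba Cloud's own code or a console export: it reproduces the trust policy the console generates in Step 1 for account 12345678, shows a least-privilege custom policy that could replace AliyunOSSFullAccess in Step 2, and adds the audit checks a practitioner would run before handing the role to another account (does the trust policy trust exactly the expected account, and does the permission policy amount to oss:* on everything). The bucket name company-a-data and the prefix reports/ are hypothetical values for the example.

```python
import json
import re

ACCOUNT_A = "11223344"  # bucket owner (tutorial value)
ACCOUNT_B = "12345678"  # trusted account (tutorial value)

ROOT_ARN_RE = re.compile(r"^acs:ram::(\d+):root$")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy the console generates in Step 1: the whole trusted account
    (its root, and through it any RAM user holding sts:AssumeRole) may assume
    the role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
        "Version": "1",
    }


def trusted_accounts(policy: dict) -> set:
    """Audit check: which account IDs may assume the role. Raises if a
    principal is anything other than a plain account root ARN, because a
    wildcard or malformed principal in a cross-account trust policy is a bug."""
    accounts = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        for arn in _as_list(stmt.get("Principal", {}).get("RAM")):
            match = ROOT_ARN_RE.match(arn)
            if not match:
                raise ValueError(f"unexpected principal in trust policy: {arn}")
            accounts.add(match.group(1))
    return accounts


def trust_policy_ok(policy: dict, expected_accounts) -> bool:
    """True only if the policy trusts exactly the expected accounts and nothing else."""
    try:
        return trusted_accounts(policy) == set(expected_accounts)
    except ValueError:
        return False


def scoped_oss_policy(owner_account: str, bucket: str, prefix: str) -> dict:
    """Least-privilege alternative to AliyunOSSFullAccess for Step 2: list and
    read/write/delete only under one prefix of one bucket. OSS resource ARNs
    take the form acs:oss:*:<account>:<bucket>[/<object>]."""
    return {
        "Statement": [
            {  # listing the bucket, limited to the prefix via the oss:Prefix condition
                "Action": ["oss:ListObjects"],
                "Effect": "Allow",
                "Resource": [f"acs:oss:*:{owner_account}:{bucket}"],
                "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}},
            },
            {  # object operations, limited to keys under the prefix
                "Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
                "Effect": "Allow",
                "Resource": [f"acs:oss:*:{owner_account}:{bucket}/{prefix}*"],
            },
        ],
        "Version": "1",
    }


def grants_full_oss_access(policy: dict) -> bool:
    """True if some Allow statement grants oss:* (or *) on every resource,
    which is what the system policy AliyunOSSFullAccess does."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("oss:*", "*") for a in actions) and "*" in resources:
            return True
    return False


# Body of the system policy AliyunOSSFullAccess, for comparison.
ALIYUN_OSS_FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Action": "oss:*", "Resource": "*", "Effect": "Allow"}],
}


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_B), indent=2))
    print("trusts only account B:", trust_policy_ok(trust_policy(ACCOUNT_B), {ACCOUNT_B}))
    print("AliyunOSSFullAccess is oss:* on *:", grants_full_oss_access(ALIYUN_OSS_FULL_ACCESS))
    # "company-a-data" and "reports/" are hypothetical names for this example.
    print(json.dumps(scoped_oss_policy(ACCOUNT_A, "company-a-data", "reports/"), indent=2))
```

The trust policy is what decides who can get into the role; the permission policy decides what the role can then do. Running trust_policy_ok against the policy the console shows, with {"12345678"} as the expected set, is a cheap check that no extra principal or wildcard has crept in, and grants_full_oss_access is the same kind of check for the permission side.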
Log on to the RAM console using account B.
Click Identities > Users in the left-side menu, and then click Create User.
In the Create User dialog box, enter a user name in the Logon Name textbox. In this example, enter Anne.
Enter a custom name in the Display Name textbox.
Select Console Password Logon for Access Mode, set the password as required, and then click OK.
Select the created RAM user and click Add Permissions.
Note: You can also add permissions to the RAM user as follows: 1. Click Back. 2. Find the created RAM user in the User Logon Name/Display Name list. 3. Click Add Permissions on the right of the created RAM user.
Click the AliyunSTSAssumeRoleAccess policy in the Policy Name column to add it to the Selected area, and then click OK.
Note: AliyunSTSAssumeRoleAccess allows the RAM user to call sts:AssumeRole on any role that trusts account B. To restrict Anne to this one role, create a custom policy that allows sts:AssumeRole with Resource set to acs:ram::11223344:role/oss-admin and attach that policy instead.
Log on to the RAM console as the RAM user Anne created in Step 3.
Note: The logon information is displayed in the upper right corner.
Move the pointer over the user name and click Switch Role.
Enter company-a in the Enterprise Alias / Default Domain Name textbox and oss-admin in the Role Name textbox, and then click Switch.
Anne can now perform operations on the OSS resources owned by account A, within the permissions granted to the oss-admin role. While switched, the console session acts as the role in account A, not as Anne's RAM user in account B.
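What Switch Role does in the console, Anne's RAM user can also do programmatically: call the STS AssumeRole API with the role ARN from Step 1 and use the temporary credentials it returns against account A's buckets. The following is an added example, not Alibaba Cloud SDK code or code from this tutorial. It shows the request parameters and, more usefully, the checks to run on the response before trusting it: that the session is for the role you meant to switch to, that the key is an STS temporary key, and that it has not expired. The response is a constructed sample with fake key material; the field names follow the STS AssumeRole API, and the session name anne is a hypothetical RoleSessionName.

```python
import json
from datetime import datetime, timezone
from typing import Optional

ROLE_ARN = "acs:ram::11223344:role/oss-admin"  # tutorial value
SESSION_NAME = "anne"                          # hypothetical RoleSessionName

# Constructed sample of an STS AssumeRole response (field names follow the
# STS API; the request ID, key material and token are fake placeholders).
SAMPLE_STS_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "AssumedRoleId": "300000000000000000:anne",
        "Arn": "acs:ram::11223344:role/oss-admin/anne",
    },
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLESECRET",
        "SecurityToken": "EXAMPLETOKEN",
        "Expiration": "2030-01-01T00:00:00Z",
    },
})


def assume_role_params(role_arn: str, session_name: str, duration_seconds: int = 3600) -> dict:
    """Parameters of the sts:AssumeRole call Anne's RAM user makes (signed with
    the user's own AccessKey; permitted by the grant from Step 3)."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "DurationSeconds": duration_seconds}


def validate_session(response_json: str, expected_role_arn: str,
                     expected_session: str, now: Optional[datetime] = None) -> dict:
    """Parse an AssumeRole response and return the temporary credential triple,
    but only if the session is for the role we meant to switch to and the
    credentials have not expired. Raises ValueError otherwise."""
    now = now or datetime.now(timezone.utc)
    resp = json.loads(response_json)
    arn = resp["AssumedRoleUser"]["Arn"]
    # An assumed-role ARN is <role ARN>/<RoleSessionName>; anything else means
    # the request landed on a different role than intended.
    if arn != f"{expected_role_arn}/{expected_session}":
        raise ValueError(f"assumed an unexpected role: {arn}")
    creds = resp["Credentials"]
    if not creds["AccessKeyId"].startswith("STS."):
        raise ValueError("AccessKeyId is not an STS temporary key")
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError(f"temporary credentials expired at {expires.isoformat()}")
    return {
        "access_key_id": creds["AccessKeyId"],
        "access_key_secret": creds["AccessKeySecret"],
        "security_token": creds["SecurityToken"],
        "expires_at": expires,
    }


def session_is_valid(response_json: str, expected_role_arn: str, expected_session: str,
                     now: Optional[datetime] = None) -> bool:
    """Boolean form of validate_session for callers that only need go/no-go."""
    try:
        validate_session(response_json, expected_role_arn, expected_session, now)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    print(assume_role_params(ROLE_ARN, SESSION_NAME))
    creds = validate_session(SAMPLE_STS_RESPONSE, ROLE_ARN, SESSION_NAME,
                             now=datetime(2029, 1, 1, tzinfo=timezone.utc))
    print("temporary key:", creds["access_key_id"], "valid until", creds["expires_at"])
```

The returned triple is what an OSS client needs for a role session, for example oss2.StsAuth(access_key_id, access_key_secret, security_token) in the Python SDK. The assumed-role ARN (role ARN plus session name) is also the principal that account A sees for everything Anne does while switched, so choosing a session name that identifies the person is what keeps account A's audit trail meaningful.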