edit-icon download-icon

Tutorial: Grant cross-account bucket permissions

Last Updated: Aug 07, 2018

This tutorial explains how to grant cross-account bucket permissions to OSS buckets and folders from one primary account to another primary account.

In this tutorial, we illustrate the permission granting process using the two fictitious account entities, account A and account B. Account A grants aaccount B permission to access its resources. Account B then delegates this permission to RAM users in its account. In this example scenario, a bucket owner grants cross-account permission to another account to perform full bucket operations.

Cross-account authorization process

Assume that account A (account ID = 11223344, enterprise alias = company-a) needs to grant OSS operation permissions to the employee Anne of account B (account ID = 12345678, enterprise alias = company-b). The process is as follows:

  1. Account A creates a role which allows account B to assume the role.
  2. Account A grants permissions to the role.
  3. Account B creates RAM users and authorizes them to assume the role.

Note: For more information about enterprise alias, see the Set your enterprise alias section of Set up RAM in the RAM Quick Start.

Step 1: Account A creates a role

  1. Log on to the RAM console with the primary account credentials of account A.

  2. Select Roles from the menu on the left, and then click Create Role.
    The Create Role wizard page is displayed.

  3. For 1: Select Rule type, select User Role.

  4. For 2: Enter Type, select Other Alibaba Cloud Account, and enter the account ID of account B as the trusted Alibaba Cloud account ID. In this example, enter 12345678.

  5. For 3: Configure Basic, enter a role name. In this example, enter oss-admin, and then click Create.
    After creating the role, account A can view the role information on the Role Details page. In this example, the global name ARN of the role is acs:ram::11223344:role/oss-admin. The authorization policy of the role is as follows:

    1. {
    2. "Statement": [
    3. {
    4. "Action": "sts:AssumeRole",
    5. "Effect": "Allow",
    6. "Principal": {
    7. "RAM": [
    8. "acs:ram::12345678:root"
    9. ]
    10. }
    11. }
    12. ],
    13. "Version": "1"
    14. }

    The preceding policy allows account B to assume this role.

Step 2: Account A grants permission to the role

In this step, account A attaches the authorization policy AliyunOSSFullAccess to the role so that the role can access OSS resources.

To grant permission to the role, follows these steps:

  1. Click Authorize in 4: Role Created, or go to the Role Details page and click Role Authorization Policies.

  2. Click Edit Authorization Policy.
    The Edit Role Authorization Policy page is displayed.

  3. On the Search and Attach tab page, find the AliyunOSSFullAccess policy in the Available Authorization Policy Names pane, add it to the Selected Authorization Policy Name pane, and then click OK.

Note: This step grants full access to OSS resources. If you want to grant specific permissions to OSS buckets and folders, see Tutorial: Control access to buckets and folders.

Step 3: Account B creates RAM users and authorizes them to assume the role

  1. Log on to the RAM console with the primary account credentials of account B.

  2. Select Users from the menu on the left, and then click Create User.
    The Create User page is displayed.

  3. Enter a user name such as Anne. The other information is optional. Then click OK.

  4. In the user name list, click the user name to open the User Details page. Click Enable Console Logon and set the logon password for the RAM user.

  5. Go back to the RAM console and click Dashboard. Find the URL after RAM User Logon Link:. You will provide this URL to RAM users to log on to the console with their RAM user name and password.

  6. Go to the User Details page, click User Authorization Policies, and then click Edit Authorization Policy.
    The Edit User-Level Authorization page is displayed.

  7. Find the AliyunSTSAssumeRoleAccess policy in the Available Authorization Policy Names pane, add it to the Selected Authorization Policy Name pane, and then click OK.

Cross-account resource access on the console

  1. Open the RAM user logon page, and log on to the RAM console with RAM user Anne’s credentials.
    The user logon information is displayed in the upper-right corner.

  2. Move the mouse pointer to the user name and click Switch Role.
    The Switch Role page is displayed.

  3. Enter the enterprise alias of account A company-a and the role name oss-admin, and then click Switch.

  4. Perform operations on the OSS resources of account A.

Thank you! We've received your feedback.