
Resource Access Management:Delegate access across Alibaba Cloud accounts using RAM roles

Last Updated:Nov 26, 2025

This topic shows you how to use a Resource Access Management (RAM) role to delegate access to resources in your account to a trusted third-party Alibaba Cloud account.

Scenario

Imagine you are Company A and you want to grant Company B access to manage resources in your Alibaba Cloud account. These resources include Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, and Object Storage Service (OSS) buckets.

In this scenario, Company A owns the resources and is the trusting account. Company B is the third party that will access the resources and is the trusted account. You want to achieve the following objectives:

  • Delegate the O&M of your resources to Company B without sharing long-term credentials like AccessKey pairs.

  • Allow Company B to manage which of its own employees or applications can access your resources. This means you don't need to manage individual user access for Company B.

  • Retain the ability to revoke access for Company B at any time, for example, if a contract ends.

Solution

You can achieve this by creating a RAM role in your account (Account A, A@company-a.onaliyun.com) that establishes a trust relationship with Company B's account (Account B, B@company-b.onaliyun.com). This role defines the specific permissions that Company B will have. Company B can then grant its RAM users permission to assume this role. When a user from Company B assumes the role, they receive temporary security credentials that grant them access to the resources in your account.


This process involves two main parts:

  • Setting up cross-account access: First, you create a RAM role in your account (Company A) and grant it the necessary permissions. Then, an administrator in Company B grants their RAM users permission to assume the role.

    For more information, see Grant permissions across Alibaba Cloud accounts.

  • Revoking cross-account access: If the partnership ends, you can easily revoke Company B's access by deleting the role or modifying its trust policy.

    For more information, see Revoke permissions across Alibaba Cloud accounts.

Grant permissions across Alibaba Cloud accounts

Part 1: Steps for the trusting account (Account A)

  1. Create a RAM role that trusts Account B.

    1. Log on to the RAM console with Account A.

    2. On the Roles page, create a RAM role.

      Set Principal Type to Cloud Account and Principal Name to Other Account. Then, enter the UID for Account B. For more information, see Create a RAM role for a trusted Alibaba Cloud account and View an Alibaba Cloud account's UID.


  2. Grant access permissions to the RAM role.

    On the Roles or Grants page, attach one or more system policies or custom policies to the RAM role. Follow the principle of least privilege and grant only the necessary permissions. For example, to allow the RAM role to manage ECS instances, you can attach the AliyunECSFullAccess system policy to the role. For more information, see Grant permissions to a RAM role.

Part 2: Steps for the trusted account (Account B)

  1. Create a RAM user.

    1. Log on to the RAM console with Account B.

    2. On the Users page, create a RAM user for the employee who will access Company A's resources.

      For more information, see Create a RAM user.

  2. Grant the RAM user the permission to assume the role.

    On the Users page or Grants page, attach the AliyunSTSAssumeRoleAccess system policy to the RAM user. For more information, see Grant permissions to a RAM user.

Part 3: Accessing the resources

  1. Assume the role to access the authorized resources in Account A using one of the following methods:

    • Switching roles in the console

      The RAM user logs on to the console with a username and password, moves the pointer over the profile picture in the upper-right corner of the console, and clicks Switch Identity. They can then enter the details for Account A and the role name to switch to the cross-account role.

    • Using the API

      The RAM user uses an AccessKey pair to call the AssumeRole API operation. This operation returns a Security Token Service (STS) token that can be used to make API calls to resources in Account A.
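The AssumeRole call described above, as an added example in Python that is not from the original page or from Alibaba Cloud's SDK: it builds and signs the STS request by hand using the RPC signature scheme (HMAC-SHA1 over the sorted, percent-encoded query parameters), then picks the temporary credentials out of a constructed sample response. The AccessKey pair, the role ARN, the session name and the response body are placeholders; in practice the official SDK or CLI performs exactly these steps for you.

```python
"""Sign an STS AssumeRole request and read the temporary credentials it returns."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import uuid
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com/"  # public STS endpoint


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as the RPC signature requires: space -> %20, '*' -> %2A, '~' kept."""
    return urllib.parse.quote(str(value), safe="-_.~")


def canonicalized_query(params: dict) -> str:
    """Sort parameters by name and join them as key=value pairs, both percent-encoded."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, params: dict) -> str:
    """StringToSign = Method & percentEncode("/") & percentEncode(canonicalized query)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query(params))}"


def sign(access_key_secret: str, to_sign: str) -> str:
    """HMAC-SHA1 with key AccessKeySecret + '&', base64-encoded."""
    digest = hmac.new((access_key_secret + "&").encode(), to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_assume_role_request(access_key_id, access_key_secret, role_arn, session_name,
                              duration_seconds=3600, timestamp=None, nonce=None):
    """Return the full signed GET URL for sts:AssumeRole (timestamp/nonce overridable for tests)."""
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "RoleArn": role_arn,                 # acs:ram::<Account A UID>:role/<role name>
        "RoleSessionName": session_name,     # shows up in Account A's audit records
        "DurationSeconds": str(duration_seconds),
    }
    params["Signature"] = sign(access_key_secret, string_to_sign("GET", params))
    return STS_ENDPOINT + "?" + canonicalized_query(params)


# Constructed sample of an AssumeRole response body (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "constructed-request-id",
    "AssumedRoleUser": {"Arn": "acs:ram::1111:role/ops-role/bob", "AssumedRoleId": "constructed"},
    "Credentials": {
        "AccessKeyId": "STS.constructed-key-id",
        "AccessKeySecret": "constructed-secret",
        "SecurityToken": "STS.constructed-token",
        "Expiration": "2025-01-01T01:00:00Z",
    },
})


def extract_credentials(response_body: str) -> dict:
    """Pull out the values a follow-up call to Account A's resources needs.

    All three (AccessKeyId, AccessKeySecret and SecurityToken) must be sent together;
    the SecurityToken is what ties the call to the assumed role until Expiration.
    """
    creds = json.loads(response_body)["Credentials"]
    return {k: creds[k] for k in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")}


if __name__ == "__main__":
    # Placeholder AccessKey pair of the RAM user in Account B and the role ARN in Account A.
    url = build_assume_role_request("AKID-PLACEHOLDER", "SECRET-PLACEHOLDER",
                                    "acs:ram::1111:role/ops-role", "bob")
    print(url)
    print(extract_credentials(SAMPLE_RESPONSE))
```

The `RoleSessionName` value is worth choosing deliberately: it is recorded with every action the assumed role performs, so using the employee's identity there lets Account A trace activity back to an individual in Company B even though it never manages that user.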

Revoke permissions across Alibaba Cloud accounts

As the administrator of Account A, you can revoke Company B's access at any time using one of the following methods:

  • Modify the RAM role's trust policy

    1. Log on to the RAM console with Account A.

    2. On the Roles page, modify the trust policy for the role.

      Remove the UID of Account B from the Principal element in the policy document. This immediately prevents any user from Account B from assuming the role. For more information, see Edit the trust policy of a RAM role.


  • Delete the RAM role

    1. Log on to the RAM console with Account A.

    2. On the Roles page, delete the RAM role.

      Deleting the role also removes its attached policies and permanently revokes access for Company B. For more information, see Delete a RAM role.
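The trust policy created in Part 1 and edited in the revoke step above, as an added example in Python that is not part of the original page or of Alibaba Cloud's tooling. It builds the policy document that trusts Account B's UID, lists which account UIDs a given policy trusts, removes one account's principals the way the console edit does, and audits a policy against the set of accounts that are supposed to be trusted. The UIDs are constructed placeholders.

```python
"""Build, inspect and edit a RAM role trust policy document."""
import copy
import json


def build_trust_policy(trusted_uids):
    """Trust policy that lets the listed accounts (their root principal) call sts:AssumeRole."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{uid}:root" for uid in trusted_uids]},
        }],
        "Version": "1",
    }


def _uid_of(arn):
    """Return the account UID from an ARN such as acs:ram::1234567890123456:root, or None."""
    parts = arn.split(":")
    if len(parts) >= 5 and parts[0] == "acs" and parts[1] == "ram" and parts[3]:
        return parts[3]
    return None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trusted_account_uids(policy):
    """Set of account UIDs whose principals are allowed to assume the role."""
    uids = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for arn in _as_list(stmt.get("Principal", {}).get("RAM")):
            uid = _uid_of(arn)
            if uid:
                uids.add(uid)
    return uids


def revoke_trusted_account(policy, uid):
    """Copy of the policy with every principal belonging to `uid` removed (the revoke step)."""
    edited = copy.deepcopy(policy)
    for stmt in edited.get("Statement", []):
        principal = stmt.get("Principal", {})
        if "RAM" in principal:
            principal["RAM"] = [arn for arn in _as_list(principal["RAM"]) if _uid_of(arn) != uid]
    return edited


def audit_trust_policy(policy, expected_uids):
    """UIDs the policy trusts beyond the expected set; an empty result means the policy is as intended."""
    return trusted_account_uids(policy) - set(expected_uids)


if __name__ == "__main__":
    account_b = "2222222222222222"  # placeholder for Account B's UID
    policy = build_trust_policy([account_b])
    print(json.dumps(policy, indent=2))
    print("trusted:", trusted_account_uids(policy))
    print("unexpected:", audit_trust_policy(policy, [account_b]))
    print("after revoke:", trusted_account_uids(revoke_trusted_account(policy, account_b)))
```

Running `audit_trust_policy` over the trust policies of every role in Account A, with the list of partner UIDs that are currently under contract, is a straightforward periodic check that no revoked partner still appears in a Principal element.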