When multiple enterprises collaborate on Alibaba Cloud, one enterprise often owns ApsaraMQ for Kafka resources (instances, topics, and consumer groups) while another handles day-to-day operations. Resource Access Management (RAM) roles let you delegate access across Alibaba Cloud accounts without sharing credentials -- the resource owner retains control, and access is revocable at any time.
How cross-account access works
Cross-account access relies on a trust relationship between two Alibaba Cloud accounts:
Account A (resource owner) creates a RAM role that trusts Account B, then attaches ApsaraMQ for Kafka permissions to that role.
Account B (operator) creates a RAM user, grants it the AliyunSTSAssumeRoleAccess policy, and the RAM user calls the Security Token Service (STS) AssumeRole operation to obtain temporary credentials for Account A's resources.
This model provides three advantages:
No per-employee changes on Account A -- When employees join or leave Account B, only Account B updates its own RAM user permissions. Account A's configuration stays the same.
Fine-grained control -- Account A chooses exactly which ApsaraMQ for Kafka actions Account B can perform.
Revocable access -- Account A can remove the trust relationship or detach the policy at any time.
Permissions summary
Before you start, review the permissions required on each account:
| Account | Action | Purpose |
|---|---|---|
| Account A | Create a RAM role that trusts Account B | Establishes the trust relationship |
| Account A | Attach ApsaraMQ for Kafka policies to the RAM role | Defines what Account B can do |
| Account B | Create a RAM user | Provides an identity to assume the role |
| Account B | Attach AliyunSTSAssumeRoleAccess to the RAM user | Allows the RAM user to call STS AssumeRole |
Prerequisites
Before you begin, make sure that you have:
An Alibaba Cloud account for each enterprise (Account A and Account B)
RAM administrator access on both accounts
The Alibaba Cloud account ID of Account B -- to find it, log on to the Account Management console and go to Security Settings
Step 1: Create a RAM role on Account A
Create a RAM role on Account A that trusts Account B. This role defines what Account B's users can do with Account A's ApsaraMQ for Kafka resources.
Log on to the RAM console with Account A.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
Select Alibaba Cloud Account as the role type and click Next.
Configure the role:
| Parameter | Description |
|---|---|
| RAM Role Name | A name for the role. Up to 64 characters. Can contain letters, digits, and hyphens (-). |
| Select Trusted Alibaba Cloud Account | Select Other Alibaba Cloud Account and enter the account ID of Account B. |
Click OK.
Step 2: Attach ApsaraMQ for Kafka permissions to the RAM role
Attach the policies that define what Account B can do with Account A's ApsaraMQ for Kafka resources.
Log on to the RAM console with Account A.
In the left-side navigation pane, choose Identities > Roles.
Find the RAM role you created and click Grant Permission in the Actions column.
Note: To grant permissions to multiple roles at once, select the roles and click Grant Permission at the bottom of the list.
In the Policy section of the Grant Permission panel, search for the policy to attach, select it from the results to add it to the Selected Policy list, and then click Grant permissions.
Note: For information about the policies that you can attach to authorize RAM roles and RAM users to access ApsaraMQ for Kafka, see RAM policies.
Step 3: Create a RAM user on Account B
Create a RAM user on Account B that will assume the cross-account role.
Log on to the RAM console with Account B.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.
In the User Account Information section, configure the following parameters:
Note: Click Add User to create multiple RAM users at once.
| Parameter | Description |
|---|---|
| Logon Name | Up to 64 characters. Can contain letters, digits, periods (.), hyphens (-), and underscores (_). |
| Display Name | Up to 128 characters. |
| Tag | (Optional) Click the edit icon to add one or more key-value tags for the RAM user. |
In the Access Mode section, select an access mode:
Select only one access mode per RAM user to separate human access from programmatic access.
Console Access -- For users who log on through a browser. Configure:
Set Console Password: Select Automatically Regenerate Default Password or Reset Custom Password. Custom passwords must meet the password policy.
Password Reset: Specify whether the user must reset the password on next logon.
Enable MFA: Enable multi-factor authentication (MFA). After you enable MFA, bind an MFA device to the user.
Using permanent AccessKey to access -- For programmatic access. The system generates an AccessKey ID and AccessKey secret automatically. For more information, see Obtain an AccessKey pair.
Important: The AccessKey secret is displayed only at creation time. Back it up immediately -- you cannot retrieve it later.
Permanent AccessKey pairs pose security risks if leaked. For production workloads, use STS temporary credentials instead. For more information, see Best practices for access credentials.
Click OK and complete security verification.
Step 4: Grant the RAM user permission to assume roles
Attach the AliyunSTSAssumeRoleAccess policy to the RAM user so it can call the STS AssumeRole operation.
Log on to the RAM console with Account B.
In the left-side navigation pane, choose Identities > Users.
Find the RAM user and click Add Permissions in the Actions column.
Note: To grant permissions to multiple users at once, select the users and click Add Permissions at the bottom of the page.
In the Policy section of the Grant Permission panel, search for AliyunSTSAssumeRoleAccess, select it, and click Grant permissions.
Access Account A's ApsaraMQ for Kafka resources
After setup, the RAM user on Account B can access Account A's ApsaraMQ for Kafka resources through the console or API.
Console access
Open the RAM User Logon page.
Enter the RAM user name and click Next, then enter the password and click Log On.
Note: The RAM user name uses one of these formats:
<username>@<AccountAlias>
<username>@<AccountAlias>.onaliyun.com
Replace <AccountAlias> with Account B's account alias. If no alias is set, use the Alibaba Cloud account ID.
In the upper-right corner, hover over the profile icon and click Switch Identity.
On the Switch Role page, enter Account A's enterprise alias or default domain name and the RAM role name, then click Submit.
Note: Enterprise alias: Log on with Account A, go to the Expenses and Costs console, and hover over the profile icon to view the alias.
Default domain name: Log on with Account A, go to the RAM console, and check the Advanced tab on the Settings page.
API access
To access ApsaraMQ for Kafka resources programmatically, follow these two steps:
Call the AssumeRole operation with the RAM user's credentials to obtain temporary credentials: an AccessKey ID, an AccessKey secret, and an STS token.
Use the temporary credentials to call ApsaraMQ for Kafka API operations. Pass the AccessKey ID, AccessKey secret, and STS token with each request.
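The following Python module is an added example, not code from the Alibaba Cloud documentation or SDK. It ties together Step 1 (the trust policy the console writes for the role on Account A), Step 4 (a least-privilege alternative to AliyunSTSAssumeRoleAccess that lets the RAM user assume only this one role), and the two-step API flow above. The account IDs, role name and region are constructed sample values; the role ARN format `acs:ram::<account-id>:role/<name>` and the STS `Expiration` format are Alibaba Cloud conventions; the SDK package, class and field names used inside `assume_role()` and `kafka_config()` (`alibabacloud_tea_openapi`, `alibabacloud_sts20150401`, the `alikafka.<region>.aliyuncs.com` endpoint) are assumptions and are imported lazily so the offline helpers run without the SDK installed.

```python
"""Cross-account ApsaraMQ for Kafka access: RAM role on Account A, STS AssumeRole from Account B.
Added example; not code from the Alibaba Cloud documentation. The offline helpers run as-is;
the two network calls import the SDK lazily, and their module/field names are assumptions."""
import re
from datetime import datetime, timezone

# Constructed sample values; replace with your own account IDs and role name.
ACCOUNT_A_ID = "111111111111"   # resource owner (owns the Kafka instances)
ACCOUNT_B_ID = "222222222222"   # operator (assumes the role)
ROLE_NAME = "kafka-operator"

_RAM_PRINCIPAL = re.compile(r"^acs:ram::(\d+):(root|user/.+)$")


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role; this is the RoleArn value that AssumeRole expects."""
    return f"acs:ram::{account_id}:role/{role_name}"


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy equivalent to choosing 'Other Alibaba Cloud Account' in Step 1:
    only RAM identities under that account may call sts:AssumeRole on the role."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]}}]}


def audit_trust_policy(policy: dict, expected_account_ids: set) -> list:
    """Findings for a role's trust policy. An empty list means every Allow statement
    grants only sts:AssumeRole and only to the expected accounts (no wildcard)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"unexpected action(s) in trust policy: {extra}")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal form: {principal!r}")
            continue
        if "*" in principal.get("RAM", []):
            findings.append("wildcard principal: any Alibaba Cloud account may assume the role")
        for p in principal.get("RAM", []):
            m = _RAM_PRINCIPAL.match(p)
            if m and m.group(1) not in expected_account_ids:
                findings.append(f"untrusted account in principal: {p}")
        for key in ("Service", "Federated"):
            if principal.get(key):
                findings.append(f"non-RAM principal type {key!r}: {principal[key]}")
    return findings


def assume_role_permission_policy(target_role_arn: str) -> dict:
    """Least-privilege alternative to AliyunSTSAssumeRoleAccess for Step 4: the RAM user
    on Account B may assume only this one role, not any role that happens to trust it."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def seconds_until_expiry(expiration: str, now: str) -> int:
    """STS returns Expiration as ISO 8601 UTC, e.g. '2024-01-01T12:00:00Z'."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    cur = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    return int((exp - cur).total_seconds())


def needs_refresh(expiration: str, now: str, skew_seconds: int = 300) -> bool:
    """Temporary credentials expire; refresh them ahead of time with a safety margin."""
    return seconds_until_expiry(expiration, now) <= skew_seconds


def assume_role(ram_user_ak_id, ram_user_ak_secret, target_role_arn, session_name, duration=3600):
    """API step 1: exchange the Account B RAM user's credentials for temporary credentials
    scoped to the Account A role. SDK names below are assumptions (alibabacloud_sts20150401)."""
    from alibabacloud_tea_openapi.models import Config
    from alibabacloud_sts20150401.client import Client
    from alibabacloud_sts20150401.models import AssumeRoleRequest
    client = Client(Config(access_key_id=ram_user_ak_id, access_key_secret=ram_user_ak_secret,
                           endpoint="sts.aliyuncs.com"))
    resp = client.assume_role(AssumeRoleRequest(
        role_arn=target_role_arn, role_session_name=session_name, duration_seconds=duration))
    c = resp.body.credentials
    return {"access_key_id": c.access_key_id, "access_key_secret": c.access_key_secret,
            "security_token": c.security_token, "expiration": c.expiration}


def kafka_config(temp: dict, region_id: str):
    """API step 2: every ApsaraMQ for Kafka request carries all three values; a temporary
    AccessKey pair is rejected without its STS token. Endpoint format is an assumption."""
    from alibabacloud_tea_openapi.models import Config
    return Config(access_key_id=temp["access_key_id"], access_key_secret=temp["access_key_secret"],
                  security_token=temp["security_token"],
                  endpoint=f"alikafka.{region_id}.aliyuncs.com")
```

Run `audit_trust_policy(trust_policy(ACCOUNT_B_ID), {ACCOUNT_B_ID})` after creating the role on Account A to confirm the trust relationship is scoped to Account B alone; any wildcard or extra account is a finding. On Account B, `assume_role_permission_policy(role_arn(ACCOUNT_A_ID, ROLE_NAME))` is the custom policy to attach in place of AliyunSTSAssumeRoleAccess when the RAM user should be able to assume only this role. Use `needs_refresh()` on the `expiration` returned by `assume_role()` so long-running operators call AssumeRole again before the credentials lapse rather than falling back to a permanent AccessKey pair.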