When multiple teams or organizations need to share ApsaraMQ for RocketMQ resources across Alibaba Cloud accounts, sharing credentials creates security risks and operational overhead. Resource Access Management (RAM) roles let a resource-owning account (Account A) delegate specific permissions to another account (Account B) without sharing credentials. Account A creates a RAM role with the required permissions, and RAM users from Account B assume that role to publish messages, subscribe to messages, or manage resources.
Use cases
| Scenario | Description |
|---|---|
| Delegated operations | Account A owns ApsaraMQ for RocketMQ resources but needs a partner or vendor (Account B) to handle day-to-day operations such as publishing or subscribing to messages |
| Independent user management | Account B manages its own RAM users, including employees or applications. When employees join or leave Account B, Account A does not need to update any permission settings |
| Revocable access | Account A can revoke all cross-account access at any time by removing the RAM role or its trust policy, for example when a contract ends |
How it works
The setup has two phases:
- Set up the RAM role (Account A) -- Create a RAM role in the resource-owning account, attach the required permissions, and authorize Account B to assume the role.
- Access resources cross-account (Account B) -- Log on to the console or call API operations by assuming the role.
Prerequisites
Before you begin, make sure that you have:
- Two Alibaba Cloud accounts -- Account A (resource owner) and Account B (delegated operator)
- Access to the RAM console for both accounts
Step 1: Create a RAM role and attach permissions (Account A)
1.1 Create a RAM role for a trusted account
- Log on to the RAM console with Account A.
- Create a RAM role for Account B's Alibaba Cloud account. For detailed instructions, see Create a RAM role for a trusted Alibaba Cloud account.
1.2 (Optional) Create a custom policy
If the built-in system policies do not meet your requirements, create a custom policy to define fine-grained permissions.
ApsaraMQ for RocketMQ supports permission management at three levels: instances, topics, and groups.
Follow the principle of least privilege. Grant permissions at the narrowest scope that satisfies business requirements.
For policy syntax and examples, see Custom policies for ApsaraMQ for RocketMQ. To create the policy, see Create custom policies.
1.3 Attach a policy to the RAM role
A newly created RAM role has no permissions. Attach a system policy or the custom policy you created in step 1.2.
For detailed instructions, see Grant permissions to a RAM user.
1.4 Prepare Account B's RAM user (Account B)
- Log on to the RAM console with Account B.
- Create a RAM user for the employee or application that needs cross-account access. For detailed instructions, see Create a RAM user.
- Attach the AliyunSTSAssumeRoleAccess system policy to the RAM user. This policy allows the RAM user to assume the RAM role created by Account A. For detailed instructions, see Grant permissions to a RAM user.
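The three policy documents behind Step 1, as an added Python example that is not part of this documentation or of any Alibaba Cloud SDK: the trust policy that lets only Account B assume the role (1.1), a custom permission policy scoped to one instance, topic and group (1.2), a resource-scoped alternative to AliyunSTSAssumeRoleAccess for Account B's RAM user (1.4), and a small check that flags wildcard actions or resources against the least-privilege rule. The account IDs, instance ID, topic, group and role name are constructed placeholders; the mq:PUB and mq:SUB action names and the acs:mq resource prefix are assumptions about the RocketMQ custom-policy format and should be verified against the Custom policies reference linked in step 1.2.

```python
"""Added example: policy documents for Step 1 (not from the ApsaraMQ docs or SDKs).

Every ID and name below is a constructed placeholder. The mq:PUB / mq:SUB
actions and the acs:mq:*:*:<instance>/<topic-or-group> resource format are
assumptions to verify against the Custom policies reference.
"""
import json

ACCOUNT_A_ID = "111111111111111111"   # constructed: resource-owning account
ACCOUNT_B_ID = "222222222222222222"   # constructed: delegated operator account
ROLE_NAME = "RocketMQOperatorRole"    # constructed: role created in step 1.1
INSTANCE_ID = "MQ_INST_EXAMPLE"       # constructed
TOPIC = "order-events"                # constructed
GROUP = "GID_order_consumer"          # constructed


def trust_policy_for_account(trusted_account_id: str) -> dict:
    """Step 1.1: trust policy naming Account B as the only principal allowed to assume the role."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
    }


def rocketmq_permission_policy(instance_id: str, topic: str, group: str) -> dict:
    """Step 1.2: custom policy limited to one topic and one group on one instance."""
    base = f"acs:mq:*:*:{instance_id}"   # assumed resource prefix, see lead-in
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["mq:PUB"], "Resource": [f"{base}/{topic}"]},
            {"Effect": "Allow", "Action": ["mq:SUB"],
             "Resource": [f"{base}/{topic}", f"{base}/{group}"]},
        ],
    }


def assume_role_policy(owner_account_id: str, role_name: str) -> dict:
    """Step 1.4 alternative: let Account B's RAM user assume only this one role.
    AliyunSTSAssumeRoleAccess grants sts:AssumeRole on every role ('*')."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"acs:ram::{owner_account_id}:role/{role_name}",
        }],
    }


def least_privilege_findings(policy: dict) -> list:
    """Flag Allow statements that grant a wildcard action or a wildcard resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            if r == "*" or r.endswith(":*"):
                findings.append(f"statement {i}: wildcard resource {r!r}")
    return findings


if __name__ == "__main__":
    for name, pol in [
        ("trust (Account A role)", trust_policy_for_account(ACCOUNT_B_ID)),
        ("permission (Account A role)", rocketmq_permission_policy(INSTANCE_ID, TOPIC, GROUP)),
        ("assume-role (Account B user)", assume_role_policy(ACCOUNT_A_ID, ROLE_NAME)),
    ]:
        print(f"--- {name} ---")
        print(json.dumps(pol, indent=2))
        print("least-privilege findings:", least_privilege_findings(pol) or "none")
```

Paste the trust policy into the role's trust policy document and the permission policy into the custom policy you attach in step 1.3; the checker is meant to run in review before either document is applied, so that a `*` resource does not slip into a role another account can assume.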
Step 2: Access resources cross-account (Account B)
After you complete Step 1, Account B's RAM users can access Account A's ApsaraMQ for RocketMQ resources by assuming the RAM role. Choose one of the following methods.
Access resources through the console
- Open the RAM user logon page in your browser.
- In the Username field, enter the logon name of the RAM user and click Next. Enter the password and click Log On.
  The logon name uses the format `<$username>@<$AccountAlias>` or `<$username>@<$AccountAlias>.onaliyun.com`. `<$AccountAlias>` is the alias of Account B. If no alias is set, the Alibaba Cloud account ID is used instead.
- In the upper-right corner of the console, hover over the profile icon and click Switch Identity.
- On the Switch Role page, fill in the following fields:

  | Field | Value |
  |---|---|
  | Enterprise Alias / Domain / Account UID | The enterprise alias, domain name, or Alibaba Cloud account ID of Account A |
  | Role Name | The name of the RAM role created in step 1.1 |

- Click Submit. The console now operates under the assumed role with Account A's ApsaraMQ for RocketMQ permissions.
Access resources through API operations
Account B's RAM users can also access Account A's resources by calling the API operations provided by ApsaraMQ for RocketMQ. For more information, see Make API requests.
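The API path runs through STS AssumeRole: Account B's RAM user asks STS for temporary credentials for the role, then signs ApsaraMQ for RocketMQ API requests with those credentials instead of its own. The following is an added Python example, not code from this documentation or from the Alibaba Cloud SDKs, showing the request parameters, the documented response shape, and an expiry check so a long-running publisher or consumer re-assumes the role before its credentials lapse. It makes no network call; the account ID, role name, session name and every value in SAMPLE_RESPONSE are constructed placeholders, and the RoleSessionName character rule is an assumption to verify against the STS API reference.

```python
"""Added example: the STS AssumeRole exchange behind Step 2 and handling of the
temporary credentials it returns (not from the ApsaraMQ docs or Alibaba Cloud SDKs).

No network call is made: SAMPLE_RESPONSE is constructed in the documented
AssumeRole response shape, and all IDs, names and secrets are placeholders.
"""
import json
import re
from datetime import datetime, timedelta, timezone

ACCOUNT_A_ID = "111111111111111111"   # constructed: resource-owning account
ROLE_NAME = "RocketMQOperatorRole"    # constructed: role from step 1.1

# Assumed constraint on RoleSessionName: 2-64 chars of letters, digits, . @ _ -
_SESSION_NAME = re.compile(r"^[A-Za-z0-9.@_-]{2,64}$")


def assume_role_request(owner_account_id, role_name, session_name,
                        duration_seconds=3600, session_policy=None):
    """Parameters Account B's RAM user sends to STS AssumeRole."""
    if not _SESSION_NAME.match(session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of letters, digits, . @ _ -")
    req = {
        "RoleArn": f"acs:ram::{owner_account_id}:role/{role_name}",
        "RoleSessionName": session_name,   # shows up in Account A's audit trail
        "DurationSeconds": duration_seconds,
    }
    if session_policy is not None:
        # Optional session policy: intersected with the role's policy, so it can only narrow access
        req["Policy"] = json.dumps(session_policy)
    return req


SAMPLE_RESPONSE = {  # constructed: fake values in the documented response shape
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "Arn": f"acs:ram::{ACCOUNT_A_ID}:role/{ROLE_NAME}/ops-session",
        "AssumedRoleId": "000000000000000000:ops-session",
    },
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLE_ACCESS_KEY_ID",
        "AccessKeySecret": "EXAMPLE_ACCESS_KEY_SECRET",
        "SecurityToken": "EXAMPLE_SECURITY_TOKEN",
        "Expiration": "2024-01-01T01:00:00Z",
    },
}


def parse_utc(timestamp: str) -> datetime:
    """Parse the Expiration timestamp format STS returns (UTC, 'Z' suffix)."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def temporary_credentials(response: dict) -> dict:
    """Extract the three-part temporary credential.
    All three parts (key ID, secret, security token) must accompany every API request."""
    cred = response["Credentials"]
    return {
        "access_key_id": cred["AccessKeyId"],
        "access_key_secret": cred["AccessKeySecret"],
        "security_token": cred["SecurityToken"],
        "expiration": parse_utc(cred["Expiration"]),
    }


def needs_refresh(creds: dict, now=None, margin=timedelta(minutes=5)) -> bool:
    """True when the credential is expired or within `margin` of expiry; re-run AssumeRole then."""
    now = now or datetime.now(timezone.utc)
    return now + margin >= creds["expiration"]


if __name__ == "__main__":
    print(json.dumps(assume_role_request(ACCOUNT_A_ID, ROLE_NAME, "ops-session"), indent=2))
    creds = temporary_credentials(SAMPLE_RESPONSE)
    print("token expires at", creds["expiration"].isoformat())
    print("refresh now?", needs_refresh(creds, now=parse_utc("2024-01-01T00:56:00Z")))
```

The three credential parts are what the API client passes in place of a long-lived AccessKey pair, which is the point of the whole setup: Account B's users never hold Account A's credentials, and Account A can cut access off by editing the trust policy or deleting the role without touching anything on Account B's side.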