All Products
Search
Document Center

:Cross-account access

Last Updated:Jun 20, 2026

If you manage multiple Alibaba Cloud accounts, you can centralize monitoring and enable cross-account tracing for your applications. To achieve this, send application data to a single account and use RAM users or RAM roles to grant other users permission to view or manage the data.

Before you begin

Cross-account monitoring requires you to manually manage data reporting, authorization, billing, and fine-grained permissions for each account. This adds operational overhead. For most multi-account organizations, managing applications within each account is simpler. Evaluate whether centralized monitoring justifies the added complexity before proceeding.

Terminology

TermDefinition
Monitoring account (Account A)The Alibaba Cloud account that runs ARMS and receives monitoring data from other accounts.
Source account (Account B)The Alibaba Cloud account whose applications report data to the monitoring account.

Solution

This topic provides a solution for the following scenario: An organization uses two Alibaba Cloud accounts, Account A and Account B. ARMS is activated in Account A, and ACK is activated in Account B. The goal is to connect applications from Account B to ARMS in Account A for centralized monitoring.

  1. In Account A, create a RAM user and grant the AliyunARMSFullAccess and AliyunSTSAssumeRoleAccess permissions. For more information, see Create a RAM user.

  2. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  3. Install the Application Monitoring eBPF agent for the applications in Account B. For more information, see Manually connect applications to Application Monitoring eBPF.

  4. In the ACK console for the target cluster, navigate to the Application > Helm page. Find the ack-arms-cmonitor component and click Update in the Actions column.

  5. Replace accessKey and accessKeySecret with the AccessKey ID and secret obtained in Step 2, and replace uid_id with the UID of Account A. Then, click OK.

    The ACK applications in Account B then begin reporting data to ARMS in Account A.

    In the Update Release dialog box, locate and replace these parameters in the YAML configuration editor.

  6. Manage applications by using a RAM user from Account A.

    • Method 1: Use the RAM user that you created in Step 1 to manage applications.

    • Method 2: Create a dedicated RAM user in Account A to manage applications.

      Create a RAM user in Account A and grant full ARMS permissions by attaching the AliyunARMSFullAccess policy, or grant fine-grained permissions with a custom policy. For more information about how to create a custom policy, see Custom RAM authorization for Application Monitoring.

    Note

    You can also use a RAM user from Account B to manage applications by assuming a RAM role. For more information, see (Optional) Use a RAM role to manage applications.

(Optional) Manage applications with a RAM role

You can also authorize a RAM user from Account B to access ARMS. This allows the user to access ARMS by switching their identity.

Step 1: Grant permissions to Account B

  1. Use Account A to create a RAM role for a trusted Alibaba Cloud account. For this example, name the role arms-admin. Select Account B as the trusted account.

  2. Grant permissions to the arms-admin RAM role in Account A. You can grant full ARMS permissions by attaching the AliyunARMSFullAccess policy, or grant fine-grained permissions with a custom policy.

  3. Create a RAM user in Account B.

    For more information, see Create a RAM user.

    Important

    Save the logon name and password of the RAM user.

  4. Grant the AliyunSTSAssumeRoleAccess permission to the RAM user in Account B. This permission lets the RAM user assume a RAM role.

    For more information, see Grant permissions to a RAM user.

Step 2: Manage applications as a RAM user from Account B

  1. Log on to the RAM console as the RAM user from Account B.

  2. After you log on, move the pointer over the profile icon in the upper-right corner and click Switch Identity.

  3. Enter the UID of Account A and the name of the RAM role you created for Account A in Step 1.

    For more information, see Assume a RAM role.

  4. Log on to the ARMS console. In the left-side navigation pane, choose Application Monitoring eBPF Edition > Application List to view your applications.