
EventBridge:Delegate access across Alibaba Cloud accounts

Last Updated:May 18, 2026

You can use Enterprise A's Alibaba Cloud account to create a RAM role, grant permissions to the role, and then allow Enterprise B's Alibaba Cloud account to assume it. This enables Enterprise B's Alibaba Cloud account or its RAM users to access Enterprise A's Alibaba Cloud resources.

Background

Enterprise A uses the EventBridge service and wants to delegate some tasks to Enterprise B.

The requirements are as follows:

  • Enterprise A wants to remain the resource owner, while delegating tasks like event publishing to Enterprise B.

  • Enterprise A wants to avoid making permission changes when employees join or leave Enterprise B. Enterprise B should be able to manage access for its own RAM users (employees or applications) and define fine-grained permissions for Enterprise A's resources.

  • Enterprise A must be able to revoke Enterprise B's access at any time, for example, if their contract ends.

Procedure

  1. Log on to the RAM console with Enterprise A's Alibaba Cloud account and create a RAM role for Enterprise B's Alibaba Cloud account.

  2. Optional: Create a custom policy for the RAM role.

    For more information, see Create a custom policy.

    EventBridge supports resource-level permissions. For more information, see Policies and examples.

  3. A new RAM role has no permissions. Enterprise A must grant permissions to it by attaching a system policy or a custom policy.

    For more information, see Manage permissions for a RAM role.

  4. Use Enterprise B's Alibaba Cloud account to log on to the RAM console and create a RAM user.

    For more information, see Create a RAM user.

  5. Grant the AliyunSTSAssumeRoleAccess policy to Enterprise B's RAM user.

    For more information, see Grant permissions to a RAM user.

    Enterprise B must grant the AliyunSTSAssumeRoleAccess permission to its RAM user. This allows the RAM user to assume the RAM role created by Enterprise A.

  6. Enterprise B's RAM user can now access Enterprise A's resources through the console or via API calls.

    For detailed instructions, see the Next steps section of this topic.

More information

What is RAM?

Next steps

An Enterprise B RAM user can now access Enterprise A's Alibaba Cloud resources by logging on to the console or by calling an API.

  • Log on to the console to access Enterprise A's resources

    1. Open the RAM user logon portal in your browser.

    2. On the RAM User Logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Logon.

      Note

      The logon name for a RAM user must be in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the ID of the Alibaba Cloud account is used by default.

    3. In the Alibaba Cloud console, move the pointer over your profile picture in the upper-right corner and click Switch Role.

    4. On the Switch Role page, enter the Enterprise Alias or Default Domain for Enterprise A's account and the Role Name. Then, click Switch.

    5. You can now perform operations on Enterprise A's Alibaba Cloud resources.

  • Make API calls to access Enterprise A's resources

    To access Enterprise A's resources via API calls, you must include the RAM user's AccessKeyId, AccessKeySecret, and SecurityToken in your code. The SecurityToken is a temporary security token. To learn how to obtain a temporary security token from STS, see AssumeRole.
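The following added example (not part of this topic or of any Alibaba Cloud SDK) shows the policy documents behind steps 1 to 3 of the procedure and the RoleArn that Enterprise B's RAM user passes to STS AssumeRole in the API path above, together with two checks Enterprise A would want: an audit that the role trusts only Enterprise B, and a revocation that removes Enterprise B from the trust policy. The account IDs are constructed placeholders, and the EventBridge resource string format is an assumption to be compared with the Policies and examples topic.

```python
import json

# Constructed placeholder account IDs (Alibaba Cloud account IDs are 16 digits).
ENTERPRISE_A = "1111222233334444"
ENTERPRISE_B = "5555666677778888"

def build_trust_policy(trusted_account_id):
    """Trust policy on Enterprise A's role (step 1): only the named account may
    call sts:AssumeRole; Enterprise B then decides which of its RAM users may."""
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]}}],
            "Version": "1"}

def build_eventbridge_policy(account_id, region, bus):
    """Custom policy for step 2: publish-only on a single event bus. The resource
    string format is an assumption; check it against 'Policies and examples'."""
    return {"Statement": [{"Action": ["eventbridge:PutEvents"], "Effect": "Allow",
                           "Resource": f"acs:eventbridge:{region}:{account_id}:eventbus/{bus}"}],
            "Version": "1"}

def _ram_principals(stmt):
    principals = stmt.get("Principal", {}).get("RAM", [])
    return [principals] if isinstance(principals, str) else principals

def audit_trust_policy(policy, expected_account_id):
    """Findings for every Allow RAM principal that is not Enterprise B; an empty
    list means only the intended account can assume the role. Only RAM principals
    are inspected here, not Service or Federated ones."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _ram_principals(stmt):
            if "*" in p:
                findings.append(f"wildcard principal {p}")
            elif not p.startswith(f"acs:ram::{expected_account_id}:"):
                findings.append(f"foreign principal {p}")
    return findings

def revoke_trusted_account(policy, account_id):
    """Enterprise A revokes access (third requirement) by dropping the account's
    principals; a statement left with no principal is removed entirely."""
    kept = []
    for stmt in policy.get("Statement", []):
        remaining = [p for p in _ram_principals(stmt)
                     if not p.startswith(f"acs:ram::{account_id}:")]
        if remaining:
            kept.append({**stmt, "Principal": {"RAM": remaining}})
    return {**policy, "Statement": kept}

def role_arn(account_id, role_name):
    """RoleArn that Enterprise B's RAM user passes to STS AssumeRole."""
    return f"acs:ram::{account_id}:role/{role_name}"

if __name__ == "__main__":
    trust = build_trust_policy(ENTERPRISE_B)
    print(json.dumps(trust, indent=2), audit_trust_policy(trust, ENTERPRISE_B))
    print(role_arn(ENTERPRISE_A, "EventPublisher"), revoke_trusted_account(trust, ENTERPRISE_B))
```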