When multiple enterprises collaborate on EventBridge, the resource owner often needs to delegate specific operations -- such as publishing events to an event bus -- to another account without sharing credentials. Resource Access Management (RAM) solves this through cross-account role assumption: the resource owner creates a RAM role, grants it the required EventBridge permissions, and assigns the trusted entity to the authorized account. Users under the authorized account then assume this role to access the owner's resources.
This approach provides three benefits:
No credential sharing: The resource owner delegates tasks while retaining full control over permissions and resources.
Independent user management: When employees join or leave the authorized account, the resource owner does not need to update any permissions. The authorized account manages its own RAM users and controls their access to the owner's resources.
Instant revocation: The resource owner can revoke all delegated access at any time by removing the RAM role or detaching its policies.
Scenario
Enterprise A (the resource owner) owns EventBridge resources and wants to authorize Enterprise B (the authorized account) to perform specific operations, such as publishing events to an event bus.
The following steps walk through the complete setup, alternating between the two accounts:
| Step | Performed by | Action |
|---|---|---|
| 1 | Enterprise A | Create a RAM role trusted by Enterprise B |
| 2 (optional) | Enterprise A | Create a custom policy for fine-grained control |
| 3 | Enterprise A | Attach a policy to the RAM role |
| 4 | Enterprise B | Create a RAM user |
| 5 | Enterprise B | Grant the RAM user permission to assume the role |
| 6 | Enterprise B | Access Enterprise A's EventBridge resources |
Step 1: Create a RAM role (Enterprise A)
Log on to the RAM console with Enterprise A's Alibaba Cloud account and create a RAM role with Enterprise B's Alibaba Cloud account as the trusted entity.
For detailed steps, see Create a RAM role for a trusted Alibaba Cloud account.
Step 2 (optional): Create a custom policy (Enterprise A)
If the available system policies do not meet your requirements, create a custom policy for fine-grained access control. EventBridge supports resource-level permissions.
For the full list of supported actions and resources, see Policies.
For steps to create a custom policy, see Create a custom policy.
Step 3: Attach a policy to the RAM role (Enterprise A)
A newly created RAM role has no permissions. Attach a system policy or the custom policy you created in Step 2.
For detailed steps, see Grant permissions to a RAM role.
Follow the principle of least privilege. Grant only the permissions that Enterprise B needs for its specific tasks. Avoid attaching broad policies such as AdministratorAccess to cross-account roles.
Step 4: Create a RAM user (Enterprise B)
Log on to the RAM console with Enterprise B's Alibaba Cloud account and create a RAM user.
For detailed steps, see Create a RAM user.
Step 5: Grant the AssumeRole permission (Enterprise B)
Attach the AliyunSTSAssumeRoleAccess system policy to the RAM user created in Step 4. This policy allows the RAM user to call the Security Token Service (STS) AssumeRole operation to assume the RAM role created by Enterprise A.
For detailed steps, see Grant permissions to a RAM user.
Step 6: Access Enterprise A's resources (Enterprise B)
After completing Steps 1 through 5, Enterprise B's RAM user can access Enterprise A's EventBridge resources through the console or API.
Access through the console
Open the RAM user logon portal in your browser.
Enter the RAM user name and click Next. Then enter the password and click Login.
Note: The RAM user name uses the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no alias is set, the default Alibaba Cloud account ID is used.
On the console homepage, hover over the profile picture in the upper-right corner and click Switch Role.
On the Switch Role page, enter the Enterprise Alias/Default Domain Name of Enterprise A and the Role Name, then click Switch.
Perform operations on Enterprise A's EventBridge resources.
Access through the API
To call API operations as Enterprise B's RAM user, obtain temporary credentials by calling the AssumeRole operation with the ARN of Enterprise A's RAM role. Include the following temporary credentials returned by AssumeRole in your API requests:
| Credential | Description |
|---|---|
| AccessKeyId | The temporary AccessKey ID returned by AssumeRole |
| AccessKeySecret | The temporary AccessKey secret returned by AssumeRole |
| SecurityToken | The temporary security token returned by AssumeRole |
Temporary credentials returned by STS have an expiration time. Refresh them before they expire to avoid request failures.
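The following Python example is added here and is not part of the EventBridge documentation. It builds the ARN of the role Enterprise A created, parses the Credentials block of an AssumeRole response into the three values listed above, and refreshes them a few minutes before Expiration. The STS call itself is a hypothetical stand-in (`fake_assume_role`) that returns a constructed response; in practice it is replaced by the STS SDK's AssumeRole call.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


def role_arn(owner_account_id: str, role_name: str) -> str:
    """ARN of the RAM role Enterprise A created (Alibaba Cloud RAM format)."""
    return f"acs:ram::{owner_account_id}:role/{role_name}"


def parse_utc(stamp: str) -> datetime:
    """Parse the UTC timestamp format STS uses for Credentials.Expiration."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class TempCredentials:
    """The three values Step 6 says to include in every API request."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    @classmethod
    def from_assume_role_response(cls, body: Dict) -> "TempCredentials":
        c = body["Credentials"]
        return cls(c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"],
                   parse_utc(c["Expiration"]))

    def expires_within(self, now: datetime, margin: timedelta) -> bool:
        return now >= self.expiration - margin


class AssumedRoleSession:
    """Caches AssumeRole credentials and re-assumes the role ahead of expiry."""
    def __init__(self, arn: str, assume_role: Callable[[str], Dict],
                 margin: timedelta = timedelta(minutes=5)) -> None:
        self._arn, self._assume_role, self._margin = arn, assume_role, margin
        self._creds: Optional[TempCredentials] = None
        self.refresh_count = 0  # how many AssumeRole calls were made

    def credentials(self, now: Optional[datetime] = None) -> TempCredentials:
        now = now or datetime.now(timezone.utc)
        if self._creds is None or self._creds.expires_within(now, self._margin):
            self._creds = TempCredentials.from_assume_role_response(self._assume_role(self._arn))
            self.refresh_count += 1
        return self._creds


# Constructed sample shaped like an STS AssumeRole response body (not real credentials).
SAMPLE_RESPONSE = {"Credentials": {
    "AccessKeyId": "STS.EXAMPLEKEYID", "AccessKeySecret": "EXAMPLESECRET",
    "SecurityToken": "EXAMPLETOKEN", "Expiration": "2024-06-01T12:00:00Z"}}


def fake_assume_role(arn: str) -> Dict:
    """Hypothetical stand-in for the real STS AssumeRole call."""
    return dict(SAMPLE_RESPONSE)
```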