All Products
Search
Document Center

Express Connect:Grant permissions to an ECR across Alibaba Cloud accounts

Last Updated:Apr 01, 2026

To associate a virtual private cloud (VPC) or virtual border router (VBR) with an Express Connect Router (ECR) that belongs to a different Alibaba Cloud account, the account that owns the VPC or VBR must grant the ECR permission to accept the association.

This topic uses the following scenario: account B owns a VPC or VBR in the China (Hangzhou) region, and account A owns an ECR. Account B grants account A's ECR the permission to associate, so that account B's VPC or VBR can be linked to account A's ECR.

Two roles are involved:

RoleDescription
ECR owner account (account A)Creates and owns the ECR. Provides its account UID and ECR ID to account B before authorization begins.
Authorizing account (account B)Owns the VPC or VBR. Performs all authorization steps in this topic.

Limitations

Cross-account connection between a VBR and an ECR is disabled by default. To enable it, provide a certificate proving that both Alibaba Cloud accounts belong to the same enterprise or entity, then contact your customer manager to submit the certificate.

The following figure shows an example of the certificate.

image

Prerequisites

Before you begin, make sure that you have:

  • An ECR created under account A (the ECR owner account)

  • The account UID of account A

  • The ECR ID of the ECR under account A

  • The VPC or VBR under account B that you want to associate with the ECR

Grant permissions using a VPC

Perform the following steps using account B (the authorizing account).

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is deployed.

  3. In the left-side navigation pane, click VPC. On the VPC page, find the VPC and click its ID.

  4. On the VPC details page, click the Cross-account authorization tab, then click the ECR tab.

  5. On the ECR tab, click Cross-account Authorization on ECR.

  6. In the ECR Account Authorization dialog box, configure the following parameters and click OK.

    ParameterDescription
    Authorized Account UIDThe account UID of account A, which owns the ECR.
    Associated ECR IDThe ID of the ECR under account A.

After authorization succeeds, the ECR tab displays the authorized account UID, ECR ID, and authorization time. Account B's VPC can now be associated with account A's ECR.

Revoke permissions

  1. On the ECR tab, find the account whose permissions you want to revoke and click Revoke Permission in the Actions column.

  2. In the confirmation dialog box, click OK.

Grant permissions using a VBR

Perform the following steps using account B (the authorizing account).

Important

Before starting, confirm that the cross-account connection feature for VBR and ECR has been enabled for your account. If not, contact your customer manager with the required certificate.

  1. Log on to the Express Connect console.

  2. In the top navigation bar, select the region where the VBR is deployed. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  3. On the Virtual Border Routers (VBRs) page, find the VBR and click its ID.

  4. On the VBR details page, click the ECR Authorization tab, then click ECR Account Authorization.

  5. In the ECR Account Authorization dialog box, configure the following parameters and click OK.

    ParameterDescription
    Authorized Account UIDThe account UID of account A, which owns the ECR.
    Associated ECR IDThe ID of the ECR under account A.

After authorization succeeds, the ECR Authorization tab displays the authorized account UID, ECR ID, and authorization time. Account B's VBR can now be associated with account A's ECR.

Revoke permissions

  1. On the ECR Authorization tab, find the account whose permissions you want to revoke and click Delete in the Actions column.

  2. In the confirmation dialog box, click OK.

What's next

After authorization is complete, associate the VPC or VBR with the ECR. For instructions on managing ECRs, see Create and manage ECRs.