All Products
Search
Document Center

IoT Platform:Authorize a RAM user of another account to use server-side subscription

Last Updated:Jun 18, 2026

IoT Platform supports cross-account server-side subscription through RAM role authorization. By creating a RAM role and granting it to another Alibaba Cloud account, you allow that account and its RAM users to access your server-side subscription resources.

Background information

Security Token Service (STS) provides temporary credentials for accessing Alibaba Cloud resources. RAM supports two identity types: RAM user and RAM role.

A RAM role is a virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity, such as a RAM user, an Alibaba Cloud service, or an identity provider (IdP). After assuming a RAM role, the trusted entity obtains an STS token to access the resources authorized to that role.

For more information about the features and benefits of STS, see What is STS?

Scenario

Enterprise A uses its Alibaba Cloud account to activate IoT Platform and wants to authorize the Alibaba Cloud account of Enterprise B to access the server-side subscription resources.

Solution

Enterprise A needs to authorize employees of Enterprise B to access its server-side subscription resources on IoT Platform. In this topic, Account A refers to the Alibaba Cloud account of Enterprise A and Account B refers to the Alibaba Cloud account of Enterprise B. To authorize Account B to access resources that belong to Account A, perform the following steps:

  1. Step 1: Create a RAM role and grant permissions to the RAM role

    Enterprise A uses Account A to create a RAM role, attaches the policy related to server-side subscription to the RAM role, and then allows the RAM user that belongs to Account B to assume this role.

  2. Step 2: Receive AMQP server-side subscription messages across accounts

    After permissions are granted, the RAM user of Account B assumes the RAM role of Account A to obtain the required permissions.

Step 1: Create a RAM role and grant permissions to the RAM role

  1. Create a RAM role for a trusted Alibaba Cloud account: Enterprise A uses Account A to log on to the RAM console and creates a RAM role for Account B of Enterprise B.

    In the Configure Role step of the Create Role wizard, select Other Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter and enter the ID of Account B.

  2. Create a custom policy on the JSON tab: Enterprise A uses Account A to create a custom policy.

    To grant the permission to use server-side subscription, set the Action parameter to iot:sub. The following code shows the policy content:

    {
      "Statement": [
        {
          "Action": "iot:sub",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  3. Grant permissions to the RAM role: Enterprise A uses Account A to attach the custom policy that was created in the previous step to the RAM role.

  4. Create a RAM user: Enterprise B uses Account B to log on to the RAM console and creates a RAM user.

  5. Grant permissions to the RAM user: Enterprise B uses Account B to grant the AliyunSTSAssumeRoleAccess permission to the RAM user that was created in the previous step so that the RAM user of Account B can assume the RAM role of Account A.

Step 2: Receive AMQP server-side subscription messages across accounts

  1. Configure an AMQP server-side subscription: Enterprise A uses Account A to log on to the IoT Platform console and configures an Advanced Message Queuing Protocol (AMQP) server-side subscription.

  2. Configure an AMQP client to receive server-side subscription messages: Enterprise B connects an AMQP client to IoT Platform as the authorized RAM user to receive device messages from Enterprise A through server-side subscription.