This topic describes how to configure cross-account push authorization for the topic-based model of Simple Message Queue (formerly MNS).
Prerequisites
Two Alibaba Cloud accounts, A and B, are required:
Alibaba Cloud account A: The account ID is testAccountID.
Alibaba Cloud account B: The account ID is testAccountID1.
This topic uses an example where Alibaba Cloud account A pushes messages to Alibaba Cloud account B.
Step 1: Create a RAM role for account B
Create a RAM role and allow account A to assume this role.
Log on to the Resource Access Management (RAM) console using Alibaba Cloud account B or a RAM administrator.
In the navigation pane on the left, choose .
On the Roles page, click Create Role.
On the Create Role page, set Trusted Entity Type to Alibaba Cloud Service, select a specific Alibaba Cloud service, and then click OK.

In the Create Role dialog box, enter a Role Name and click OK.
Modify the trust policy of the RAM role.
On the Trust Policy tab, click Edit Trust Policy.
In the editor, modify the trust policy and click OK.
Note: Replace "Service": "mns.aliyuncs.com" with "Service": "testAccountID@mns.aliyuncs.com". Replace testAccountID with the ID of Alibaba Cloud account A.
Step 2: Grant cross-account permissions to the RAM role of account B
Push to Simple Message Queue (formerly MNS) queue
Log on to the Resource Access Management (RAM) console using Alibaba Cloud account B or a RAM administrator.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Visual Editor tab.
Configure the access policy as follows and click OK.
In the Effect section, select Allow.
In the Service section, select Simple Message Queue (formerly MNS) from the Alibaba Cloud service list.
In the Action section, select Specify Action. Then, select the mns:SendMessage check box under Write.
In the Resource section, select All Resources or Specific Resources.
In the Create Policy dialog box, enter a Policy Name and Note, and then click OK.
In the navigation pane on the left, choose .
On the Roles page, click the name of the RAM role that you created in Step 1.
On the Permission Management tab, click Add Permissions.
In the Add Permissions dialog box, configure the following parameters and click OK.
Policy Type: Select Custom Policy.
Policy Name: In the text box, enter the name of the policy that you just created.
Push to Function Compute
Log on to the Resource Access Management (RAM) console using Alibaba Cloud account B or a RAM administrator.
In the navigation pane on the left, choose .
On the Roles page, click the name of the RAM role that you created in Step 1.
On the Permission Management tab, click Add Permissions.
In the Add Permissions dialog box, configure the access policy as follows and click OK.
Resource Scope: Select Account Level.
Access Policy: Select the AliyunFCInvocationAccess check box.
Push to ApsaraMQ for Kafka
Log on to the Resource Access Management (RAM) console using Alibaba Cloud account B or a RAM administrator.
In the navigation pane on the left, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the Script Editor tab, replace the text in the editor with the following content, and then click OK.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eventbridge:*EventStreaming",
      "Resource": "*"
    }
  ]
}
In the Create Policy dialog box, enter a Policy Name and Note, and then click OK.
In the navigation pane on the left, choose .
On the Roles page, click the name of the RAM role that you created in Step 1.
On the Permission Management tab, click Add Permissions.
In the Add Permissions dialog box, configure the following parameters and click OK.
Policy Type: Select Custom Policy.
Policy Name: In the text box, enter the name of the policy that you just created.
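Added example, not part of the original documentation: a Python check that the Step 1 trust policy names only the account-scoped MNS principal, and that lists wildcard actions and all-resource grants in a Step 2 permission policy for review. The trust policy layout (Statement, Principal.Service, sts:AssumeRole) is an assumption, because the page shows only the Service line. The function names and sample documents are constructed for illustration.

```python
import json

MNS = "mns.aliyuncs.com"

def as_list(value):
    # RAM policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, publisher_id):
    """Step 1: only <publisher_id>@mns.aliyuncs.com should be trusted."""
    expected, findings, seen = f"{publisher_id}@{MNS}", [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for svc in as_list(stmt.get("Principal", {}).get("Service", [])):
            if svc == expected:
                seen = True
            elif svc == MNS:
                findings.append("service principal not scoped to an account")
            elif svc.endswith("@" + MNS):
                findings.append(f"unexpected publisher account: {svc}")
    if not seen:
        findings.append(f"missing expected principal: {expected}")
    return findings

def audit_permission_policy(policy):
    """Step 2: list wildcard actions and all-resource grants for review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"wildcard action: {a}"
                     for a in as_list(stmt.get("Action", [])) if "*" in a]
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append("grant applies to all resources")
    return findings

# Constructed sample (assumed layout): the trust policy before the Step 1 edit.
UNEDITED_TRUST = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRole", "Principal": {"Service": ["mns.aliyuncs.com"]}}]}""")
# Constructed sample: the same policy after the edit, with the page's placeholder ID.
EDITED_TRUST = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRole", "Principal": {"Service": ["testAccountID@mns.aliyuncs.com"]}}]}""")

if __name__ == "__main__":
    print(audit_trust_policy(UNEDITED_TRUST, "testAccountID"))
    print(audit_trust_policy(EDITED_TRUST, "testAccountID"))
```

Run it against the policy documents copied from the Trust Policy tab and the Script Editor in account B before handing the role ARN to account A.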
Step 3: Obtain the ARN of the RAM role for cross-account authorization from account B
In a cross-account scenario, when you use Alibaba Cloud account A to create a subscription, you must enter the Alibaba Cloud Resource Name (ARN) of the RAM role in the Service-linked Role field.
Log on to the Resource Access Management (RAM) console using Alibaba Cloud account B or a RAM administrator.
In the navigation pane on the left, choose .
On the Roles page, click the name of the RAM role that you created in Step 1.
In the Basic Information section, click Copy next to the ARN.

References
For more information about how to subscribe to a Simple Message Queue (formerly MNS) topic across accounts, see the following topics: