Permissions for cross-account API error diagnosis

Updated at:
Copy as MD

If you lack permissions for other Alibaba Cloud accounts, you cannot analyze API errors or find solutions by using the API error diagnosis tool. Grant cross-account permissions to resolve this issue.

Within an Alibaba Cloud account

Grant permissions to a RAM user so that they can view API diagnosis information for other RAM users and RAM roles within the same account.

Step 1: Create a custom policy

  1. Log on to the by using your Alibaba Cloud account or a RAM user with RAM management permissions.

  2. In the left-side navigation pane, choose Permissions, and then click Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

    The editor displays a default policy template with a Version of "1" and a Statement array that contains a single object. The object has an Effect of "Allow" and empty Action, Resource, and Condition elements.

  5. Replace the content in the editor with the following policy and click OK.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "openapiexplorer:GetRequestLog",
                    "ram:DecodeDiagnosticMessage"
                ],
                "Resource": "*"
            }
        ]
    }
    Note

    This policy allows the user to view all API call logs and detailed information about insufficient permissions within the Alibaba Cloud account.

  6. Enter a Policy Name and a Description, and then click OK.

Step 2: Grant permissions to a RAM user

Grant permissions to the RAM user by using one of the following methods:

Step 3: View the API diagnosis result

Go to , enter the RequestId, and click Diagnose.

The diagnosis result shows that the cloud service is ECS, the ErrorCode is Forbidden.RAM, and the ErrorMessage indicates that the RAM user is not authorized to operate on the specified resource. The diagnosis details identify the caller as a RAM user attempting the ecs:ModifyInstanceAttribute action, with a decision of insufficient permissions. The recommended solution is to contact an administrator to grant a relevant system policy, such as AliyunECSFullAccess or AliyunECSReadOnlyAccess, or to create a custom policy.

Between different Alibaba Cloud accounts

To view API diagnosis information for another Alibaba Cloud account, assume a role that grants the required permissions.

image

Account A: The account that encounters an API error.

Account B: The account that needs to view the API diagnosis information.

  1. Account A creates a RAM role and grants Account B permission to assume it.

  2. Account B creates a RAM user and grants it permission to assume roles.

  3. The RAM user from Account B assumes the RAM role from Account A to query the cross-account API diagnosis information.

Step 1: Configure a RAM role in Account A

  1. Create a RAM role.

    Log on to the RAM console with Account A. Create a RAM role with Principal Type set to Cloud Account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    Note

    On the Create Role page, for Principal Name, select Other Account and enter the UID of Account B.

  2. Create a custom policy.

    For instructions, see Step 1: Create a custom policy in the previous section.

  3. Grant permissions to the RAM role.

    Attach the custom policy that you created in the previous step to the RAM role. For more information, see Manage permissions for a RAM role.

Step 2: Configure a RAM user in Account B

  1. Create a RAM user.

    Log on to the RAM console with Account B and create a RAM user. For more information, see Create a RAM user.

    Note

    For security, we recommend that you configure only one access mode for the RAM user based on your needs. Keep console access and programmatic access separate.

    In this example, the Logon Name is set to GetApiLogUser, the Display Name is set to "To query API call logs of another Alibaba Cloud account", and for Access Mode, both console access and programmatic access are selected.

  2. Grant permissions to the RAM user.

    To allow a RAM user to assume a role, attach the AliyunSTSAssumeRoleAccess policy to that user. This policy allows the user to assume any RAM role. For more information, see Manage RAM user permissions.

    Note

    If you want the RAM user to be able to assume only specific RAM roles, see RAM roles and STS Token FAQs.

Step 3: Assume the role and view diagnosis information

  1. Use the RAM user from Account B to log on to the RAM user logon page.

  2. Hover over your profile picture in the upper-right corner and click Switch Identity.

  3. On the Switch Role page, enter the UID of Account A and the RAM role name, then click Submit.

  4. View the API diagnosis information.

    Go to , enter the RequestId, and click Diagnose.

    The diagnosis result shows that the cloud service is ECS, the ErrorCode is Forbidden.RAM, and the ErrorMessage is User not authorized to operate on the specified resource, or this API doesn't support RAM.. The diagnosis details indicate that an identity-based policy at the resource group level denied access. The details also show the caller was a RAM user attempting the ecs:ModifyInstanceAttribute action while logged in with the GetApiLogRole role.