Permissions for cross-account API error diagnosis
If you lack permissions for other Alibaba Cloud accounts, you cannot analyze API errors or find solutions by using the API error diagnosis tool. Grant cross-account permissions to resolve this issue.
Within an Alibaba Cloud account
Grant permissions to a RAM user so that they can view API diagnosis information for other RAM users and RAM roles within the same account.
Step 1: Create a custom policy
-
Log on to the by using your Alibaba Cloud account or a RAM user with RAM management permissions.
-
In the left-side navigation pane, choose Permissions, and then click Policies.
-
On the Policies page, click Create Policy.
-
On the Create Policy page, click the JSON tab.
The editor displays a default policy template with a
Versionof"1"and aStatementarray that contains a single object. The object has anEffectof"Allow"and emptyAction,Resource, andConditionelements. -
Replace the content in the editor with the following policy and click OK.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "openapiexplorer:GetRequestLog", "ram:DecodeDiagnosticMessage" ], "Resource": "*" } ] }NoteThis policy allows the user to view all API call logs and detailed information about insufficient permissions within the Alibaba Cloud account.
-
Enter a Policy Name and a Description, and then click OK.
Step 2: Grant permissions to a RAM user
Grant permissions to the RAM user by using one of the following methods:
-
To grant permissions to a RAM user, see Manage RAM user permissions.
-
To grant permissions to a RAM user group, see Grant permissions to a RAM user group.
Step 3: View the API diagnosis result
Go to , enter the RequestId, and click Diagnose.
The diagnosis result shows that the cloud service is ECS, the ErrorCode is Forbidden.RAM, and the ErrorMessage indicates that the RAM user is not authorized to operate on the specified resource. The diagnosis details identify the caller as a RAM user attempting the ecs:ModifyInstanceAttribute action, with a decision of insufficient permissions. The recommended solution is to contact an administrator to grant a relevant system policy, such as AliyunECSFullAccess or AliyunECSReadOnlyAccess, or to create a custom policy.
Between different Alibaba Cloud accounts
To view API diagnosis information for another Alibaba Cloud account, assume a role that grants the required permissions.
Account A: The account that encounters an API error.
Account B: The account that needs to view the API diagnosis information.
-
Account A creates a RAM role and grants Account B permission to assume it.
-
Account B creates a RAM user and grants it permission to assume roles.
-
The RAM user from Account B assumes the RAM role from Account A to query the cross-account API diagnosis information.
Step 1: Configure a RAM role in Account A
-
Create a RAM role.
Log on to the RAM console with Account A. Create a RAM role with Principal Type set to Cloud Account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
NoteOn the Create Role page, for Principal Name, select Other Account and enter the UID of Account B.
-
Create a custom policy.
For instructions, see Step 1: Create a custom policy in the previous section.
-
Grant permissions to the RAM role.
Attach the custom policy that you created in the previous step to the RAM role. For more information, see Manage permissions for a RAM role.
Step 2: Configure a RAM user in Account B
-
Create a RAM user.
Log on to the RAM console with Account B and create a RAM user. For more information, see Create a RAM user.
NoteFor security, we recommend that you configure only one access mode for the RAM user based on your needs. Keep console access and programmatic access separate.
In this example, the Logon Name is set to
GetApiLogUser, the Display Name is set to "To query API call logs of another Alibaba Cloud account", and for Access Mode, both console access and programmatic access are selected. -
Grant permissions to the RAM user.
To allow a RAM user to assume a role, attach the
AliyunSTSAssumeRoleAccesspolicy to that user. This policy allows the user to assume any RAM role. For more information, see Manage RAM user permissions.NoteIf you want the RAM user to be able to assume only specific RAM roles, see RAM roles and STS Token FAQs.
Step 3: Assume the role and view diagnosis information
-
Use the RAM user from Account B to log on to the RAM user logon page.
-
Hover over your profile picture in the upper-right corner and click Switch Identity.
-
On the Switch Role page, enter the UID of Account A and the RAM role name, then click Submit.
-
View the API diagnosis information.
Go to , enter the RequestId, and click Diagnose.
The diagnosis result shows that the cloud service is ECS, the ErrorCode is
Forbidden.RAM, and the ErrorMessage isUser not authorized to operate on the specified resource, or this API doesn't support RAM.. The diagnosis details indicate that an identity-based policy at the resource group level denied access. The details also show the caller was a RAM user attempting theecs:ModifyInstanceAttributeaction while logged in with the GetApiLogRole role.