When you use the error diagnosis tool, you might not have the required permissions to query API diagnosis information for other accounts. This can prevent you from analyzing API errors and finding solutions. This topic describes how to grant permissions to query API diagnosis information for other accounts.
Within the same Alibaba Cloud account
You can grant the required permissions to a Resource Access Management (RAM) user who needs to view API diagnosis information. This allows the RAM user to view the API diagnosis information of other RAM users or RAM roles.
Step 1: Create a custom policy
Log on to the RAM console by using an Alibaba Cloud account or a RAM administrator account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab.

In the editor, replace the existing content with the following policy document, and click OK.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "openapiexplorer:GetRequestLog",
        "ram:DecodeDiagnosticMessage"
      ],
      "Resource": "*"
    }
  ]
}
Note: This policy allows a user to view all API call logs and details about permission-denied errors for the Alibaba Cloud account.
Enter a name and description for the policy and click OK.
Step 2: Grant permissions to a RAM user
You can grant permissions to the RAM user in one of the following ways:
To grant permissions to a RAM user, see Grant permissions to a RAM user.
To grant permissions to a RAM user group, see Grant permissions to a RAM user group.
Step 3: View the API diagnosis result
Go to the error diagnosis tool, enter the RequestId, and click Diagnose.

Between different Alibaba Cloud accounts
To view API diagnosis information for another Alibaba Cloud account, you can obtain the required permissions by assuming a role.
The process is as follows:
Account A: The account that encounters an error when it calls an API.
Account B: The account that needs to view the API diagnosis information.
In Account A, create a RAM role that trusts Account B, granting Account B permission to assume this role.
In Account B, create a RAM user and attach a policy that allows the user to assume the role in Account A.
The RAM user from Account B assumes the role in Account A to query the API diagnosis information using the error diagnosis tool.
Step 1: Create a RAM role and grant permissions in Account A
Create a RAM role.
Log on to the RAM console with Account A. Create a RAM role and set the Principal Type to Cloud Account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Note: Select Other Account for Principal Name and enter the UID of Account B.

Create a custom policy.
For more information, see Step 1: Create a custom policy.
Grant permissions to the RAM role.
Attach the custom policy that you created to the RAM role. For more information, see Grant permissions to a RAM role.
Step 2: Create a RAM user and grant permissions in Account B
Create a RAM user.
Log on to the RAM console with Account B and create a RAM user. For more information, see Create a RAM user.
Note: For security, configure only one access mode for the RAM user as needed. Keep console access and programmatic access separate.

Grant permissions to the RAM user.
To allow the RAM user to assume the role, attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This policy grants permission to assume any role. For more information, see Grant permissions to a RAM user.
Note: If you want the RAM user to assume only specific RAM roles, see FAQ about RAM roles and STS tokens.
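The following added example (not part of the original documentation or Alibaba Cloud's own code) builds the two policy documents this cross-account setup relies on, the trust policy for the role in Account A and a policy for the RAM user in Account B that is scoped to that one role, and flags any policy that allows sts:AssumeRole on a wildcard resource. The function names, the sample UIDs, and the role name api-diagnosis-reader are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

def trust_policy(trusted_uid):
    """Trust policy for the role in Account A: only Account B may assume it."""
    if not trusted_uid.isdigit():  # assumption: account UIDs are numeric strings
        raise ValueError("UID must be numeric")
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{trusted_uid}:root"]},
    }]}

def scoped_assume_policy(role_owner_uid, role_name):
    """Policy for the RAM user in Account B: assume one named role only."""
    if not role_owner_uid.isdigit() or not role_name or "*" in role_name:
        raise ValueError("need a numeric UID and a literal role name")
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"acs:ram::{role_owner_uid}:role/{role_name}",
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_assume_role(policy):
    """Return the Allow statements that permit sts:AssumeRole on a wildcard resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants = any(fnmatchcase("sts:assumerole", a) for a in actions)
        wild = any("*" in r for r in _as_list(stmt.get("Resource", [])))
        if grants and wild:
            findings.append(stmt)
    return findings

# Constructed sample values (placeholders, not real accounts or roles).
ACCOUNT_A, ACCOUNT_B, ROLE = "1111111111111111", "2222222222222222", "api-diagnosis-reader"
# Constructed policy that stands in for an "assume any role" grant.
ANY_ROLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_B), indent=2))
    print(json.dumps(scoped_assume_policy(ACCOUNT_A, ROLE), indent=2))
    print("any-role policy flagged:", bool(overbroad_assume_role(ANY_ROLE)))
```

The scoped document can be created as a custom policy in Account B and attached to the RAM user in place of the any-role grant.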
Step 3: Assume the RAM role and view API diagnosis information
Use the RAM user that you created in Account B to log on to the RAM user logon page.
Hover over the profile picture in the upper-right corner and click Switch Identity.
On the Switch Role page, enter the UID of the desired account and the RAM role name, then click Submit to log on. For example, enter the UID of Account A and the RAM role name.
View the API diagnosis information.
Go to the error diagnosis tool, enter the RequestId, and click Diagnose.
