
Object Storage Service:Tutorial: Authorize a RAM user of another Alibaba Cloud account by creating a RAM role

Last Updated:Jul 14, 2025

By default, Object Storage Service (OSS) resources can be accessed only by their owners. To authorize another user to access your OSS resources, you can grant permissions to the user by creating a Resource Access Management (RAM) role.

Background information

Example: Company A wants to authorize Company B to access the OSS resources of Company A. However, Company A does not want to provide Company B with the credentials of a RAM user. In this case, Company A can create a RAM role and grant the RAM role the permissions to access the OSS resources of Company A. Company B can use a RAM user to assume the RAM role. This way, Company B can access the OSS resources of Company A.

Step 1: Company A creates a RAM role and grants the RAM role the permissions to access the OSS resources of Company A

Company A must create a RAM role that has the permissions to access the OSS resources of Company A.

  1. Create a RAM role.

    1. Log on to the RAM console as Company A.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. On the Create Role page, select Cloud Account for Principal Type and Other Account for Principal Name, specify the Alibaba Cloud account ID of Company B, and then click OK. In this example, the Alibaba Cloud account ID of Company B is set to 17464958576******.

    5. In the Create Role dialog box, specify the Role Name and click OK. In this example, the Role Name is set to admin-oss.

      Note

      After the RAM role is created, the RAM role can be assumed by all RAM users and RAM roles of the trusted Alibaba Cloud account (Alibaba Cloud account of Company B) by default. If you want to specify that the RAM role can be assumed only by specific RAM users or RAM roles, you can change the trusted policy of the RAM role. For more information, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.

  2. Grant permissions to the RAM role.

    1. On the Roles page, click Grant Permission in the Actions column of the admin-oss role.

    2. In the Grant Permission panel, select the AliyunOSSReadOnlyAccess policy.

      Important

      The AliyunOSSReadOnlyAccess policy grants a RAM role the read-only permissions on OSS resources. You can create a custom policy to grant the permissions to access only specific buckets or specific directories in a bucket. For more information about custom policies, see RAM policies.

    3. Click Grant permissions.
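The two policy documents behind Step 1, as an added example that is not part of the Alibaba Cloud documentation: the trust policy of the admin-oss role (the default that trusts the whole account of Company B, and the narrowed form the note above refers to, which names specific RAM users or roles of Company B), and a custom permission policy that scopes read access to one directory of one bucket instead of AliyunOSSReadOnlyAccess. The account ID is the masked value from the tutorial; the RAM user name oss-reader, the bucket examplebucket and the directory reports/ are constructed placeholders. A small check at the end reports when a trust policy still trusts an entire account, which is what the console creates by default.

```python
"""Trust policy and permission policy for a cross-account RAM role.

Added example, not code from the Alibaba Cloud documentation. The
account ID is the masked value from the tutorial; user, role, bucket
and directory names are constructed placeholders.
"""
import json

COMPANY_B_ACCOUNT_ID = "17464958576******"   # masked, from the tutorial
TRUSTED_USERS = ["oss-reader"]               # hypothetical RAM user of Company B
TRUSTED_ROLES = []                           # hypothetical RAM roles of Company B
BUCKET = "examplebucket"                     # hypothetical bucket of Company A
PREFIX = "reports/"                          # hypothetical directory in that bucket


def trust_policy(account_id, users=(), roles=()):
    """Build the trust policy of a RAM role.

    With no users or roles given, the principal is the account root, so
    every RAM user and RAM role of the trusted account may assume the
    role (the console default). Naming users or roles narrows the trust
    to exactly those identities.
    """
    if users or roles:
        principals = [f"acs:ram::{account_id}:user/{u}" for u in users]
        principals += [f"acs:ram::{account_id}:role/{r}" for r in roles]
    else:
        principals = [f"acs:ram::{account_id}:root"]
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": principals},
        }],
        "Version": "1",
    }


def oss_read_policy(bucket, prefix):
    """Read-only access limited to one directory of one bucket.

    A narrower substitute for the AliyunOSSReadOnlyAccess system policy:
    listing is allowed only under the prefix (oss:Prefix condition) and
    object reads only for keys under that prefix.
    """
    return {
        "Version": "1",
        "Statement": [
            {   # bucket-level listing, restricted to the directory
                "Effect": "Allow",
                "Action": ["oss:ListObjects", "oss:GetBucketInfo"],
                "Resource": f"acs:oss:*:*:{bucket}",
                "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}},
            },
            {   # object reads, restricted to the directory
                "Effect": "Allow",
                "Action": ["oss:GetObject"],
                "Resource": f"acs:oss:*:*:{bucket}/{prefix}*",
            },
        ],
    }


def account_wide_principals(policy):
    """Return the principals of a trust policy that trust a whole
    account (':root'), the default the tutorial's note points out."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in stmt.get("Principal", {}).get("RAM", []):
            if principal.endswith(":root"):
                found.append(principal)
    return found


if __name__ == "__main__":
    default = trust_policy(COMPANY_B_ACCOUNT_ID)
    narrowed = trust_policy(COMPANY_B_ACCOUNT_ID, TRUSTED_USERS, TRUSTED_ROLES)
    print("default trust policy trusts whole account:",
          account_wide_principals(default))
    print("narrowed trust policy trusts whole account:",
          account_wide_principals(narrowed))
    print(json.dumps(narrowed, indent=2))
    print(json.dumps(oss_read_policy(BUCKET, PREFIX), indent=2))
```

Paste the printed JSON into the trust policy of the role (Step 1.1) and into a custom policy attached in place of AliyunOSSReadOnlyAccess (Step 1.2). Both documents use the acs:ram and acs:oss resource formats of Alibaba Cloud RAM; the role session itself is still obtained through sts:AssumeRole, which is what AliyunSTSAssumeRoleAccess grants the RAM user of Company B in Step 2.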

Step 2: Company B creates a RAM user and grants the RAM user the permissions to assume RAM roles

Company B must create a RAM user that has the permissions to assume RAM roles. Company B can use the RAM user to assume the RAM role that is created by Company A.

  1. Create a RAM user.

    1. Log on to the RAM console as Company B.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.

    5. In the Access Mode section, select Console Access and specify the Set Logon Password, Password Reset, and Enable MFA parameters based on your business requirements.

      Note

      If you select Reset Custom Password for the Set Logon Password parameter, you must specify a password that meets the password complexity requirements. For more information about the password complexity requirements, see Configure a password policy for RAM users.

    6. Click OK.

  2. Grant the required permissions to the RAM user.

    1. On the Users page, find the RAM user to which you want to grant the required permissions. Then, click Add Permissions in the Actions column.

    2. In the Grant Permission panel, select System Policy from the drop-down list in the policy section and click AliyunSTSAssumeRoleAccess.

    3. Click Grant permissions.

Step 3: Company B uses the created RAM user to log on to the Alibaba Cloud Management Console and assume the RAM role that is created by Company A

Company B uses the created RAM user to log on to the Alibaba Cloud Management Console and switches the identity to the RAM role that is created by Company A.

  1. Log on to the Alibaba Cloud Management Console as the RAM user of Company B. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. In the upper-right corner of the console, move the pointer over the profile picture, and click Switch Identity.

  3. On the Switch Role page, enter information about the RAM role and click Submit.

    Enter the following information about the RAM role:

    • Enterprise Alias/Default Domain Name: Enter the alias, default domain name, or UID of Company A. For more information, see Terms.

      In this example, the default domain name 178810717******.onaliyun.com is used. 178810717****** is the UID of an Alibaba Cloud account that belongs to Company A.

    • Role Name: Enter admin-oss, which is the name of the RAM role created by Company A.

  4. Log on to the OSS console and manage the OSS resources of Company A.

References

You can also authorize a RAM user of another Alibaba Cloud account by configuring a bucket policy. For more information, see Tutorial: Authorize a RAM user in another Alibaba Cloud account by adding a bucket policy.