By default, OSS resources can only be accessed by their owners. To let another Alibaba Cloud account access your OSS resources without sharing long-term credentials, create a Resource Access Management (RAM) role, grant it the required OSS permissions, and let the other account's RAM user assume that role.
Scenario
This tutorial uses two accounts:
Company A — owns the OSS resources and creates the RAM role.
Company B — needs to access those resources and provides the RAM user that assumes the role.
Before you begin
Before you start, note the following constraints:
By default, after Company A creates the RAM role, all RAM users and RAM roles in Company B's account can assume it. To restrict access to specific users or roles, change the trust policy of the RAM role after creation. For details, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.
The AliyunOSSReadOnlyAccess policy used in this tutorial grants read-only permissions on OSS resources. To limit access to specific buckets or directories, create a custom policy instead. For details, see RAM policies.
Step 1: Company A creates a RAM role and grants OSS permissions
Log on to the RAM console as Company A.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
On the Create Role page, set Principal Type to Cloud Account and Principal Name to Other Account, then enter Company B's Alibaba Cloud Account ID and click OK.
In this example, Company B's account ID is 17464958576******.
In the Create Role dialog box, enter a Role Name and click OK.
In this example, the role name is admin-oss.
On the Roles page, click Grant Permission in the Actions column of the admin-oss role.
In the Grant Permission panel, select the AliyunOSSReadOnlyAccess policy and click Grant permissions.
Step 2: Company B creates a RAM user and grants assume-role permissions
Log on to the RAM console as Company B.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.
In the User Account Information section, enter the Logon Name and Display Name.
In the Access Mode section, select Console Access and configure Set Logon Password, Password Reset, and Enable MFA based on your requirements.
Note: If you select Reset Custom Password for Set Logon Password, the password must meet the complexity requirements. For details, see Configure a password policy for RAM users.
Click OK.
On the Users page, click Add Permissions in the Actions column of the RAM user you created.
In the Grant Permission panel, select System Policy from the policy type drop-down list, select AliyunSTSAssumeRoleAccess, and click Grant permissions.
Step 3: Company B's RAM user assumes the RAM role
Log on to the Alibaba Cloud Management Console as the RAM user of Company B. For details, see Log on to the Alibaba Cloud Management Console as a RAM user.
In the upper-right corner, move the pointer over the profile picture and click Switch Identity.
On the Switch Role page, enter the following information and click Submit:
Enterprise Alias/Default Domain Name: The enterprise alias, default domain name, or UID of Company A. In this example, the default domain name 178810717******.onaliyun.com is used.
Role Name: admin-oss
Log on to the OSS console to access and manage Company A's OSS resources.
Verify access
After assuming the role, confirm that cross-account access is working:
In the OSS console, verify that Company A's buckets are listed.
Open one of the buckets and confirm that you can list objects.
If the buckets are not visible or you receive a permission error, check the following:
Company A's RAM role has the AliyunOSSReadOnlyAccess policy attached (Step 1).
Company B's RAM user has the AliyunSTSAssumeRoleAccess policy attached (Step 2).
The enterprise alias, default domain name, or UID and the role name entered on the Switch Role page are correct (Step 3).
Next steps
This tutorial uses a single system policy for simplicity. In production, consider the following:
Restrict who can assume the role: By default, all RAM users and RAM roles of Company B can assume the admin-oss role. Update the trust policy to limit access to specific RAM users. For details, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.
Use a custom policy for least-privilege access: Replace AliyunOSSReadOnlyAccess with a custom policy that grants access only to specific buckets or directories. For details, see RAM policies.
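As an added example that is not part of this tutorial, the following Python builds the two policy documents discussed in "Before you begin" and "Next steps" in RAM policy syntax (the default trust policy versus one restricted to named RAM users, and a bucket-scoped replacement for AliyunOSSReadOnlyAccess) and checks which principals a trust policy admits. The account ID, user names and bucket name are placeholders.

```python
import json

# Placeholder values (constructed for this example; replace with real ones).
COMPANY_B_ACCOUNT_ID = "17464958576******"  # Company B's masked account ID
ROLE_NAME = "admin-oss"


def build_trust_policy(account_id, users=None):
    """Trust policy for the RAM role in Company A's account.

    users=None reproduces the default: 'acs:ram::<id>:root' lets every RAM
    user and RAM role in that account assume the role. A list of RAM user
    names restricts trust to 'acs:ram::<id>:user/<name>' entries only.
    """
    if users:
        principals = [f"acs:ram::{account_id}:user/{u}" for u in users]
    else:
        principals = [f"acs:ram::{account_id}:root"]
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"RAM": principals}}],
            "Version": "1"}


def build_oss_readonly_policy(bucket, prefix=""):
    """Least-privilege stand-in for AliyunOSSReadOnlyAccess: read access to
    one bucket (optionally one directory prefix) instead of all of OSS."""
    return {"Statement": [
        {"Action": "oss:ListBuckets", "Effect": "Allow", "Resource": "acs:oss:*:*:*"},
        {"Action": ["oss:ListObjects", "oss:GetObject"], "Effect": "Allow",
         "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/{prefix}*"]}],
        "Version": "1"}


def can_assume(trust_policy, principal):
    """Return True if the RAM principal ARN is admitted by the trust policy.
    A ':root' entry matches any user or role ARN of the same account."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        for trusted in stmt["Principal"].get("RAM", []):
            if trusted == principal:
                return True
            if trusted.endswith(":root") and principal.startswith(trusted[:-len("root")]):
                return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(COMPANY_B_ACCOUNT_ID, ["oss-reader"]), indent=2))
    print(json.dumps(build_oss_readonly_policy("company-a-logs", "2024/"), indent=2))
```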
Alternative approach: To configure access at the bucket level rather than through a RAM role, see Tutorial: Authorize a RAM user in another Alibaba Cloud account by adding a bucket policy.