Resource Access Management (RAM) roles are the primary method for delegating permissions to access resources in your account to users from another Alibaba Cloud account. This tutorial shows you how to set up, use, and revoke cross-account access securely.
Scenario
Imagine your organization, Company A, needs to grant a third-party partner, Company B, access to manage specific resources in your Alibaba Cloud account. These resources might include Elastic Compute Service (ECS) instances or Object Storage Service (OSS) buckets. In this scenario:
Company A is the resource-owning account.
Company B is the third-party account that needs access.
Your goal is to grant access to Company B without sharing long-term credentials like AccessKey pairs, while allowing Company B to manage which of its own employees can access your resources. You also need the ability to revoke access at any time.
Solution overview
To solve this, you create a RAM role in your account (Company A) that establishes a trust relationship with Company B's account. This role has two important policies attached to it:
A trust policy that specifies Company B's account as a trusted principal, meaning users from that account are allowed to assume the role.
One or more permission policies that define exactly what actions the role can perform on your resources (such as reading from an OSS bucket or restarting an ECS instance).
An administrator in Company B can then grant specific RAM users in their own account permission to assume the role you created. When a user from Company B assumes the role, they temporarily trade their own permissions for the permissions granted by the role in your account.
Step 1: Create a cross-account role in the resource-owning account (Company A)
In this step, you (as the administrator of Company A) create the RAM role that Company B will assume.
Log on to the RAM console with your Company A account.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
For Principal Type, select Cloud Account.
For Principal Name, select Other Account and enter the Account ID of Company B.
Click OK.

In the Create Role dialog box, enter a RAM Role Name (such as Partner-ReadOnly-Access).
On the Roles page, find the role and click Attach Policy in the Actions column to attach the policies that define what the role can do. Follow the principle of least privilege by granting only the minimum necessary permissions. For example, to grant read-only access to ECS, search for and select the AliyunECSReadOnlyAccess policy.
Click OK, then click Close.
For more information, see Create a RAM role for a trusted Alibaba Cloud account, Manage basic account information, and Manage a RAM role's permissions.
Step 2: Grant permissions to a user in the third-party account (Company B)
Now, the administrator of Company B must grant a user the permission to assume the role you just created.
Log on to the RAM console with your Company B account.
Create a RAM user (such as Bob) if one does not already exist. For instructions, see Create a RAM user.
Find the user Bob and click Attach Policy in the Actions column.
On the Attach Policy panel, attach a policy that allows the user to assume roles. For simplicity, you can attach the system policy AliyunSTSAssumeRoleAccess. For more information, see Grant permissions to a RAM user.
Note: For better security, you can create a custom policy that only allows the user to assume the specific role you created in Company A's account, rather than any role.
Click OK, then click Close.
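The trust policy from Step 1 and the narrower custom policy suggested in the Step 2 note, written out as an added Python example (not part of this tutorial and not Alibaba Cloud SDK code). It builds the trust policy that names Company B's account as the only principal, builds the policy for Bob that permits sts:AssumeRole on exactly one role ARN, and audits a trust policy for any principal other than the expected account (another account, a wildcard, a service or federated principal). The account IDs, the role name and the helper names are constructed placeholders; the principal format acs:ram::<account-id>:root and the role ARN format acs:ram::<account-id>:role/<role-name> are the standard RAM formats.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder account IDs and role name; substitute the real values.
COMPANY_A_ACCOUNT_ID = "1111111111111111"   # resource-owning account
COMPANY_B_ACCOUNT_ID = "2222222222222222"   # third-party account
ROLE_NAME = "Partner-ReadOnly-Access"

# RAM naming: a whole account as a principal, and a role ARN.
ACCOUNT_PRINCIPAL = "acs:ram::{account_id}:root"
ROLE_ARN = "acs:ram::{account_id}:role/{role_name}"
_ACCOUNT_PRINCIPAL_RE = re.compile(r"^acs:ram::(\d+):root$")


def build_trust_policy(trusted_account_ids: Iterable[str]) -> Dict:
    """Trust policy for the role in Company A (Step 1): only the listed accounts
    may call sts:AssumeRole on it."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [ACCOUNT_PRINCIPAL.format(account_id=a) for a in trusted_account_ids]},
        }],
    }


def build_assume_specific_role_policy(role_owner_account_id: str, role_name: str) -> Dict:
    """Custom policy for Bob in Company B (Step 2 note): sts:AssumeRole on exactly one
    role ARN, instead of the any-role system policy AliyunSTSAssumeRoleAccess.
    Copy the ARN as it is displayed on the role's details page in the RAM console."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": ROLE_ARN.format(account_id=role_owner_account_id, role_name=role_name),
        }],
    }


def audit_trust_policy(policy: Dict, expected_account_ids: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every principal that is allowed to assume the role but is not exactly one of the
    expected accounts: a different account, a wildcard, a service or federated principal, or a
    malformed entry. An empty list means the trust policy grants no more than intended."""
    expected = set(expected_account_ids)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            values = [values] if isinstance(values, str) else values
            for value in values:
                match = _ACCOUNT_PRINCIPAL_RE.match(value) if ptype == "RAM" else None
                if match is None or match.group(1) not in expected:
                    findings.append((ptype, value))
    return findings


if __name__ == "__main__":
    trust = build_trust_policy([COMPANY_B_ACCOUNT_ID])
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_assume_specific_role_policy(COMPANY_A_ACCOUNT_ID, ROLE_NAME), indent=2))
    print("findings:", audit_trust_policy(trust, [COMPANY_B_ACCOUNT_ID]))  # []
```

Running audit_trust_policy over the role's current trust policy (exported from the console) is a cheap periodic check that the trust relationship still names only Company B; the same function is what you would run after the revocation step to confirm the Principal element is empty.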
Step 3: Assume the role and access resources
The user Bob from Company B can now assume the role to access the authorized resources in Company A's account. This can be done through the console or programmatically.
Switch roles in the console
The user Bob logs on to the Alibaba Cloud Management Console. In the upper-right corner, they click their profile picture and click Switch Identity. They then enter the alias or UID for Company A and the name of the role (Partner-ReadOnly-Access) to switch to the cross-account role. For detailed steps, see Assume a RAM role.
Assume the role programmatically
An application running under Bob's identity can call the AssumeRole API operation. This operation returns a set of temporary security credentials that the application can then use to make API calls to the authorized resources in Company A's account.
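The programmatic path, as an added Python example that is not part of this tutorial: assume_role_with_sdk calls AssumeRole through the Alibaba Cloud STS SDK (package alibabacloud_sts20150401, imported only inside that function so the rest of the module runs without it), and RoleSession handles the property of temporary credentials that the tutorial leaves implicit: they expire, so a long-running application must re-assume the role before the expiration time rather than keep signing with a token that is about to be rejected. The role ARN, the session name and the constructed credentials in simulate_session_refresh are placeholders; the SDK calls and the Expiration format are those of the real API, and the five-minute refresh margin is an assumed operational choice.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Constructed placeholders: Company A's account ID and the role created in Step 1.
ROLE_ARN = "acs:ram::1111111111111111:role/Partner-ReadOnly-Access"
ROLE_SESSION_NAME = "bob-partner-maintenance"  # identifies this session in Company A's logs
REFRESH_MARGIN = timedelta(minutes=5)         # re-assume this long before the credentials expire


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # UTC


def parse_expiration(value: str) -> datetime:
    """STS reports Expiration as ISO 8601 UTC, for example 2025-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assume_role_with_sdk(role_arn: str = ROLE_ARN, session_name: str = ROLE_SESSION_NAME,
                         duration_seconds: int = 3600) -> TemporaryCredentials:
    """Call AssumeRole through the Alibaba Cloud STS SDK (package alibabacloud_sts20150401).
    The import is deferred so the rest of this module runs without the SDK installed.
    Bob's long-term AccessKey pair is read from the environment, never from source."""
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    config = open_api_models.Config(
        access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
    )
    config.endpoint = "sts.aliyuncs.com"
    request = sts_models.AssumeRoleRequest(
        role_arn=role_arn, role_session_name=session_name, duration_seconds=duration_seconds,
    )
    creds = StsClient(config).assume_role(request).body.credentials
    return TemporaryCredentials(creds.access_key_id, creds.access_key_secret,
                                creds.security_token, parse_expiration(creds.expiration))


class RoleSession:
    """Caches the temporary credentials and re-assumes the role shortly before they expire."""

    def __init__(self, assume: Callable[[], TemporaryCredentials],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._assume = assume
        self._now = now
        self._creds: Optional[TemporaryCredentials] = None
        self.assume_count = 0  # number of AssumeRole calls made so far

    def credentials(self) -> TemporaryCredentials:
        if self._creds is None or self._now() >= self._creds.expiration - REFRESH_MARGIN:
            self._creds = self._assume()
            self.assume_count += 1
        return self._creds


def simulate_session_refresh() -> List[Tuple[int, int]]:
    """Offline demonstration with constructed credentials and a fake clock: returns
    (minutes elapsed, AssumeRole calls so far) at three points in a one-hour session."""
    start = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = {"now": start}

    def fake_assume() -> TemporaryCredentials:
        # Constructed stand-in for the STS response; valid for one hour from "now".
        return TemporaryCredentials("STS.constructed", "constructed-secret", "constructed-token",
                                    clock["now"] + timedelta(hours=1))

    session = RoleSession(fake_assume, now=lambda: clock["now"])
    trace = []
    for minutes in (0, 30, 56):  # 56 min is inside the 5-minute margin before 13:00
        clock["now"] = start + timedelta(minutes=minutes)
        session.credentials()
        trace.append((minutes, session.assume_count))
    return trace


if __name__ == "__main__":
    print(simulate_session_refresh())  # [(0, 1), (30, 1), (56, 2)]
```

In production, pass assume_role_with_sdk as the assume callable; the returned access key ID, secret and security token are what you hand to the OSS or ECS client, and the session name is the value you will look for in Company A's audit trail when reviewing what the partner did under the role.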
Revoke cross-account access
As the administrator of Company A, you can revoke Company B's access at any time using one of the following methods:
Modify the role's trust policy (Recommended)
This is the quickest and most easily reversible method. Navigate to the role's details page in the RAM console, select the Trust Policy tab, and click Edit Trust Policy. Remove the entry for Company B's account from the Principal element. This immediately prevents any user from Company B from assuming the role. For more information, see Modify a RAM role's trust policy.
Delete the RAM role
Deleting the role permanently revokes access. This action cannot be undone. To grant access again in the future, you would need to create a new role from scratch. For more information, see Delete a RAM role.