Use a RAM role to access resources in another Alibaba Cloud account or to allow another Alibaba Cloud account to access your resources. This topic describes how to create and use a RAM role.
Overview
A RAM role is a virtual user that can be granted policies. Unlike a RAM user, a RAM role does not have permanent credentials, such as a logon password or an AccessKey. A RAM role must be assumed by a trusted principal. After a trusted principal assumes the role, it obtains a temporary STS token to access authorized resources.
For example, to authorize a RAM user from Company B to access Company A's Simple Log Service resources, use a RAM role. The process is as follows:
- Company A creates a RAM role.
- Company A grants permissions to the RAM role.
- Company B creates a RAM user.
- Company B grants the AliyunSTSAssumeRoleAccess permission to the RAM user.
- The RAM user from Company B assumes the RAM role to access the resources of Company A.
Step 1: Create a RAM role in Company A
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Role page, click Create Role.
- On the Create Role page, set Principal Type to Alibaba Cloud Account, set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, enter the account ID of the root account of Company B, and then click OK.
- In the Create Role dialog box, enter a Role Name, such as aliyunlogreadrole.
Step 2: Grant permissions to the RAM role
By default, a new RAM role has no permissions. You must grant permissions to it. RAM provides the following two system policies for Simple Log Service. We recommend that you follow the principle of least privilege and grant only the necessary permissions to the RAM role.
- AliyunLogFullAccess: Grants full management access to Simple Log Service.
- AliyunLogReadOnlyAccess: Grants read-only access to Simple Log Service.
If the system policies do not meet your requirements, you can create a custom policy for fine-grained permission management. For more information, see Create custom policies. For policy examples, see Examples of custom policies and Grant permissions on Simple Log Service to a RAM user.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Role page, find the target RAM role and click Create Authorization in the Actions column.
  You can also select multiple RAM roles and click Create Authorization at the bottom of the role list to grant permissions in batches.
- In the Create Authorization panel, select a policy, such as AliyunLogReadOnlyAccess, and click OK.
- Click Close.
Step 3: Create a RAM user in Company B
- Log on to the RAM console with your Alibaba Cloud account or as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- On the Create User page, in the User Account Information section, configure the basic information for the user.
  - Logon Name: The name can be up to 64 characters long and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
  - Display Name: The name can be up to 128 characters long.
  - Tag: Click , and then enter a tag key and tag value. You can add tags to the RAM user to facilitate tag-based user management.
  Note: Click Add User to create multiple RAM users at a time.
- In the Access Method section, select an access mode and configure its parameters.
  For security purposes, we recommend that you select only one of the following access modes to separate human users from application users.
  - Console Access
    If the RAM user represents an individual, we recommend that you enable console access, which allows the user to access Alibaba Cloud with a username and password. You must configure the following parameters:
    - Console Password: Select whether to automatically generate a password or customize a password. A custom password must meet the password complexity rules. For more information, see Set a password policy for RAM users.
    - Required upon Next Logon: Select whether the RAM user must reset the password upon the next logon.
    - Enable MFA: Select whether to enable multi-factor authentication (MFA) for the RAM user. If you enable MFA, you must also bind an MFA device. For more information, see Bind an MFA device for a RAM user.
  - Programmatic Access
    If the RAM user represents an application, it can access Alibaba Cloud programmatically by using a permanent AccessKey. If you enable this option, the system automatically generates an AccessKey ID and an AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.
    Important:
    - The AccessKey secret of a RAM user is displayed only when the AccessKey is created and cannot be retrieved later. Store the AccessKey secret in a secure manner.
    - An AccessKey is a long-term credential for programmatic access. If an AccessKey is leaked, all resources in your account are at risk. We recommend that you use temporary credentials such as an STS token to reduce the risk of credential leakage. For more information, see Best practices for managing access credentials.
- Click OK.
Step 4: Grant permissions to the RAM user
Company B must grant the AliyunSTSAssumeRoleAccess permission to its RAM user before the user can assume the RAM role created by Company A.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Users page, find the target RAM user and click Add Permissions in the Actions column.
  You can also select multiple RAM users and click Add Permissions at the bottom of the user list to grant permissions in batches.
- In the Create Authorization panel, in the Policy section, search for and select AliyunSTSAssumeRoleAccess under System Policy, and then click OK.
- Click Close.
Step 5: Obtain the STS token
Once the RAM user from Company B has the AliyunSTSAssumeRoleAccess permission, it can call the AssumeRole API operation to assume the RAM role from Step 1: Create a RAM role in Company A. The call returns a temporary STS token, which the user then presents to access the resources of Company A.
- For more information about how to call the AssumeRole API operation, see STS SDK for Java.
- After you obtain the AccessKey ID, AccessKey secret, and SecurityToken by using the STS SDK, use the Simple Log Service SDK to access Simple Log Service. For more information, see SDK Reference Overview.
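The flow in Step 5, written in Python as an added example that is not part of this topic's own code: the Company B RAM user assumes the Company A role with the Alibaba Cloud STS SDK, and the returned temporary credentials are used with the Simple Log Service Python SDK. It also applies the least-privilege advice from Step 2 by passing an inline session policy to AssumeRole so the STS token is limited to read-only access on one project, whatever the role itself holds. The account ID, project name, region endpoint and environment variable names are assumptions for illustration.

```python
import json
import os


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of the RAM role created in Company A; RAM role ARNs take the form acs:ram::<account-id>:role/<name>."""
    return f"acs:ram::{account_id}:role/{role_name}"


def session_policy(project: str) -> str:
    """Inline policy handed to AssumeRole. The STS token gets the intersection of the role's
    permissions and this policy, so a read-only role is narrowed further to a single project."""
    return json.dumps({
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["log:Get*", "log:List*"],
            "Resource": [
                f"acs:log:*:*:project/{project}",
                f"acs:log:*:*:project/{project}/*",
            ],
        }],
    })


def assume_role(ak_id, ak_secret, arn, session_name, policy=None, duration=3600):
    """Call STS AssumeRole with the Company B RAM user's AccessKey; returns (id, secret, token)."""
    from alibabacloud_sts20150401 import models as sts_models  # imported lazily so the module loads offline
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    client = StsClient(open_api_models.Config(
        access_key_id=ak_id, access_key_secret=ak_secret, endpoint="sts.aliyuncs.com"))
    req = sts_models.AssumeRoleRequest(
        role_arn=arn, role_session_name=session_name,  # session name shows up in Company A's audit trail
        policy=policy, duration_seconds=duration)       # keep the token short-lived
    cred = client.assume_role(req).body.credentials
    return cred.access_key_id, cred.access_key_secret, cred.security_token


def list_logstores(project, endpoint, creds):
    """Use the temporary credentials (including the SecurityToken) with the Simple Log Service SDK."""
    from aliyun.log import LogClient

    ak_id, ak_secret, token = creds
    return LogClient(endpoint, ak_id, ak_secret, securityToken=token).list_logstore(project).get_logstores()


if __name__ == "__main__":
    # Assumed: the RAM user's AccessKey is in the standard Alibaba Cloud SDK environment variables.
    arn = role_arn(os.environ["COMPANY_A_ACCOUNT_ID"], "aliyunlogreadrole")
    creds = assume_role(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"], os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
                        arn, "company-b-audit", policy=session_policy("company-a-project"))
    print(list_logstores("company-a-project", "cn-hangzhou.log.aliyuncs.com", creds))
```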