When two enterprises share Application Real-Time Monitoring Service (ARMS) resources, the resource-owning account (Account A) creates a RAM role and grants it ARMS permissions. The other account (Account B) then assumes this role to access Account A's ARMS resources through temporary Security Token Service (STS) credentials, with no need for permanent credentials in Account A.
How it works
A RAM role is a virtual identity with no permanent password or AccessKey pair. A trusted entity must assume the role through STS to obtain temporary, scoped credentials. This makes RAM roles well-suited for cross-account access.
The end-to-end workflow involves five steps across two accounts:
Account A creates a RAM role that trusts Account B.
Account A attaches ARMS permissions to the RAM role.
Account B creates a RAM user (if one does not already exist).
Account B grants the RAM user permission to assume the role (AliyunSTSAssumeRoleAccess).
Account B's RAM user assumes the role to access Account A's ARMS resources through the console or API.
ARMS permission policies
ARMS provides two system policies. Choose one based on the level of access required:
| Policy | Permissions |
|---|---|
| AliyunARMSFullAccess | Full access to all ARMS sub-services. RAM users can view, edit, and delete instances |
| AliyunARMSReadOnlyAccess | Read-only access to all ARMS sub-services. RAM users can view instance information but cannot modify or delete it |
If you attach AliyunARMSFullAccess, you do not need to also attach AliyunARMSReadOnlyAccess.
To grant read-only access to ARMS within a specific resource group, attach both the AliyunARMSReadOnlyAccess policy and the ReadTraceApp permission. Without ReadTraceApp, ARMS cannot display the application list for that resource group.
Prerequisites
Before you begin, make sure that you have:
Two separate Alibaba Cloud accounts (referred to as Account A and Account B in this guide)
Administrative access to the RAM console for both accounts
The Alibaba Cloud account ID of Account B (available on the Security Settings page)
Step 1: Create a RAM role (Account A)
Create a RAM role under Account A that trusts Account B.
Log on to the RAM console with Account A.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.

Set Principal Type to Cloud Account, select Other Account, and enter the Alibaba Cloud account ID of Account B. Click OK.
| Option | When to select |
|---|---|
| Current Account | A RAM user or RAM role under your own account will assume this role |
| Other Account | A RAM user or RAM role from a different account will assume this role. Enter the target account ID. Find the account ID on the Security Settings page |
(Optional) Restrict which RAM users can assume the role. Click Switch to Policy Editor and modify the trust policy to specify an individual RAM user. The editor supports Visual editor and JSON modes. In the Visual editor, specify the RAM user in the Principal element. The following JSON example allows only the RAM user Alice under account 100******0719 to assume this role:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "RAM": "acs:ram::100******0719:user/Alice"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Enter a Role Name and click OK.
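As an added example (not code from this page or from the Alibaba Cloud SDK), the following stdlib-only Python builds the Step 1 trust policy for a given list of Account B RAM users and audits a trust policy for over-broad principals; the account ID and user names are constructed placeholders, and the `acs:ram::<id>:root` ARN is assumed here to be the whole-account principal form.

```python
# Constructed placeholder values (not identifiers from the page).
ACCOUNT_B_ID = "100000000000000000"


def build_trust_policy(account_id, users=None):
    """Return the trust-policy document for the RAM role in Account A.

    Without ``users`` the role trusts every RAM identity in ``account_id``
    (the whole-account ``:root`` principal); with ``users`` it trusts only
    those RAM users, as in the optional sub-step of Step 1.
    """
    if users:
        principals = [f"acs:ram::{account_id}:user/{u}" for u in users]
    else:
        principals = [f"acs:ram::{account_id}:root"]
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"RAM": principals},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_trust_policy(policy):
    """Return findings for a trust policy; an empty list means it is tightly scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # A trust policy should grant nothing beyond sts:AssumeRole.
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {action}")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("principal '*' lets any account assume the role")
            continue
        # "RAM" may be a single ARN string (as in the page's JSON) or a list.
        arns = principal.get("RAM", [])
        for arn in [arns] if isinstance(arns, str) else arns:
            if arn.endswith(":root"):
                findings.append(f"{arn} trusts every RAM identity in that account")
            elif ":user/" not in arn and ":role/" not in arn:
                findings.append(f"unrecognised principal ARN: {arn}")
    return findings
```

Run `audit_trust_policy` over the JSON shown in the policy editor before saving the role to confirm only the intended Account B identities can assume it.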
Step 2: Grant ARMS permissions to the RAM role (Account A)
The newly created RAM role has no permissions. Attach an ARMS policy so that anyone who assumes this role can access ARMS resources.
Log on to the RAM console with Account A.
In the left-side navigation pane, choose Identities > Roles.
Find the RAM role and click Grant Permission in the Actions column.
To grant permissions to multiple RAM roles at once, select them and click Grant Permission at the bottom of the list.

In the Grant Permission panel, configure the following parameters:
Warning: The system flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless strictly necessary.
| Parameter | Description |
|---|---|
| Resource Scope | Account -- applies to the entire Alibaba Cloud account. Resource Group -- applies to a specific resource group. The cloud service must support resource groups |
| Principal | The RAM role to receive permissions. Auto-populated with the current role |
| Policy | Select one or more policies. Choose AliyunARMSFullAccess or AliyunARMSReadOnlyAccess from the system policies. You can also create a custom policy for fine-grained control |
Click Grant permissions, then click Close.
Step 3: Create a RAM user (Account B)
Create a RAM user under Account B. This RAM user will assume the RAM role created by Account A.
Log on to the RAM console with Account B.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.

In the User Account Information section, configure the following parameters:
Click Add User to create multiple RAM users at once.
| Parameter | Description |
|---|---|
| Logon Name | Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_) |
| Display Name | Up to 128 characters |
| Tag | (Optional) Add one or more key-value tags to organize RAM users |
In the Access Mode section, select an access mode:
Console Access -- For human users who sign in to the Alibaba Cloud Management Console. Configure the console password, password reset requirement, and multi-factor authentication (MFA). For MFA details, see Bind an MFA device to a RAM user.
Using permanent AccessKey to access -- For programmatic access. The system generates an AccessKey ID and AccessKey secret.
Important: The AccessKey secret is displayed only at creation time. Save it immediately. For production workloads, use STS tokens instead of permanent AccessKey pairs. For details, see Best practices for using access credentials.
Click OK and complete the security verification.
Step 4: Grant the RAM user permission to assume the role (Account B)
Attach the AliyunSTSAssumeRoleAccess policy to the RAM user so it can call STS to assume Account A's RAM role.
Log on to the RAM console with Account B.
In the left-side navigation pane, choose Identities > Users.
Find the RAM user and click Add Permissions in the Actions column.
To grant permissions to multiple RAM users at once, select them and click Add Permissions at the bottom of the page.

In the Grant Permission panel, configure the following parameters:
| Parameter | Description |
|---|---|
| Resource Scope | Account or ResourceGroup |
| Principal | Auto-populated with the current RAM user |
| Policy | Search for and select AliyunSTSAssumeRoleAccess |
Click Grant permissions, then click Close.
Verify cross-account access
After the setup is complete, Account B's RAM user can access Account A's ARMS resources through the console or API.
Log on to the console
Open the Alibaba Cloud Management Console and select RAM User Logon.
Enter the RAM user's logon name in one of these formats. For details on domain and account aliases, see View and modify the default domain name.
| Format | Example |
|---|---|
| Default domain | username@company-alias.onaliyun.com |
| Account alias | username@company-alias |
| Domain alias | username@example.com |
Click Next, enter the password, and click Log On.
(Optional) Complete MFA verification if enabled. See MFA overview.
Call API operations
Call the STS AssumeRole API to get temporary credentials, then use those credentials to call ARMS API operations.
The AssumeRole response includes three values to include in subsequent API calls:
| Credential | Description |
|---|---|
| AccessKeyId | Temporary AccessKey ID |
| AccessKeySecret | Temporary AccessKey secret |
| SecurityToken | STS security token |
The following Python example assumes the role and retrieves temporary credentials:
```python
import os
from alibabacloud_sts20150401.client import Client as StsClient
from alibabacloud_sts20150401.models import AssumeRoleRequest
from alibabacloud_tea_openapi.models import Config

# Get Account B's RAM user credentials from environment variables
access_key_id = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
access_key_secret = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")

# Initialize the STS client
config = Config(
    access_key_id=access_key_id,
    access_key_secret=access_key_secret,
    endpoint="sts.aliyuncs.com"
)
sts_client = StsClient(config)

# Assume the RAM role created by Account A
request = AssumeRoleRequest(
    role_arn="<role-arn>",
    role_session_name="arms-cross-account-session"
)
response = sts_client.assume_role(request)

# Use the temporary credentials for ARMS API calls
temp_access_key_id = response.body.credentials.access_key_id
temp_access_key_secret = response.body.credentials.access_key_secret
security_token = response.body.credentials.security_token
```
Replace the following placeholder with the actual value:
| Placeholder | Description | Example |
|---|---|---|
| <role-arn> | ARN of the RAM role created by Account A | acs:ram::100******0719:role/arms-cross-account |
What's next
Create a custom policy for fine-grained ARMS access control
Use a RAM role to grant permissions across Alibaba Cloud accounts for general cross-account access patterns
Services that work with RAM to see which services support RAM policies