Creating an Account Role

An account role specifies other accounts that can be trusted and the permissions that can be granted. It allows users in other trusted accounts to use the permissions of the account role to access resources in the account.

Prerequisites

Procedure

  1. Choose Resources > Access > Account.
  2. Click a desired account name and choose Protocol > Object Service > Role.
  3. Click Create.

    The Create Account Role page is displayed.

  4. Set the name of the role.

    • The name contains 1 to 64 characters.
    • The name can contain only letters, digits, and special characters +=,.@-_.
    • This name cannot be modified after the account role is created.

  5. Select a trust policy. Possible values are Recommended and Custom.

    • Recommended:
      1. Select an account.
        • Current Account: grants the role permissions to the current account. In this case, users in the current account can use the permissions of this account role to access resources in the account.
        • Another Account: grants the role permissions to another account. In this case, you need to set the ID of the target account. Users in the target account can use the permissions of this account role to access resources in the account.
      2. Determine whether to select Require an external ID. After selecting this option, you need to set an external ID. You can improve the security of the role by requiring external ID authentication. Only users who have passed external ID authentication can use the role.
        • An external ID contains 2 to 1224 characters.
        • An external ID can contain only letters, digits, and special characters +=,.@:_/-.
    • Custom: configures related parameters as required.

      For details about how to set trust policy parameters, see the description of parameter TrustPolicy in Role Management > Creating a Role in the Object Service Account Management API Description of the corresponding version.

      The policy content must be in JSON format and cannot exceed 2048 characters.

      Example: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":{"AWS":"3506696537"}}]}

  6. Select a permission policy and assign permissions to the role.

    Click on the right of Permission Policy and select desired policies from the available policies list. They will be automatically added to the selected policies list on the right.

    You can click Create Permission Policy to create an account permission policy. For details, see Creating an Account Permission Policy.

  7. Click OK.
Parent topic: Managing Account Roles