Today, we will take a look back at a few questions I have received during live training sessions and classes.
But first...Happy Friday! If you're in China, Happy National Day also!
Ok, let's get started!
Good question. It depends! Let's consider a few different scenarios.
If the contractor just needs to SSH or RDP into a virtual machine and make operating system level changes, you might want to look at Bastion Host. This will give you a single point-of-logon for all your employees and third party contractors, and has the added benefit that it records what commands were carried out, so you can make sure nobody is doing anything they aren't supposed to be doing.
In this case, your best approach would be to create a RAM User by following this Quick Start guide, then attach one or more RAM Policies to the RAM user. You want to make sure you provide only the minimum necessary permissions to the RAM user, so you'll need to learn how to write custom RAM policies. You can get some examples here.
The very best way to provide access to third parties is via a RAM Role. This way, your contractor or third party developer can access your account from a RAM user that they create and maintain themselves under their own account. They just need to use the AssumRole function in RAM to "switch over" to a RAM role in your account, whenever they need access.
This is also good for you because it makes revoking the third party's permissions very easy...simply delete the RAM Role they are using. This won't affect the RAM user that the third party has set up in their own account, but will make it impossible for them to access your account via AssumeRole. Easy!
First, to create and organize multiple accounts, you should be using Resource Directory.
Note that you can only use this service if you have created an Enterprise Account on Alibaba Cloud. This involves going through a process to verify your business name and registration info (your tax number, company ID, etc...). So if you haven't done that already, you should get started now!
Once you have created a Resource Directory, you can set up an organizational structure using "folders", and create one or more new Alibaba Cloud accounts within this structure.
You can then apply Control Policies to the folders within Resource Directory, which will affect what your accounts can and cannot do. Easy!
Read the documentation (links above) to get a clearer idea of how this works. Control Policy in Resource Directory is basically "RAM Policy on steroids", so if you already know how to create RAM policies, you should have no trouble with Control Policy.
That's it for this week! Enjoy your weekend!
Great! Reach out to me at
email@example.com and I'll do my best to answer in a future Friday Q&A blog.
You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.
JDP - April 30, 2021
JDP - August 27, 2021
JDP - June 4, 2021
JDP - July 9, 2021
JDP - May 7, 2021
JDP - April 9, 2021
Alibaba Cloud provides beginners and programmers with online course about cloud computing and big data certification including machine learning, Devops, big data analysis and networking.Learn More
Secure your cloud resources with Resource Access Management to define fine-grained access permissions for users and groupsLearn More
Organize and manage your resources in a hierarchical manner by using resource directories, folders, accounts, and resource groups.Learn More
DDH is a solution for security and regulation implementation and flexible resource deployment. It offers dedicated resources in Alibaba Cloud for industries such as government departments, enterprises, and financial institutions.Learn More
More Posts by JDP