
Friday Blog - Week 28 - Questions From The Vault

Join us as we answer a couple of burning questions from this month's live training sessions!

Jeremy Pedersen

Questions From The Vault

Today, we will take a look back at a few questions I have received during live training sessions and classes.

But first...Happy Friday! If you're in China, Happy National Day also!

Ok, let's get started!

Q: I need to allow access to my Alibaba Cloud account so that a third party (say, a contractor) can do some work for me. What's the best way to do this?

Good question. It depends! Let's consider a few different scenarios.

Scenario 1: The third party only needs SSH or RDP access

If the contractor just needs to SSH or RDP into a virtual machine and make operating system level changes, you might want to look at Bastion Host. This will give you a single point-of-logon for all your employees and third party contractors, and has the added benefit that it records what commands were carried out, so you can make sure nobody is doing anything they aren't supposed to be doing.

Scenario 2: The third party needs to perform console or API operations for you (like making disk snapshots), and does not have an Alibaba Cloud account

In this case, your best approach would be to create a RAM User by following this Quick Start guide, then attach one or more RAM Policies to the RAM user. You want to make sure you provide only the minimum necessary permissions to the RAM user, so you'll need to learn how to write custom RAM policies. You can get some examples here.

Scenario 3: The third party needs to perform console or API operations for you and does have an Alibaba Cloud account

The very best way to provide access to third parties is via a RAM Role. This way, your contractor or third party developer can access your account from a RAM user that they create and maintain themselves under their own account. Whenever they need access, they just call the AssumeRole function in RAM to "switch over" to a RAM role in your account.

This is also good for you because it makes revoking the third party's permissions very easy...simply delete the RAM Role they are using. This won't affect the RAM user that the third party has set up in their own account, but will make it impossible for them to access your account via AssumeRole. Easy!
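As an added example (not code from the original post), here is how the two pieces of Scenario 2 and Scenario 3 look as RAM policy documents: a custom permission policy scoped to ECS disk-snapshot operations, and the trust policy of a RAM role that lets identities in the contractor's own account call AssumeRole. The ECS action names and the acs:ram::<account-id>:root principal form are the documented RAM formats; the account ID is a constructed placeholder, and the wildcard check is a small helper written for this example.

```python
import json

# Constructed placeholder: the contractor's own Alibaba Cloud account ID.
CONTRACTOR_ACCOUNT_ID = "123456789012345678"


def snapshot_policy() -> dict:
    """Scenario 2: custom RAM policy allowing only what a contractor needs
    to create and inspect ECS disk snapshots (no delete, no other services)."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ecs:DescribeInstances", "ecs:DescribeDisks",
                       "ecs:DescribeSnapshots", "ecs:CreateSnapshot"],
            "Resource": "*",
        }],
    }


def trust_policy(contractor_account_id: str) -> dict:
    """Scenario 3: trust policy of a RAM role in *your* account that lets RAM
    identities in the contractor's account call AssumeRole. Deleting the
    role revokes their access without touching their own RAM user."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{contractor_account_id}:root"]},
        }],
    }


def wildcard_actions(policy: dict) -> list:
    """Least-privilege check (helper written for this example): list every
    allowed action that is a bare '*' or a service-wide 'svc:*' wildcard."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if a == "*" or a.endswith(":*"))
    return found


if __name__ == "__main__":
    print(json.dumps(snapshot_policy(), indent=2))
    print(json.dumps(trust_policy(CONTRACTOR_ACCOUNT_ID), indent=2))
```

Run the wildcard check against any custom policy before attaching it to the contractor's RAM user or role; an empty result means no statement hands out a whole service.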

Q: I want each team within my organization to have their own Alibaba Cloud account, but I want to centralize log collection and set policies around what those accounts can and cannot do. How do I achieve this on Alibaba Cloud?

First, to create and organize multiple accounts, you should be using Resource Directory.

Note that you can only use this service if you have created an Enterprise Account on Alibaba Cloud. This involves going through a process to verify your business name and registration info (your tax number, company ID, etc...). So if you haven't done that already, you should get started now!

Once you have created a Resource Directory, you can set up an organizational structure using "folders", and create one or more new Alibaba Cloud accounts within this structure.

You can then apply Control Policies to the folders within Resource Directory, which will affect what your accounts can and cannot do. Easy!

Read the documentation (links above) to get a clearer idea of how this works. Control Policy in Resource Directory is basically "RAM Policy on steroids", so if you already know how to create RAM policies, you should have no trouble with Control Policy.

That's it for this week! Enjoy your weekend!

I've Got A Question!

Great! Reach out to me at jierui.pjr@alibabacloud.com and I'll do my best to answer in a future Friday Q&A blog.

You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.

Not a LinkedIn person? We're also on Twitter and YouTube.
