Use the Alibaba Cloud account of Enterprise A to create a RAM role, grant the role permissions, and trust Enterprise B to assume it. The Alibaba Cloud account of Enterprise B, or the RAM users under it, can then access the Alibaba Cloud resources of Enterprise A through that role.
Assume that Enterprise A has purchased multiple types of cloud resources for its business and needs to let Enterprise B operate some of that business on its behalf. A Resource Access Management (RAM) role is the mechanism for this. A RAM role has no logon password or AccessKey pair of its own; it can only be used after a trusted entity assumes it. To meet the needs of Enterprise A, perform the following operations:
- Enterprise A creates a RAM role.
- Enterprise A attaches the required permissions to the RAM role.
- Enterprise B creates a RAM user.
- Enterprise B attaches the AliyunSTSAssumeRoleAccess policy to that RAM user.
- The RAM user of Enterprise B uses the console or API to access the resources of Enterprise A.
The following Web+ system permission policies can be attached to the RAM role:
- WebPlusFullAccess: full permissions on Web App Service.
- WebPlusReadOnlyAccess: read-only permissions on Web App Service.
Step 1: Enterprise A creates a RAM role
Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM role.
- Log on to the RAM console. In the left-side navigation pane, choose RAM Roles. On the RAM Roles page, click Create RAM Role.
- In the Create RAM Role panel, perform the following operations, and then click Close.
- In the Select Trusted Entity Type section, select Alibaba Cloud Account and click Next.
- In the RAM Role Name field, enter a role name. In the Select Trusted Alibaba Cloud Account section, select Other Alibaba Cloud Account and enter the account ID of Enterprise B in the text box. Then click Complete.
Note The name of the RAM role can contain letters, digits, and hyphens (-), and can be up to 64 characters in length.
Step 2: Enterprise A attaches the required permissions to the RAM role
A newly created RAM role has no permissions. Enterprise A must therefore grant permissions to the role.
- In the RAM console, choose RAM Roles in the left-side navigation pane.
- On the RAM Roles page, find the target role and click Add Permissions in the Actions column.
- In the Select Policy section of the Add Permissions panel, search for the policy by keyword, click the policy to add it to the Selected list, and then click Confirm.
Note For the permissions that you can add, see the background information above.
- In the Authorization Result section of the Add Permissions panel, review the granted permissions and click Complete.
Step 3: Enterprise B creates a RAM user
Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.
- Log on to the RAM console. In the left-side navigation pane, choose Users. On the Users page, click Create User.
- In the User Account Information section of the Create User page, enter a logon name and a display name.
Note The logon name can contain lowercase letters, digits, periods (.), underscores (_), and hyphens (-), and cannot exceed 128 characters. The display name cannot exceed 24 characters (or Chinese characters).
- (Optional) To create multiple RAM users at a time, click Add User and repeat the previous step.
- In the Access Mode section, select Console Password Logon or Programmatic Access, and then click Confirm.
Note For security purposes, select only one access mode.
- If you select Console Password Logon, complete the settings: choose whether to generate a default password automatically or set a custom one, whether the user must reset the password at next logon, and whether to enable MFA.
- If you select Programmatic Access, RAM automatically creates an AccessKey pair (API access key) for the RAM user.
Notice For security reasons, the RAM console lets you view or download the AccessKeySecret only once, immediately after the AccessKey pair is created. Record the AccessKeySecret in a safe place at that time.
- In the Mobile Phone Verification dialog box, click Obtain Verification Code, enter the verification code received on your phone, and then click Confirm. The created RAM user is displayed on the Users page.
Step 4: Enterprise B attaches permissions to the RAM user
Enterprise B must attach the AliyunSTSAssumeRoleAccess policy to allow its RAM user to assume the RAM role created by Enterprise A.
- In the RAM console, choose Users in the left-side navigation pane.
- On the Users page, find the target user and click Add Permissions in the Actions column.
- In the Select Policy section of the Add Permissions panel, search for the AliyunSTSAssumeRoleAccess policy by keyword, click the policy to add it to the Selected list, and then click Confirm.
- On the Add Permissions page, review the authorization summary in the Authorization Result section, and then click Finished.
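Steps 1 and 4 together define who may assume the role: the trust policy that the console generates on Enterprise A's role when Other Alibaba Cloud Account is selected, and the AliyunSTSAssumeRoleAccess policy on Enterprise B's RAM user. The following Python model, added here as an illustration and not part of Alibaba Cloud's documentation or SDK, builds both policy documents and evaluates them the way STS does, so you can see why trusting an account's root principal plus the system policy lets every RAM user of Enterprise B that carries the policy assume the role, and how a scoped policy narrows that. Account IDs, user names and the role name are constructed placeholders.

```python
"""Model of the two-sided AssumeRole authorization: the role's trust policy in
Enterprise A and the identity policy on the RAM user in Enterprise B.
Added example; account IDs, user and role names below are constructed."""
import json

# Constructed sample identifiers (not real accounts or names)
ACCOUNT_A = "100000000000001"          # hypothetical account ID of Enterprise A
ACCOUNT_B = "200000000000002"          # hypothetical account ID of Enterprise B
ROLE_NAME = "webplus-operator-for-b"   # hypothetical role name created in Step 1


def role_arn(account_id, name):
    """ARN format of a RAM role."""
    return f"acs:ram::{account_id}:role/{name}"


def user_arn(account_id, name):
    """ARN format of a RAM user."""
    return f"acs:ram::{account_id}:user/{name}"


def trust_policy(trusted_principals):
    """Trust policy attached to the role in Step 1. acs:ram::<id>:root trusts
    every RAM user of that account; a user ARN trusts one user only."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": list(trusted_principals)},
        }],
    }


# Content of the system policy attached in Step 4: AssumeRole on any role.
ALIYUN_STS_ASSUME_ROLE_ACCESS = {
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Resource": "*", "Effect": "Allow"}],
}


def scoped_assume_role_policy(target_role_arn):
    """Least-privilege alternative for Step 4: AssumeRole on one named role."""
    return {
        "Version": "1",
        "Statement": [{"Action": "sts:AssumeRole", "Resource": target_role_arn,
                       "Effect": "Allow"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _role_trusts_caller(policy, caller_arn):
    """Side A: does the role's trust policy name the caller or its account root?"""
    caller_account = caller_arn.split(":")[3]
    root = f"acs:ram::{caller_account}:root"
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if caller_arn in st["Principal"].get("RAM", []) or root in st["Principal"].get("RAM", []):
            return True
    return False


def _caller_may_assume(identity_policy, target_role_arn):
    """Side B: does the caller's own policy allow sts:AssumeRole on this role?"""
    for st in identity_policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if any(r in ("*", target_role_arn) for r in _as_list(st["Resource"])):
            return True
    return False


def can_assume(caller_arn, identity_policy, target_role_arn, trust):
    """AssumeRole succeeds only when both sides allow it."""
    return _role_trusts_caller(trust, caller_arn) and _caller_may_assume(identity_policy, target_role_arn)


if __name__ == "__main__":
    target = role_arn(ACCOUNT_A, ROLE_NAME)
    trust = trust_policy([f"acs:ram::{ACCOUNT_B}:root"])   # what Step 1 produces
    print(json.dumps(trust, indent=2))
    for name in ("b-ops", "b-intern"):
        print(name, can_assume(user_arn(ACCOUNT_B, name), ALIYUN_STS_ASSUME_ROLE_ACCESS, target, trust))
```

The model shows two tightening options a practitioner would consider: list specific user ARNs in the trust policy instead of the account root, or replace AliyunSTSAssumeRoleAccess with the scoped policy so the RAM user can assume only this one role and not any other role that happens to trust Enterprise B.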
After the preceding operations are complete, the RAM user of Enterprise B can access the cloud resources of Enterprise A either by logging on to the console or by calling APIs, as follows.
- Log on to the console to access the cloud resources of Enterprise A.
- Open the RAM user logon portal in a browser: https://signin.aliyun.com/login.htm.
- On the RAM User Logon page, enter the RAM user logon name and click Next. Enter the RAM user password and then click Log On.
Note The RAM user logon name is in the format <subuser name>@<default domain name> or <subuser name>@<enterprise alias>, for example firstname.lastname@example.org or username@company-alias.
- In the Subuser User Center, move the pointer over the profile picture in the upper-right corner and click Identity Switching.
- On the Alibaba Cloud Role Switching page, enter the Enterprise Alias or Default Domain Name and the Role Name, and then click Switch.
- Perform operations on the Alibaba Cloud resources of Enterprise A.
- Use the RAM user of Enterprise B to access the cloud resources of Enterprise A through APIs.
To access the cloud resources of Enterprise A through APIs as the RAM user of Enterprise B, the code must supply the temporary AccessKeyId, AccessKeySecret, and SecurityToken that STS returns when the role is assumed, not the RAM user's own long-term AccessKey pair. For more information about how to use STS to obtain a temporary security token, see Download Alibaba Cloud SDKs.
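The API path above is a two-step exchange: the RAM user of Enterprise B calls the STS AssumeRole action with the role's ARN and a session name, receives temporary credentials (AccessKeyId, AccessKeySecret, SecurityToken and an Expiration timestamp), and then uses those three values, not its own AccessKey pair, for calls against Enterprise A's resources. The following Python is an added illustration of that exchange and is not Alibaba Cloud's SDK code: it builds the AssumeRole request parameters, parses a constructed copy of the response body, and checks expiry before the credentials are reused. Signing and sending the request is left to the SDK linked in the text; the account ID, role name and credential values are placeholders.

```python
"""Outline of the STS AssumeRole exchange from the caller's side.
Added example, not Alibaba Cloud SDK code; sample values are constructed."""
import json
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

ROLE_ARN = "acs:ram::100000000000001:role/webplus-operator-for-b"  # hypothetical role in Enterprise A


def assume_role_params(role_arn, session_name, duration_seconds=3600):
    """Query parameters of the STS AssumeRole action. RoleSessionName is
    recorded in the audit trail of the assumed role, so use a value that
    identifies the calling user or job. DurationSeconds is validated against
    the API bounds (900 seconds to 12 hours); the role's own maximum session
    duration may be lower."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    if not session_name or len(session_name) > 64:
        raise ValueError("RoleSessionName must be 1-64 characters")
    return {
        "Action": "AssumeRole",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


class TemporaryCredentials(NamedTuple):
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime
    assumed_role_arn: str


def parse_assume_role_response(body: str) -> TemporaryCredentials:
    """Extract the temporary credential triple and its expiry from the
    AssumeRole response body (JSON). Expiration is UTC in ISO 8601 form."""
    doc = json.loads(body)
    creds = doc["Credentials"]
    expiry = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return TemporaryCredentials(
        access_key_id=creds["AccessKeyId"],
        access_key_secret=creds["AccessKeySecret"],
        security_token=creds["SecurityToken"],
        expiration=expiry,
        assumed_role_arn=doc["AssumedRoleUser"]["Arn"],
    )


def is_usable(creds: TemporaryCredentials, now: Optional[datetime] = None,
              margin: timedelta = timedelta(minutes=5)) -> bool:
    """True while the credentials are valid with a safety margin; callers
    should re-assume the role (not cache forever) once this returns False."""
    now = now or datetime.now(timezone.utc)
    return now + margin < creds.expiration


def redacted(creds: TemporaryCredentials) -> dict:
    """Form safe for logs: never write the secret or the token to a log line."""
    return {
        "AccessKeyId": creds.access_key_id,
        "AssumedRoleArn": creds.assumed_role_arn,
        "Expiration": creds.expiration.isoformat(),
    }


# Constructed response body in the shape STS returns (values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "CONSTRUCTED-REQUEST-ID",
    "AssumedRoleUser": {
        "Arn": ROLE_ARN + "/b-ops-session",
        "AssumedRoleId": "CONSTRUCTED-ROLE-ID:b-ops-session",
    },
    "Credentials": {
        "AccessKeyId": "STS.constructedExampleId",
        "AccessKeySecret": "constructedExampleSecret",
        "SecurityToken": "constructedExampleToken",
        "Expiration": "2030-01-01T01:00:00Z",
    },
})

if __name__ == "__main__":
    print(assume_role_params(ROLE_ARN, "b-ops-session"))
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    print(redacted(creds), "usable:", is_usable(creds))
```

When the temporary credentials are handed to an SDK client, all three values must be passed together; AccessKeyId and AccessKeySecret without the SecurityToken are rejected, and the triple stops working at Expiration regardless of how long the RAM user's own AccessKey pair remains valid.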