You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or the RAM user under the Alibaba Cloud account of Enterprise B can access Alibaba Cloud resources of Enterprise A.

Background information

Enterprise A has purchased the EventBridge service to conduct business and wants to authorize part of the business to Enterprise B.

Enterprise A has the following requirements:

  • Enterprise A wants to focus on its business systems and function as only a resource owner. Enterprise A wants to delegate or authorize Enterprise B to execute tasks such as publishing an event.
  • Enterprise A hopes that no permission changes are required when an employee joins or leaves Enterprise B. Enterprise B can assign fine-grained permissions on resources of Enterprise A to RAM users of Enterprise B, including employees or applications.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Enterprise B.

Procedure

  1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and then create a RAM role for the Alibaba Cloud account of Enterprise B.
  2. Optional: Create a custom policy for the new RAM role by using the Alibaba Cloud account of Enterprise A.

    For more information, see Create a custom policy.

    EventBridge supports resource-level permission settings. For more information, see Policies.

  3. Enterprise A must grant permissions to the RAM role, because a new RAM role does not have any permissions. Enterprise A can add a system policy or a custom policy.
    For more information, see Grant permissions to a RAM role.
  4. Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and then create a RAM user.

    For more information, see Create a RAM user for Enterprise B.

  5. Enterprise B assigns the AliyunSTSAssumeRoleAccess permission to the RAM user.

    For more information, see Grant permissions to a RAM user.

    Enterprise B must assign the AliyunSTSAssumeRoleAccess permission to the RAM user under its Alibaba Cloud account, so that the RAM user can assume the RAM role created by Enterprise A.

  6. The RAM user of Enterprise B accesses the resources of Enterprise A in the console or by calling API operations.
    For more information, see the "What to do next" section in this topic.

Use STS in EventBridge

When you initialize the EventBridge client, you only need to enter the values of AccessKeyId, AccessKeySecret, and SecurityToken in the corresponding attributes. The following sample code shows how to call the STS AssumeRole operation to obtain these temporary credentials for the RAM role created by Enterprise A:

package com.aliyun.eventbridge.customer;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

public class StsServiceSample {

    public static void main(String[] args) {
        String endpoint = "<sts-endpoint>";
        String accessKeyId = "<access-key-id>";
        String accessKeySecret = "<access-key-secret>";
        String roleArn = "<role-arn>";
        String roleSessionName = "<session-name>";
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"eventbridge:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            // Add an endpoint. You can use the Security Token Service (STS) endpoint and leave the first two parameters empty. You do not need to add the region ID.
            DefaultProfile.addEndpoint("", "", "Sts", endpoint);
            // Construct a default profile. Leave the parameter empty. You do not need to add the region ID.
            IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
            // Construct a client by using the profile.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy); // If no policy is passed, the temporary credentials carry all permissions of the role. A policy narrows them to the intersection of the role's permissions and this policy.
            request.setDurationSeconds(1000L); // Validity period of the temporary credentials, in seconds.
            final AssumeRoleResponse response = client.getAcsResponse(request);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());
        } catch (ClientException e) {
            System.out.println("Failed:");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
            System.out.println("RequestId: " + e.getRequestId());
        }
    }
}
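The following Python example, added here and not part of the Alibaba Cloud documentation or SDK, models how the policy passed to AssumeRole narrows the role's permissions: a call made with the temporary credentials is effectively allowed only if both the role's policy and the session policy allow it, and an explicit Deny in either wins. The two policies, the account ID and the event bus ARN are constructed sample values.

```python
import fnmatch
import json

# Constructed sample policies (not from the page). Enterprise A attaches a broad
# policy to the role; the AssumeRole caller narrows it with the "policy" parameter.
ROLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "eventbridge:*", "Resource": "*", "Effect": "Allow"}
  ]
}
""")

SESSION_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "eventbridge:PutEvents",
     "Resource": "acs:eventbridge:cn-hangzhou:123456789012:eventbus/orders",
     "Effect": "Allow"},
    {"Action": "eventbridge:DeleteEventBus", "Resource": "*", "Effect": "Deny"}
  ]
}
""")

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    decision = None
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision

def is_allowed(action, resource, role_policy, session_policy=None):
    """Effective permission of the temporary credentials: the role policy must
    allow the call and, if a session policy was passed to AssumeRole, so must it."""
    if evaluate(role_policy, action, resource) != "Allow":
        return False
    return session_policy is None or evaluate(session_policy, action, resource) == "Allow"
```

Run it against the three cases a reviewer would check: PutEvents on the named bus (allowed), the same action on another bus (denied by the session policy), and DeleteEventBus (denied even though the role itself permits it).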

References

What is RAM?

What to do next

After the preceding operations are complete, the RAM user of Enterprise B can log on to the console to access the cloud resources of Enterprise A or call API operations based on the following steps.

  • Log on to the console to access the cloud resources of Enterprise A.
    1. Open the RAM user logon portal in your browser.
    2. On the RAM User Logon page, enter the RAM user name and then click Next. Enter the password of the RAM user and then click Login.
      Note: The RAM user name is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not set, the ID of the Alibaba Cloud account is used by default.
    3. On the homepage of the console, move the pointer over the profile picture in the upper-right corner and then click Switch Role.
    4. On the Switch Role page, set Enterprise Alias/Default Domain Name of Enterprise A, set Role Name, and then click Switch.
    5. Perform operations on the Alibaba Cloud resources of Enterprise A.
  • Access the cloud resources of Enterprise A by calling API operations as the RAM user of Enterprise B.

    To access the cloud resources of Enterprise A by calling API operations as the RAM user of Enterprise B, ensure that the code contains the AccessKeyId, AccessKeySecret, and SecurityToken returned by STS for the assumed role. These values are a temporary security token and expire at the end of the validity period set when the role was assumed. For more information about how to obtain a temporary security token by using STS, see AssumeRole.