You can use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts so that an enterprise can access the Message Queue for Apache Kafka instance of another enterprise.
Background information
- Enterprise A wants to focus on its business systems and only act as the owner of Message Queue for Apache Kafka. Enterprise A can authorize Enterprise B to maintain, monitor, and manage Message Queue for Apache Kafka.
- If an employee joins or leaves Enterprise B, no permission change is required. Enterprise B can grant its RAM users fine-grained permissions on cloud resources of Enterprise A. The RAM user credentials can be assigned to either employees or applications.
- If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.
Step 1: Enterprise A creates a RAM role
Use the Alibaba Cloud account of Enterprise A to log on to the RAM console, and create a RAM role for the Alibaba Cloud account of Enterprise B.
Step 2: Enterprise A grants permissions to the RAM role
Attach to the RAM role the permission to access Message Queue for Apache Kafka of Enterprise A. Because the role can be assumed by the Alibaba Cloud account of Enterprise B, this permission is in effect granted to Enterprise B.
Step 3: Enterprise B creates a RAM user
Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.
Step 4: Enterprise B grants permissions to the RAM user
Assign the AliyunSTSAssumeRoleAccess permission to the RAM user.
- In the left-side pane, choose .
- On the Users page, find the RAM user and click Add Permissions in the Actions column.
- In the Select Policy section of the Add Permissions dialog box, click System Policy, enter AliyunSTSAssumeRoleAccess in the search box, click the policy to add it to the Selected list, and then click OK.
- In the Add Permissions dialog box, view the authorization information and click Complete.
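The trust relationship behind Steps 1 and 2, and the revocation described in the background, as an added example (not code from the original documentation): it builds the trust policy document that limits who can assume the role created by Enterprise A, audits an existing trust policy for accounts other than Enterprise B, and removes Enterprise B when the agreement ends. The account IDs and the role name are constructed placeholders.

```python
import json

# Constructed placeholder account IDs; real IDs come from the RAM console.
ENTERPRISE_A_ACCOUNT_ID = "111111111111"  # owns the Kafka instance and the role
ENTERPRISE_B_ACCOUNT_ID = "222222222222"  # operates Kafka through the role
ROLE_NAME = "KafkaOpsForEnterpriseB"      # assumed role name


def build_trust_policy(trusted_account_id: str) -> dict:
    """Trust policy for the role Enterprise A creates in Step 1: only the
    named Alibaba Cloud account may call sts:AssumeRole on it."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
        "Version": "1",
    }


def trusted_accounts(trust_policy: dict) -> set:
    """Account IDs (or '*') that an Allow statement lets assume the role."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
                {"sts:AssumeRole", "sts:*"} & set(actions)):
            continue
        principals = stmt.get("Principal", {}).get("RAM", [])
        principals = [principals] if isinstance(principals, str) else principals
        for arn in principals:
            found.add("*" if arn == "*" else arn.split(":")[3])
    return found


def audit_trust_policy(trust_policy: dict, expected_account_id: str) -> bool:
    """True only if the role trusts exactly Enterprise B: an extra account or
    a wildcard principal means a third party can reach Enterprise A's Kafka."""
    return trusted_accounts(trust_policy) == {expected_account_id}


def revoke_trust(trust_policy: dict, account_id: str) -> dict:
    """End of the agreement: drop the account's principal so the role can no
    longer be assumed from it. Statements left without principals are removed."""
    arn = f"acs:ram::{account_id}:root"
    revoked = {"Version": trust_policy.get("Version", "1"), "Statement": []}
    for stmt in trust_policy.get("Statement", []):
        ram = stmt.get("Principal", {}).get("RAM", [])
        kept = [p for p in ([ram] if isinstance(ram, str) else ram) if p != arn]
        if kept:
            revoked["Statement"].append({**stmt, "Principal": {"RAM": kept}})
    return revoked
```

Run `json.dumps(build_trust_policy(ENTERPRISE_B_ACCOUNT_ID), indent=2)` to see the document that would be pasted into the role's trust policy in the RAM console.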
What to do next
The RAM user of Enterprise B can access Message Queue for Apache Kafka of Enterprise A in the following ways:
- Console
  - Open the RAM User Logon page in your browser.
  - On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Login.
    Note: The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the ID of the Alibaba Cloud account is used.
  - On the RAM user center page, move the pointer to the profile in the upper-right corner and click Switch Role.
  - On the Alibaba Cloud - Switch Role page, set the enterprise alias or default domain name of Enterprise A and the RAM role name, and click Switch.
    Note:
    - Enterprise alias: Use the Alibaba Cloud account of Enterprise A to log on to the Alibaba Cloud user center, move the pointer over the profile picture in the upper-right corner, and view the value on the floating layer.
    - Default domain name: Use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.
- API
  - Call the AssumeRole operation to obtain the AccessKey ID, AccessKey secret, and SecurityToken. SecurityToken is the temporary security token. For more information, see AssumeRole.
  - Use the obtained AccessKey ID, AccessKey secret, and SecurityToken to call an API operation in the code to access Message Queue for Apache Kafka.