You can use a RAM role to grant permissions across Alibaba Cloud accounts. This way, one enterprise can manage the ApsaraMQ for RabbitMQ resources of another enterprise without the owner sharing its AccessKey pair or password.

Background information

Enterprise A has activated ApsaraMQ for RabbitMQ and wants Enterprise B to manage its ApsaraMQ for RabbitMQ resources, such as instances, vhosts, exchanges, and queues. Enterprise A has the following requirements:
  • Enterprise A can focus on its business systems and act only as the owner of ApsaraMQ for RabbitMQ. Enterprise A can authorize Enterprise B to maintain, monitor, and manage ApsaraMQ for RabbitMQ.
  • If an employee joins or leaves Enterprise B, Enterprise A does not need to change the authorization it granted. Enterprise B decides which of its own RAM users may assume the role, and can therefore control access to the resources of Enterprise A at the granularity of individual RAM users; the permissions those users obtain are bounded by the policies that Enterprise A attaches to the role. The RAM user credentials can be assigned to either employees or applications.
  • If the agreement between Enterprise A and Enterprise B is terminated, Enterprise A can revoke the authorization from Enterprise B.

Step 1: Enterprise A creates a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM role whose trusted entity is the Alibaba Cloud account of Enterprise B. Identities in the account of Enterprise B that are allowed to call sts:AssumeRole can then assume this role.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. In the RAM Role Name field, enter a RAM role name. Set the Select Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account of Enterprise B. Then, click OK.
    Note
    • The RAM role name can be up to 64 characters in length and can contain letters, digits, and hyphens (-).
    • You can view the ID of the Alibaba Cloud account on the Basic Information page in the Account Center.
    • Check the account ID carefully before you click OK. The ID you enter becomes the trusted principal of the role, so any RAM user in that account that holds the sts:AssumeRole permission for this role will be able to assume it.
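The console turns the account ID you entered into the trust policy of the role. The following trust policy is an added example, not a document from the original page, and uses a placeholder for the account ID of Enterprise B:

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<EnterpriseB-AccountID>:root"
        ]
      }
    }
  ],
  "Version": "1"
}
```

You can view and edit this document on the details page of the role. The :root principal trusts the whole account of Enterprise B, so which RAM users in that account can actually assume the role is decided by Enterprise B when it grants sts:AssumeRole in Step 4. When the agreement between the two enterprises ends, Enterprise A revokes the authorization on its own side by removing the Enterprise B entry from Principal, detaching the role's permission policies, or deleting the role; no action by Enterprise B is required.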

Step 2: Enterprise A grants permissions to the RAM role

Attach to the RAM role the policies that define what Enterprise B may do with the ApsaraMQ for RabbitMQ resources of Enterprise A. Grant only the permissions that Enterprise B needs for its maintenance, monitoring, and management tasks: everything that is attached to the role becomes available to every identity in Enterprise B that can assume it.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, select System Policy or Custom Policy. Enter the keyword of the policy that you want to attach to the RAM role in the search box, click the policy to add it to the Selected list, and then click OK.
    Note For information about the policies that you can use to authorize RAM roles and RAM users to access ApsaraMQ for RabbitMQ, see RAM policies.
  5. In the Add Permissions panel, check the authorization information and click Complete.
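The system policy AliyunAMQPFullAccess grants all amqp: actions on every ApsaraMQ for RabbitMQ instance in the account of Enterprise A, which is usually more than an external operator needs. The following custom policy is an added example that is not part of the original page: it allows Enterprise B to list instances and to perform read-only operations on a single instance. The instance ID is a placeholder, and the action names and the acs:amqp:*:*:/instances/<instance ID> resource format are assumptions here; check them against the RAM policies page before you attach the policy.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "amqp:ListInstances",
      "Resource": "acs:amqp:*:*:/instances/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "amqp:Get*",
        "amqp:List*"
      ],
      "Resource": "acs:amqp:*:*:/instances/<instance ID>"
    }
  ]
}
```

Create it under Permissions > Policies as a custom policy, then attach it to the role in step 4 above by selecting Custom Policy. Add write actions (for example, queue or exchange management) to the second statement only as the duties of Enterprise B require them. These policies govern the management operations that are performed through the console and OpenAPI; they do not replace the username and password that a client needs to open an AMQP connection to the instance.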

Step 3: Enterprise B creates a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Tag (optional): Click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user so that you can manage the RAM user based on the tags.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.
    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. The AccessKey secret is displayed only when the pair is created: store it in a secrets manager or in the environment of the host that runs the program, and do not embed it in source code. For more information, see Create an AccessKey pair.

  6. Click OK.

Step 4: Enterprise B grants permissions to the RAM user

Attach the AliyunSTSAssumeRoleAccess system policy to the RAM user so that it can call sts:AssumeRole. This system policy allows the RAM user to assume any RAM role that trusts the account of Enterprise B. If you want to limit the RAM user to the role that Enterprise A created, attach instead a custom policy that allows the sts:AssumeRole action only on the ARN of that role (acs:ram::<Enterprise A account ID>:role/<role name>).

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise B.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, click System Policy. Enter AliyunSTSAssumeRoleAccess in the search box, click the displayed policy to add it to the Selected list, and then click OK.
  5. In the Add Permissions panel, check the authorization information and click Complete.
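For comparison, a custom policy that grants the same capability as AliyunSTSAssumeRoleAccess but only for the role that Enterprise A created. This is an added example, not part of the original page; the account ID and role name are placeholders:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::<EnterpriseA-AccountID>:role/<role name>"
    }
  ]
}
```

AliyunSTSAssumeRoleAccess has Resource set to *, so a RAM user that holds it can assume every role in any account that trusts Enterprise B. With the scoped policy, a leaked AccessKey pair of this RAM user gives an attacker at most the permissions of this one role. Create the policy under Permissions > Policies, then attach it in step 4 above by selecting Custom Policy instead of System Policy.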

What to do next

The RAM user of Enterprise B can access the ApsaraMQ for RabbitMQ resources of Enterprise A by using the following methods:

  • Use the console
    1. Open the RAM User Logon page in a browser.
    2. On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Log On.
      Note The name of the RAM user is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the alias of the Alibaba Cloud account of Enterprise B, to which the RAM user belongs. If no alias is set, the ID of the Alibaba Cloud account is used by default.
    3. On the homepage of the console, move the pointer over the profile picture in the upper-right corner and click Switch Role.
    4. On the Switch Role page, specify the Enterprise Alias/Default Domain Name parameter for Enterprise A, specify the Role Name parameter, and then click Submit.
      Note
      • To view the enterprise alias, use the Alibaba Cloud account of Enterprise A to log on to the Alibaba Cloud user center. Move the pointer over the profile picture in the upper-right corner. The enterprise alias is displayed.
      • To view the default domain name, use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.
  • API
    1. Call the AssumeRole operation of STS with the RoleArn parameter set to acs:ram::<Enterprise A account ID>:role/<role name> and a RoleSessionName that identifies the caller. The response contains a temporary AccessKey ID, AccessKey secret, and Security Token Service (STS) token, which are valid for the number of seconds specified by DurationSeconds (3,600 by default). For more information, see AssumeRole.
    2. Use the AccessKey ID, AccessKey secret, and STS token together to call the API operations for the ApsaraMQ for RabbitMQ resources that the role is allowed to access. Obtain new credentials from AssumeRole before the current ones expire instead of storing them long term.
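What a program in Enterprise B receives from AssumeRole, as an added example that is not from the original page. All values are constructed placeholders: the role session name ops-alice, the account ID, and the credential strings are not real.

```json
{
  "RequestId": "<request ID>",
  "AssumedRoleUser": {
    "Arn": "acs:ram::<EnterpriseA-AccountID>:role/<role name>/ops-alice",
    "AssumedRoleId": "<role ID>:ops-alice"
  },
  "Credentials": {
    "AccessKeyId": "STS.<temporary AccessKey ID>",
    "AccessKeySecret": "<temporary AccessKey secret>",
    "SecurityToken": "<STS token>",
    "Expiration": "2025-01-01T01:00:00Z"
  }
}
```

Use all three Credentials fields together: a request signed with the temporary AccessKey pair but without the SecurityToken is rejected. The credentials stop working at Expiration, which is DurationSeconds after the call (3,600 seconds by default, at least 900, and at most the maximum session duration configured on the role), so a long-running program should refresh them before then rather than cache them indefinitely. Pick a RoleSessionName that identifies the person or job, because it is recorded in the assumed-role ARN and in the ActionTrail logs of Enterprise A, which is how Enterprise A can tell which identity in Enterprise B performed an action. The optional Policy parameter of AssumeRole narrows the permissions of that one session; it can only remove permissions from what the role's policies grant, never add to them.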