This topic describes how to grant permissions across Alibaba Cloud accounts to view resources in Function Compute by using the Resource Access Management (RAM) console and an SDK to obtain a Security Token Service (STS) token.

Example

Enterprise A has activated Function Compute and requires Enterprise B to manage Function Compute resources. Enterprise A has the following requirements:
  • Enterprise A can focus on its business systems and act only as the owner of Function Compute. In addition, Enterprise A can authorize Enterprise B to manage specified resources, such as creating services and functions.
  • When an employee joins or leaves Enterprise B, no permission change is required. Enterprise B can grant its RAM users fine-grained permissions on resources of Enterprise A.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Enterprise B.

Use the RAM console

For example, Enterprise A needs to authorize employees of Enterprise B to access all services in Function Compute. Enterprise A has an Alibaba Cloud account named Account A, and Enterprise B has an Alibaba Cloud account named Account B.
  • The ID of Account A is 123456789012****, and the account alias is company-a.
  • The ID of Account B is 134567890123****, and the account alias is company-b.

Step 1: Create a RAM role by using Account A

Use Account A to create a RAM role, grant the required permissions to the RAM role, and then authorize Account B to assume this role.

  1. Use Account A to log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role panel, select Alibaba Cloud Account and click Next in the Select Role Type step.
  5. In the Configure Role step, enter a RAM role name such as fc-admin in the RAM Role Name field, select Other Alibaba Cloud Account, and then enter the ID of Account B.
  6. Click OK.
    If the "The Role has been created" message appears in the Finish step, the RAM role is created. After the RAM role is created, you can view the information about the RAM role on the basic information page.
    • In this example, the Alibaba Cloud Resource Name (ARN) of the RAM role is acs:ram::123456789012****:role/fc-admin.
    • The following script shows the trust policy of the RAM role:
      Note This policy indicates that only RAM users that belong to Account B can assume the RAM role.
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::134567890123****:root"
              ]
            }
          }
        ],
        "Version": "1"
      }
  7. Use Account A to attach the AliyunFCReadOnlyAccess policy to the RAM role fc-admin. For more information, see Grant permissions to a RAM role.
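    The trust policy above is what limits who can assume fc-admin, so it is worth checking it mechanically after every edit and again when the agreement with Enterprise B ends. The following Python is an added example, not code from the page or from Alibaba Cloud: it parses a trust policy in the page's format and reports any principal whose account ID is not on the list of intended partner accounts.

```python
import json

# Trust policy from the page (Account A's role fc-admin, trusted by Account B's root principal).
SAMPLE_TRUST_POLICY = json.dumps({
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": ["acs:ram::134567890123****:root"]},
        }
    ],
    "Version": "1",
})


def assume_role_principals(trust_policy_json):
    """Return every RAM principal that an Allow statement lets call sts:AssumeRole."""
    policy = json.loads(trust_policy_json)
    principals = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Only Allow statements on sts:AssumeRole (or a wildcard covering it) grant the role.
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        ram = stmt.get("Principal", {}).get("RAM", [])
        if isinstance(ram, str):
            ram = [ram]
        principals.update(ram)
    return principals


def account_id_of(principal):
    """The account ID is the fourth colon-separated field of acs:ram::<account-id>:root (page format)."""
    parts = principal.split(":")
    return parts[3] if len(parts) >= 5 else ""


def unexpected_principals(trust_policy_json, allowed_account_ids):
    """Principals in the trust policy that do not belong to one of allowed_account_ids.

    A wildcard account ("acs:ram::*:root") is reported as unexpected as well, because
    it would let any Alibaba Cloud account assume the role.
    """
    allowed = set(allowed_account_ids)
    return {p for p in assume_role_principals(trust_policy_json) if account_id_of(p) not in allowed}
```

    An empty result for the intended partner account means the role can only be assumed from that account; a non-empty result lists exactly the principals to remove.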

Step 2: Use Account B to create a RAM user

  1. Use Account B to create a RAM user test-demo. For more information, see Create a RAM user.
  2. Use Account B to attach the AliyunSTSAssumeRoleAccess policy to the RAM user. Then, the RAM user can assume the RAM role. For more information, see Grant permissions to a RAM user.

Step 3: Switch the identity for logon

If a RAM user that belongs to Account B needs to access resources within Account A, Account B grants the RAM user the permission to assume the RAM role, and the RAM user then assumes the RAM role within Account A to access those resources. You can perform the following steps:

  1. Use the RAM user that belongs to Account B to log on to the RAM console. For more information, see Log on to the console as a RAM user.
  2. Move the pointer over the profile picture in the upper-right corner and click Switch Identity.
  3. On the Switch Role page, set the parameters.
    For more information, see Assume a RAM role.

Revoke the granted permissions (Optional)

If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Account B. Then, all RAM users that belong to Account B no longer have the permissions of the RAM role. You can perform the following steps:

  1. Use Account A to log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. Find the RAM role fc-admin and click Delete in the Actions column.
    Notice Before you delete the RAM role, you must detach the policies that are attached to the RAM role. For more information, see Remove permissions from a RAM role.

Use an SDK

You can use STS to authorize temporary access to Function Compute. STS is a web service that issues temporary credentials (STS tokens) that expire after a limited time. For example, Alibaba Cloud account B requires the permissions to view all services in Function Compute within Alibaba Cloud account A.

  1. Run the following sample code to obtain an STS token. For more information, see STS SDK overview and AssumeRole.
    Node.js:
    const Core = require('@alicloud/pop-core');

    // Construct an Alibaba Cloud client to initiate requests.
    // When you construct the client, specify the AccessKey ID and AccessKey secret of the caller (a RAM user in Account B).
    var client = new Core({
      accessKeyId: '<accessKeyId>',
      accessKeySecret: '<accessSecret>',
      endpoint: 'https://sts.aliyuncs.com',
      apiVersion: '2015-04-01'
    });

    // Specify request parameters. RoleArn is the ARN of the RAM role in Account A.
    var params = {
      "RegionId": "cn-hangzhou",
      "RoleArn": "<RoleARN>",
      "RoleSessionName": "<RoleSessionName>"
    };

    var requestOption = {
      method: 'POST'
    };

    // Initiate a request and obtain a response.
    client.request('AssumeRole', params, requestOption).then((result) => {
      console.log(JSON.stringify(result));
    }, (ex) => {
      console.log(ex);
    });

    Python:
    # coding=utf-8
    import json
    from aliyunsdkcore import client as AliyunSDK
    from aliyunsdksts.request.v20150401 import AssumeRoleRequest

    def main():
        AccessKeySecret = '<accessSecret>'
        AccessKeyId = '<accessKeyId>'
        regionId = 'cn-hangzhou'

        # Construct an STS client with the AccessKey pair of the caller (a RAM user in Account B).
        sts_client = AliyunSDK.AcsClient(
            AccessKeyId,
            AccessKeySecret,
            regionId)
        # Request temporary credentials for the RAM role in Account A.
        request = AssumeRoleRequest.AssumeRoleRequest()
        request.set_RoleArn("<RoleARN>")
        request.set_RoleSessionName('fc-python-sdk')
        response = sts_client.do_action_with_exception(request)
        response_json = json.loads(response)
        result = json.dumps(response_json['Credentials'])
        print(result)

    if __name__ == "__main__":
        main()

    Expected output:
    {
      "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025602A",
      "AssumedRoleUser": {
        "Arn": "acs:ram::****:role/wss/wss",
        "AssumedRoleId": "***********:wss"
      },
      "Credentials": {
        "SecurityToken": "*************",
        "AccessKeyId": "STS.*************",
        "AccessKeySecret": "*************",
        "Expiration": "2021-05-28T11:23:19Z"
      }
    }
    Note For more information about common questions that you may have when you obtain the STS token, see FAQ about RAM roles and STS tokens.
  2. Modify the following function code within Alibaba Cloud account B to authorize the RAM user that belongs to Alibaba Cloud account B to view all services in Function Compute within Alibaba Cloud account A.
    const FC = require('@alicloud/fc2');
    // Construct a client with the temporary credentials returned by AssumeRole.
    const client = new FC('<accountID>', {
        region: '<yourRegionID>',
        accessKeyID: '<yourAccessKeyID>',
        securityToken: '<yourSecurityToken>',
        accessKeySecret: '<yourAccessKeySecret>'
    });
    // Query services.
    client.listServices().then(res => {
        console.log(JSON.stringify(res, null, ' '));
    }).catch(ex => console.log(ex));
    Notice The role to which the STS token is assigned must have the permissions to query services.
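    The STS credentials returned in step 1 carry an Expiration, so a caller that keeps the Function Compute client around longer than the token lifetime will start failing unless it re-assumes the role. The following Python is an added example, not code from the page or from Alibaba Cloud: it validates the Credentials block of an AssumeRole response, decides whether the token is about to expire, and re-assumes the role through a caller-supplied function only when needed. The assume_role callable and the sample response are assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed AssumeRole response in the shape shown on the page (secret values masked).
SAMPLE_STS_RESPONSE = json.dumps({
    "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025602A",
    "Credentials": {
        "SecurityToken": "*************",
        "AccessKeyId": "STS.*************",
        "AccessKeySecret": "*************",
        "Expiration": "2021-05-28T11:23:19Z",
    },
})


def parse_utc(timestamp):
    """Parse the ISO 8601 UTC timestamp (trailing Z) that STS uses for Expiration."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sts_credentials(response_json):
    """Extract Credentials from an AssumeRole response, rejecting incomplete ones."""
    creds = json.loads(response_json).get("Credentials") or {}
    for key in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
        if not creds.get(key):
            raise ValueError("AssumeRole response lacks Credentials.%s" % key)
    return creds


def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True when the token has expired or expires within `margin` of `now`."""
    return parse_utc(creds["Expiration"]) - now <= margin


def fresh_credentials(cached, now, assume_role, margin=timedelta(minutes=5)):
    """Reuse cached credentials while valid; otherwise call assume_role() for a new token.

    assume_role is a hypothetical callable returning the raw AssumeRole response JSON,
    for example a wrapper around the page's sts_client.do_action_with_exception(request).
    """
    if cached is not None and not needs_refresh(cached, now, margin):
        return cached
    return sts_credentials(assume_role())
```

    Pass the returned AccessKeyId, AccessKeySecret and SecurityToken to the Function Compute client each time you build it, and call fresh_credentials before every batch of requests rather than once at startup.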