Example for Cross-account Access

Last Updated: Nov 07, 2017

Premise

Assume that the user xiaoming@aliyun.com has created a Server Load Balancer instance whose LoadBalancerId is 139a00604ad-cn-east-hangzhou-01.

Objective

Now, xiaoming@aliyun.com wants to authorize beibei@aliyun.com to manage the instance.

  • beibei@aliyun.com is only allowed to perform four operations on this instance through the Server Load Balancer API: SetLoadBalancerStatus (configuring the load balancer status), DescribeLoadBalancerAttribute (querying the load balancer information), AddBackendServers (adding backend servers) and RemoveBackendServers (removing backend servers). Any other SLB operation, and these four operations on any other instance, stay denied.

Authorization steps

To grant these permissions, Xiaoming needs to execute the following steps:

  1. Add Beibei as a RAM user under Xiaoming's account.

    Call the AddUser interface of RAM with Xiaoming's identity, passing the parameter UserName=ALIYUN$beibei@aliyun.com:

    https://ram.aliyuncs.com/?Action=AddUser
    &UserName=ALIYUN$beibei@aliyun.com
    &<other common request parameters>
  2. Prepare the authorization policy.

    The policy is a JSON document containing the following elements. It has a single Allow statement, so only the listed actions on the listed resource are permitted; everything not listed is denied by default:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["slb:SetLoadBalancerStatus", "slb:DescribeLoadBalancerAttribute", "slb:AddBackendServers", "slb:RemoveBackendServers"],
          "Resource": ["acs:slb:*:LoadBalancerId/139a00604ad-cn-east-hangzhou-01"]
        }
      ]
    }

    Note that action names must be written exactly; an action with a stray space (for example "slb: AddBackendServers") does not match and the corresponding call is denied.
  3. Xiaoming calls the PutUserPolicy interface of RAM to attach the policy to Beibei.

    The parameter PolicyName (here web_slb_policy) is the name Xiaoming gives to the policy, and PolicyDocument carries the JSON prepared in Step 2:

    https://ram.aliyuncs.com/?Action=PutUserPolicy
    &UserName=ALIYUN$beibei@aliyun.com
    &PolicyName=web_slb_policy
    &PolicyDocument=<the policy prepared in Step 2>
    &<other common request parameters>
  4. Beibei can now call the Server Load Balancer API to operate the instance, for example SetLoadBalancerStatus (configuring the load balancer status).

    Because the instance belongs to Xiaoming, the call must carry the parameter ResourceOwnerAccount to indicate that it operates on Xiaoming's resources. This parameter only identifies the owner; whether the call is permitted is decided by the policy attached in Step 3.

    https://slb.aliyuncs.com/?Action=SetLoadBalancerStatus
    &LoadBalancerId=139a00604ad-cn-east-hangzhou-01
    &ResourceOwnerAccount=xiaoming@aliyun.com
    &<other common request parameters>

Revoke authorization

  • To revoke Beibei's permissions, Xiaoming calls DeleteUserPolicy of RAM to delete the policy:

    https://ram.aliyuncs.com/?Action=DeleteUserPolicy
    &UserName=ALIYUN$beibei@aliyun.com
    &PolicyName=web_slb_policy
    &<other common request parameters>
  • After that, when Beibei calls the Server Load Balancer API on this instance again, the call is denied and returns a response like the following:

    {
      "RequestId": "7463B73D-35CC-4D19-A010-6B8D65D242EF",
      "HostId": "slb.aliyuncs.com",
      "Code": "Forbidden",
      "Message": "User not authorized to operate on the specified resource."
    }
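The whole sequence above, the four authorization steps and the revocation step, as an added example that is not from the original page and not Alibaba Cloud SDK code: it builds the Step 2 policy document, checks offline which SLB calls it would and would not allow, and assembles the signed RAM and SLB requests of Steps 1, 3 and 4 and of DeleteUserPolicy. The request signature follows the Alibaba Cloud RPC-style signing rules (sorted, percent-encoded query string, HMAC-SHA1 over the string to sign, SignatureVersion 1.0). The API version strings, the AccessKeys, the region in the sample resource string and the hypothetical function names are assumptions for illustration; nothing is sent over the network.

```python
# Added example, not from the original page: RAM policy for cross-account
# SLB access, an offline allow/deny check, and signed RAM/SLB request URLs.
import base64, datetime, fnmatch, hashlib, hmac, json, uuid
from urllib.parse import quote

LB_ID = "139a00604ad-cn-east-hangzhou-01"
OWNER = "xiaoming@aliyun.com"
RAM_USER = "ALIYUN$beibei@aliyun.com"
POLICY_NAME = "web_slb_policy"
RAM_API_VERSION = "2015-05-01"   # assumed RAM API version string
SLB_API_VERSION = "2014-05-15"   # assumed SLB API version string
ALLOWED_ACTIONS = ["slb:SetLoadBalancerStatus", "slb:DescribeLoadBalancerAttribute",
                   "slb:AddBackendServers", "slb:RemoveBackendServers"]


def build_policy(lb_id, actions):
    """Step 2: one Allow statement scoped to the given actions and instance."""
    return json.dumps({"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": [f"acs:slb:*:LoadBalancerId/{lb_id}"]}]},
        separators=(",", ":"))


POLICY = build_policy(LB_ID, ALLOWED_ACTIONS)


def policy_allows(policy_doc, action, resource):
    """Simplified evaluation (hypothetical helper): an Allow statement must
    match both action and resource, '*' is a wildcard, no match means deny."""
    for st in json.loads(policy_doc)["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in st["Action"]) and
                any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])):
            return True
    return False


def _pct(value):
    # RFC 3986 encoding used by the signature: only -_.~ stay unescaped
    return quote(str(value), safe="-_.~")


def sign_request(host, params, access_key_id, access_key_secret,
                 timestamp=None, nonce=None):
    """Add the common request parameters, compute Signature, return the URL.
    timestamp and nonce are injectable so the output is reproducible."""
    p = dict(params)
    p.update({"Format": "JSON", "AccessKeyId": access_key_id,
              "SignatureMethod": "HMAC-SHA1", "SignatureVersion": "1.0",
              "SignatureNonce": nonce or str(uuid.uuid4()),
              "Timestamp": timestamp or datetime.datetime.now(
                  datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    canonical = "&".join(f"{_pct(k)}={_pct(p[k])}" for k in sorted(p))
    string_to_sign = f"GET&{_pct('/')}&{_pct(canonical)}"
    digest = hmac.new((access_key_secret + "&").encode(),
                      string_to_sign.encode(), hashlib.sha1).digest()
    return f"https://{host}/?{canonical}&Signature={_pct(base64.b64encode(digest).decode())}"


def grant_requests(ak, sk, timestamp=None, nonce=None):
    """Steps 1 and 3 (AddUser, PutUserPolicy), signed with Xiaoming's key."""
    ram = "ram.aliyuncs.com"
    return [
        sign_request(ram, {"Action": "AddUser", "Version": RAM_API_VERSION,
                           "UserName": RAM_USER}, ak, sk, timestamp, nonce),
        sign_request(ram, {"Action": "PutUserPolicy", "Version": RAM_API_VERSION,
                           "UserName": RAM_USER, "PolicyName": POLICY_NAME,
                           "PolicyDocument": POLICY}, ak, sk, timestamp, nonce),
    ]


def slb_request(ak, sk, action, timestamp=None, nonce=None):
    """Step 4: signed with Beibei's own key; ResourceOwnerAccount only names
    whose instance is targeted, the attached RAM policy decides the outcome."""
    return sign_request("slb.aliyuncs.com",
                        {"Action": action, "Version": SLB_API_VERSION,
                         "LoadBalancerId": LB_ID, "ResourceOwnerAccount": OWNER},
                        ak, sk, timestamp, nonce)


def revoke_request(ak, sk, timestamp=None, nonce=None):
    """Revocation: DeleteUserPolicy, signed with Xiaoming's key."""
    return sign_request("ram.aliyuncs.com",
                        {"Action": "DeleteUserPolicy", "Version": RAM_API_VERSION,
                         "UserName": RAM_USER, "PolicyName": POLICY_NAME},
                        ak, sk, timestamp, nonce)


if __name__ == "__main__":
    for url in grant_requests("XIAOMING_AK", "XIAOMING_SK"):
        print(url)
    print(slb_request("BEIBEI_AK", "BEIBEI_SK", "SetLoadBalancerStatus"))
    print(revoke_request("XIAOMING_AK", "XIAOMING_SK"))
```

Run stand-alone it prints the four request URLs with placeholder keys. The part worth keeping in a deployment pipeline is policy_allows: evaluate every SLB action Beibei should and should not be able to call against the document before attaching it, which confirms the grant is as narrow as intended and also catches a silently mistyped action name (a stray space makes the grant fail closed, so Beibei is denied rather than over-privileged). Keep in mind that ResourceOwnerAccount grants nothing by itself: Beibei signs with her own AccessKey, and the policy in Xiaoming's account is what authorizes the call.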