Assume that enterprise A has purchased many cloud resources, such as ECS instances, RDS instances, Server Load Balancer instances, and OSS buckets, to meet its business requirements.
Enterprise A wants to focus on its own business systems, so it outsources cloud resource O&M, monitoring, and other operational tasks to enterprise B.
Enterprise B can then further delegate the O&M tasks to its own employees. Enterprise B needs to precisely control which operations its employees can perform on the cloud resources of enterprise A.
If A and B terminate the O&M contract, enterprise A must be able to revoke the permissions of enterprise B at any time, without depending on B.
Authorization between two Alibaba Cloud accounts, A and B.
Account A is the resource owner and wants to grant B permissions to perform operations on its resources.
Account B needs to further allocate permissions to its sub-users (employees or applications).
If an employee of B joins or leaves the company, A does not have to make any changes to the permissions.
If A and B terminate their cooperation, A is able to revoke B’s permissions as needed.
Assume that enterprise A (AccountID=11223344, alias: company-a) needs to grant ECS operation permissions to the employees of enterprise B (AccountID=12345678, alias: company-b). The operation procedure is as follows:
A logs on to the RAM console and goes to Roles > Create Role.
In the Create Role window, A selects Other Alibaba Cloud Account as the trusted account and enters the ID of the trusted account (for example, 12345678), and then enters a role name such as “ecs-admin”.
After creating the role, enterprise A can view the role information on the role details page. In this example, the role's globally unique ARN is:
The role's trust policy (which allows only RAM identities of enterprise B's account to assume this role) is as follows:
After the role is created, enterprise A can attach authorization policies directly from the dialog box that appears, or open the role details page and click Edit Authorization Policy to attach them.
In the authorization window, enterprise A adds the system authorization policy AliyunECSFullAccess and then clicks OK. Note that AliyunECSFullAccess grants every ECS action on all of A's ECS resources; if B only needs a subset (for example, read-only monitoring), attach a narrower custom policy to the role instead, because the role's policies define the upper bound of what anyone in B can do with A's resources.
B logs on to the RAM console and goes to Users > Create User.
In the Create User window, B enters a username such as “AAA” and sets a logon password for this user.
In the user list, B clicks the created user to open the User Details page and then clicks User Authorization Policies > Edit Authorization Policy.
In the Edit Individual Authorization Policy window, B adds the system authorization policy AliyunSTSAssumeRoleAccess for this user, and then clicks OK. AliyunSTSAssumeRoleAccess allows the sub-user to call sts:AssumeRole on any role that trusts account B; if AAA should be able to assume only the ecs-admin role, attach a custom policy instead whose Resource is the ARN of that role.
B's sub-user AAA logs on to the RAM user console. When a sub-user logs on, the sub-user must enter the enterprise alias of its own account (company-b), the sub-user username (AAA), and the sub-user password.
After AAA logs on to the console, the logon information is displayed in the top-right corner. AAA moves the mouse pointer to the username and clicks Switch Role to go to the identity switching page. There, AAA enters the enterprise alias of enterprise A (company-a) and the role name (ecs-admin).
AAA can now perform operations on the ECS resources of enterprise A, within the limits of the policies attached to the ecs-admin role. B adds or removes its own employees without involving A, and if the contract ends, A simply deletes the ecs-admin role or removes account B from its trust policy.
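The following Python example is added here and is not part of the original page or of Alibaba Cloud's own tooling. It builds the three artifacts the procedure above relies on for the company-a / company-b case: the ARN of the ecs-admin role, the trust policy A attaches to it, and a scoped assume-role policy B could attach to sub-user AAA instead of the broad system policy AliyunSTSAssumeRoleAccess. The account IDs, alias and role name are the ones used on this page; the policy and ARN layouts follow the documented RAM formats (Version "1", a Statement list, a Principal.RAM list of account ARNs). The function trust_policy_admits is a simplified model of the trust-side check only, written for illustration, not RAM's actual evaluation engine.

```python
# Added example (not from the original page): cross-account role trust for
# company-a (resource owner) and company-b (O&M provider).
import json

ACCOUNT_A = "11223344"   # resource owner, alias company-a (from the page)
ACCOUNT_B = "12345678"   # O&M provider, alias company-b (from the page)
ROLE_NAME = "ecs-admin"


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role: acs:ram::<account-id>:role/<role-name>."""
    return f"acs:ram::{account_id}:role/{role_name}"


def trust_policy(trusted_account_id: str) -> dict:
    """Trust (assume-role) policy A attaches to the role: only RAM identities
    of the trusted account may call sts:AssumeRole on it. The ':root'
    principal denotes the whole account, which is why B can add or remove its
    own users without A changing anything."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
        "Version": "1",
    }


def scoped_assume_role_policy(target_role_arn: str) -> dict:
    """Custom policy B can attach to sub-user AAA instead of the system policy
    AliyunSTSAssumeRoleAccess (sts:AssumeRole on Resource "*"). This one lets
    AAA assume exactly one role and nothing else."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": target_role_arn,
        }],
        "Version": "1",
    }


def account_of(principal_arn: str) -> str:
    """Extract the account ID from a RAM principal ARN such as
    acs:ram::12345678:user/AAA. Raises ValueError for anything else."""
    parts = principal_arn.split(":")
    if (len(parts) != 5 or parts[0] != "acs" or parts[1] != "ram"
            or not parts[3].isdigit()):
        raise ValueError(f"not a RAM principal ARN: {principal_arn}")
    return parts[3]


def trust_policy_admits(policy: dict, principal_arn: str) -> bool:
    """Simplified model of the trust side only: is the caller's account listed
    as a trusted RAM principal with an Allow on sts:AssumeRole? RAM also
    requires that the caller's own account grant it sts:AssumeRole
    (see scoped_assume_role_policy); that half is not modelled here."""
    acct = account_of(principal_arn)
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if f"acs:ram::{acct}:root" in stmt.get("Principal", {}).get("RAM", []):
            return True
    return False


if __name__ == "__main__":
    ecs_admin = role_arn(ACCOUNT_A, ROLE_NAME)
    print("Role ARN:", ecs_admin)
    print("Trust policy A attaches to the role:")
    print(json.dumps(trust_policy(ACCOUNT_B), indent=2))
    print("Scoped policy B can attach to sub-user AAA:")
    print(json.dumps(scoped_assume_role_policy(ecs_admin), indent=2))
    # Constructed caller ARNs: B's sub-user AAA, and a user of an unrelated account.
    for caller in ("acs:ram::12345678:user/AAA", "acs:ram::99999999:user/AAA"):
        print(caller, "->", trust_policy_admits(trust_policy(ACCOUNT_B), caller))
```

Running the block prints the two policy documents and shows that a user of account 12345678 is admitted by the trust policy while a user of any other account is not. Revocation by A is the mirror image: removing `acs:ram::12345678:root` from the Principal list (or deleting the role) cuts off every employee of B at once, whatever B has granted them on its side.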