This topic describes how to use RAM roles to grant permissions across accounts when an enterprise wants to entrust part of its businesses to another enterprise.

Background information

Account A and Account B are created respectively for Enterprise A and Enterprise B. Enterprise A has purchased various Alibaba Cloud resources, such as ECS instances, ApsaraDB for RDS instances, SLB instances, and OSS buckets.

  • Enterprise A wants to focus on its business system and entrust tasks such as cloud resource O&M, monitoring, and management to Enterprise B.
  • Enterprise B is allowed to grant access permissions for the resources owned by Enterprise A to one or more employees, implementing fine-grained control on the cloud resources of Enterprise A.
  • If either party terminates the entrustment agreement, Enterprise A can revoke the permissions of Enterprise B at any time.

Requirement analysis

  • Enterprise A is the resource owner and wants to grant Enterprise B permissions to manage certain resources.
  • Enterprise B needs to further grant permissions to its RAM users (employees or apps) so that they can access the relevant resources. Enterprise A does not have to change the permissions when the employees of Enterprise B change.
  • If either party terminates the entrustment agreement, Enterprise A can revoke the permissions of Enterprise B at any time.

Solution

A RAM role can be used to authorize users to access resources across accounts.

  • Enterprise A creates a RAM role, grants the appropriate permissions to the role, and allows Enterprise B to use this role.

    For more information, see Cross-account authorization.

  • If an employee (RAM user) of Enterprise B needs to use this role, the role can be assumed by the RAM user at the discretion of Enterprise B. RAM users under Account B can use the role to perform operations on the cloud resources of Account A.

    For more information, see Cross-account resource access.

  • If either party terminates the entrustment agreement, Enterprise A only needs to revoke Enterprise B's permission to use this role. Once the permission is revoked, RAM users of Enterprise B can no longer use this role.

    For more information, see Revoke cross-account authorization.

Cross-account authorization

Assume that Enterprise A (account ID: 11223344, alias: company-a) needs to grant permissions for ECS resources to the employees of Enterprise B (account ID: 12345678, alias: company-b).

Figure: Use a RAM role for cross-account authorization
  1. Enterprise A creates the RAM role named ecs-admin and selects Other Alibaba Cloud Account (account ID: 12345678) as the trusted account.

    For more information, see RAM roles.

    After creating the role, Enterprise A can view basic information about the role on the Role Details page.

    • The Alibaba Cloud Resource Name (ARN) of the role is as follows:
      acs:ram::11223344:role/ecs-admin
    • The following policy of the role indicates that only Enterprise B can assume this role:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::12345678:root"
              ]
            }
          }
        ],
        "Version": "1"
      }
  2. Enterprise A attaches the AliyunECSFullAccess policy to the ecs-admin role.

    For more information, see Permission granting in RAM.

  3. Enterprise B creates a RAM user named John for one of its employees and sets a logon password. Then, Enterprise B attaches the AliyunSTSAssumeRoleAccess system policy to grant John the permissions to call the AssumeRole API operation.

Cross-account resource access

After being authorized, John can access ECS resources of Enterprise A.

  1. John logs on to the RAM console.

    To log on, John must enter the correct enterprise alias (company-b), username (John), and password (123456).

  2. After successfully logging on, John moves the pointer over the profile picture in the upper-right corner and clicks Switch Role.

    Then, John enters the correct enterprise alias (company-a) and role name (ecs-admin) to switch the role.

Note: John can now manage the ECS resources of Enterprise A.

Revoke cross-account authorization

Enterprise A can also revoke Enterprise B's permissions to use the ecs-admin role.

  1. Enterprise A logs on to the RAM console, finds the ecs-admin role on the Roles page, and clicks the role name.
  2. In the left-side navigation pane, Enterprise A clicks Role Authorization Policies and then clicks Revoke Authorization.
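The trust policy shown in Cross-account authorization and the revocation step above, modelled as an added Python example (not code from Alibaba Cloud or this page): it builds the ecs-admin trust policy for Account B, checks whether a RAM user under Account B is covered by the acs:ram::12345678:root principal, and shows that removing that principal denies the user. John's ARN (acs:ram::12345678:user/John) is a constructed value and its format is an assumption.

```python
# Values from the page: Enterprise B's account ID is the trusted principal.
ENTERPRISE_B = "12345678"
# Constructed ARN for the RAM user John under Account B (assumed ARN format).
JOHN_ARN = "acs:ram::12345678:user/John"


def build_trust_policy(trusted_accounts):
    """Build a trust policy in the format shown on the Role Details page."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{a}:root" for a in trusted_accounts]},
        }],
        "Version": "1",
    }


def can_assume(trust_policy, caller_arn):
    """True if an Allow statement for sts:AssumeRole trusts the caller's account
    (a RAM user under Account B is covered by acs:ram::12345678:root)."""
    caller_account = caller_arn.split(":")[3]
    for stmt in trust_policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for principal in stmt.get("Principal", {}).get("RAM", []):
            if principal in (caller_arn, f"acs:ram::{caller_account}:root"):
                return True
    return False


def revoke_account(trust_policy, account_id):
    """Drop the account's root principal from every statement (the revoke step)."""
    root = f"acs:ram::{account_id}:root"
    for stmt in trust_policy["Statement"]:
        ram = stmt.get("Principal", {}).get("RAM")
        if isinstance(ram, list):
            stmt["Principal"]["RAM"] = [p for p in ram if p != root]
    return trust_policy


if __name__ == "__main__":
    policy = build_trust_policy([ENTERPRISE_B])
    print("John can assume ecs-admin:", can_assume(policy, JOHN_ARN))  # True
    revoke_account(policy, ENTERPRISE_B)
    print("after revocation:", can_assume(policy, JOHN_ARN))          # False
```

John still needs the AliyunSTSAssumeRoleAccess policy on his own account to call AssumeRole; this check only covers the trust side held by Enterprise A.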