Use the Alibaba Cloud account (primary account) of Enterprise A to create a RAM role, attach a permission policy to it, and name the Alibaba Cloud account of Enterprise B as the trusted entity. The primary account of Enterprise B, or a RAM user (sub-account) under it, can then assume the role to access the Alibaba Cloud resources of Enterprise A.

Background information

Assume that Enterprise A has purchased multiple types of cloud resources to run its business and needs to authorize Enterprise B to operate part of that business on its behalf. A RAM role is the mechanism for this. A RAM role is a virtual identity: it has no logon password or AccessKey of its own and cannot be used until a trusted real user assumes it, after which that user acts with the permissions attached to the role. To meet the needs of Enterprise A, follow these steps:

  1. Enterprise A creates a RAM role and names the Alibaba Cloud account of Enterprise B as the trusted entity.
  2. Enterprise A attaches the AliyunEDASFullAccess permission policy to the RAM role.
  3. Enterprise B creates a RAM user.
  4. Enterprise B attaches the AliyunSTSAssumeRoleAccess permission policy to the RAM user.
  5. The RAM user of Enterprise B assumes the role and accesses the resources of Enterprise A through the console or API.

In this example, the AliyunEDASFullAccess permission policy is attached to the RAM role. This system policy grants full permissions on Enterprise Distributed Application Service (EDAS). The permissions attached to the role are the upper bound of what Enterprise B can do in the account of Enterprise A, so if Enterprise B needs only part of EDAS, attach a narrower custom policy instead.

Note
  • The role to be assumed must have the AliyunEDASFullAccess permission policy attached.
  • A RAM user can assume RAM roles that belong to a different Alibaba Cloud account. To access the EDAS resources of Enterprise A, the RAM user of Enterprise B must assume the specific role that Enterprise A created and attached the AliyunEDASFullAccess permission policy to. If the RAM user has assumed a different role, it cannot access EDAS in the account of Enterprise A; in this case, log off (switch back) first and then assume the correct role.
  • After the RAM user assumes a role that has the AliyunEDASFullAccess permission policy, the RAM user has the same EDAS permissions in the account of Enterprise A as the role, that is, full permissions on EDAS. These permissions apply only to the temporary session in which the role is assumed; they do not change the RAM user's own permissions in the account of Enterprise B.

Step 1: Create a RAM role for Enterprise A

First, use the Alibaba Cloud account (primary account) of Enterprise A to log on to the RAM console and create a RAM role.

  1. Log on to the RAM console. In the left-side navigation pane, choose RAM Roles. On the RAM Roles page, click Create RAM Role.
  2. In the Create RAM Role panel, perform the following operations and then click Complete.
    1. In the Select Trusted Entity Type section, select Alibaba Cloud Account and click Next.
    2. In the Role Name text box, enter a name for the RAM role.
      Note A RAM role name can contain letters, digits, and hyphens (-). It cannot exceed 64 characters in length.
    3. In the Select Trusted Alibaba Cloud Account section, select Other Alibaba Cloud Account and enter the account ID of Enterprise B in the text box. Only identities from the account entered here can assume the role, so verify the ID before you continue.

Step 2: Enterprise A grants permissions to the RAM role

A newly created role has no permissions. Enterprise A must therefore attach a permission policy to the role.

  1. In the RAM console, choose RAM Roles in the left-side navigation pane.
  2. On the RAM Roles page, find the target role and click Add Permissions in the Actions column.
  3. In the Add Permissions panel, under Select Policy, search for the policy to attach by keyword (AliyunEDASFullAccess in this example) and click the policy to add it to the Selected list on the right. Then click OK.
    Note For more information about the permissions that can be attached, see Background information.
  4. On the Authorization Result page of the Add Permissions panel, view the authorization summary and click Complete.

Step 3: Create a RAM user for Enterprise B

Next, use the Alibaba Cloud account (primary account) of Enterprise B to log on to the RAM console and create a RAM user.

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users. On the Users page, click Create User.
  2. On the Create User page, in the User Account Information section, enter a Logon Name and a Display Name.
    Note The logon name can contain letters, digits, periods (.), underscores (_), and hyphens (-). It cannot exceed 128 characters in length. The display name cannot exceed 24 characters.
  3. (Optional) To create multiple users at a time, click Add User and repeat the previous step.
  4. In the Access Mode section, select Console Password Logon or Programmatic Access and click OK.
    Note For security, select only one access mode: a user that only calls API operations does not need a console password, and a user that only works in the console does not need an AccessKey pair.
    • If you select Console Password Logon, complete the additional settings: generate a default password or specify a custom password, choose whether the user must reset the password at the next logon, and choose whether to enable multi-factor authentication (MFA).
    • If you select Programmatic Access, RAM automatically creates an AccessKey pair (API access key) for the RAM user.
      Notice For security reasons, the RAM console lets you view or download the AccessKey secret only once, when the AccessKey pair is created. Record the AccessKey secret in a secure place. If it is lost, create a new AccessKey pair and disable the old one.
  5. In the Verify by Phone Number dialog box, click Get Verification Code, enter the verification code that you received, and click OK.
    The created RAM user appears on the Users page.

Step 4: Grant permissions to the RAM user

Enterprise B must attach the AliyunSTSAssumeRoleAccess permission policy to the RAM user under its primary account. With this policy, the RAM user can call the STS AssumeRole operation and assume the RAM role created by Enterprise A.

  1. In the RAM console, choose Identities > Users in the left-side navigation pane.
  2. On the Users page, find the user to authorize and click Add Permissions in the Actions column.
  3. In the Add Permissions panel, under Select Policy, search for AliyunSTSAssumeRoleAccess by keyword and click the policy to add it to the Selected list on the right. Then click OK.
  4. On the Authorization Result page of the Add Permissions panel, view the authorization summary and click Complete.

Note AliyunSTSAssumeRoleAccess allows the RAM user to call sts:AssumeRole on any resource, so the user can assume every role, in any account, whose trust policy names the account of Enterprise B. If the user should be able to reach only the role of Enterprise A, attach a custom policy that allows sts:AssumeRole on that role's ARN instead.
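The console steps in Step 1 and Step 4 generate policy documents that the UI never shows. The following Python example, added here and not part of the Alibaba Cloud documentation or SDK, builds the trust policy that Step 1 attaches when you choose Other Alibaba Cloud Account, a custom permission policy for Step 4 that is narrower than AliyunSTSAssumeRoleAccess, and two checks a reviewer would run on them. The account IDs and the role name edas-operator are placeholders.

```python
"""Policy documents behind Steps 1 and 4.

Added example, not Alibaba Cloud code. The account IDs and the role name
are placeholders made up for illustration.
"""
import json
import re

# Alibaba Cloud account IDs (UIDs) are 16-digit numbers; both values are made up.
ENTERPRISE_A_UID = "1234567890123456"  # owns the EDAS resources
ENTERPRISE_B_UID = "6543210987654321"  # operates on Enterprise A's behalf
ROLE_NAME = "edas-operator"            # hypothetical role name chosen in Step 1

# Form of a RAM role ARN: acs:ram::<16-digit UID>:role/<name>, with the name
# limited to letters, digits and hyphens and at most 64 characters (see Step 1).
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d{16}):role/([A-Za-z0-9-]{1,64})$")


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role; RAM shows this value on the role's details page."""
    return f"acs:ram::{account_id}:role/{role_name}"


def parse_role_arn(arn: str):
    """Return (account_id, role_name), or None if arn is not a RAM role ARN."""
    m = ROLE_ARN_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy RAM attaches to the role when Step 1 selects
    'Other Alibaba Cloud Account' and enters trusted_account_id. It admits that
    account's primary account and, subject to their own permission policies,
    that account's RAM users."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
        "Version": "1",
    }


def assume_role_only_policy(target_role_arn: str) -> dict:
    """Custom permission policy for Enterprise B's RAM user, an alternative to
    the AliyunSTSAssumeRoleAccess system policy in Step 4: it allows assuming
    exactly one role instead of every role that trusts Enterprise B's account."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": target_role_arn,
        }],
        "Version": "1",
    }


# What AliyunSTSAssumeRoleAccess grants: sts:AssumeRole on every resource.
STS_ASSUME_ROLE_ACCESS = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def assumable_roles(policy: dict) -> list:
    """Role ARNs on which a permission policy allows sts:AssumeRole.
    A result of ["*"] means any role whose trust policy names this account."""
    out = []
    for st in policy.get("Statement", []):
        actions = set(_as_list(st.get("Action")))
        if st.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*"} & actions):
            continue
        out.extend(_as_list(st.get("Resource")))
    return out


def trusts_account(trust: dict, account_id: str) -> bool:
    """True if the trust policy lets identities of account_id assume the role."""
    wanted = f"acs:ram::{account_id}:root"
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        if wanted in _as_list(st.get("Principal", {}).get("RAM")):
            return True
    return False


if __name__ == "__main__":
    arn = role_arn(ENTERPRISE_A_UID, ROLE_NAME)
    print(json.dumps(trust_policy(ENTERPRISE_B_UID), indent=2))
    print(json.dumps(assume_role_only_policy(arn), indent=2))
    print("trusts B:", trusts_account(trust_policy(ENTERPRISE_B_UID), ENTERPRISE_B_UID))
    print("system policy covers:", assumable_roles(STS_ASSUME_ROLE_ACCESS))
```

Running the script prints the two documents as you would paste them into the RAM console's policy editor. The trust policy is the real control on the Enterprise A side: whatever Enterprise B attaches to its RAM user, the role can only be assumed by identities from the account named in the Principal list, so that ID deserves the same review as the permission policy.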

What to do next

After the preceding operations are complete, the RAM user of Enterprise B can log on to the console or call API operations to access the cloud resources of Enterprise A. To access the cloud resources of Enterprise A, perform the following operations:

  • Log on to the console to access the cloud resources of Enterprise A.
    1. Open the RAM user logon page in the browser.
    2. On the logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Log On.
      Note The format of the logon name of a RAM user is <username>@<default domain name> or <username>@<enterprise alias>. For example, the logon name of a RAM user can be username@company-alias.onaliyun.com or username@company-alias.
    3. On the homepage of the console, move the pointer over the user avatar in the upper-right corner and click Switch Role.
    4. On the Alibaba Cloud - Switch Role page, enter the Enterprise Alias / Default Domain Name / Root Account UID of Enterprise A, enter the Role Name, and then click Switch.
    5. Manage the Alibaba Cloud resources of Enterprise A. The switch applies only to the current console session; switch back to return to the permissions of the RAM user's own account.
  • Call API operations as the RAM user of Enterprise B to access the cloud resources of Enterprise A.

    The RAM user's own AccessKey pair grants no access to the resources of Enterprise A by itself. The code must first call the STS AssumeRole operation, signed with the RAM user's AccessKey ID and AccessKey secret, and pass the ARN of the role created by Enterprise A. STS returns temporary credentials: a temporary AccessKey ID, a temporary AccessKey secret, and a security token, valid for the requested duration. Every subsequent EDAS API call must be signed with the temporary AccessKey pair and carry the security token. When the credentials expire, call AssumeRole again; do not persist them.
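The API path described above, as an added example that is not Alibaba Cloud SDK code: a standard-library Python client that signs the STS AssumeRole request with the RAM user's AccessKey pair using the RPC request signature (HMAC-SHA1, SignatureVersion 1.0), extracts the temporary credentials, decides when they need refreshing, and shows where the security token goes in a subsequent RPC-style call. The role ARN, session name, keys and the sample STS response are placeholders constructed for this example; only assume_role() touches the network.

```python
"""Assume Enterprise A's role from Enterprise B's RAM user via STS.

Added example, not Alibaba Cloud SDK code; standard library only. Every key,
ID and response value below is a placeholder constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com/"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamps used by the API


def percent_encode(value) -> str:
    """RFC 3986 encoding the signature requires: space -> %20, '*' -> %2A,
    unreserved characters - _ . ~ left as they are."""
    return urllib.parse.quote(str(value), safe="-_.~")


def string_to_sign(method: str, params: dict) -> str:
    """Query sorted by parameter name and encoded, then wrapped in the RPC string-to-sign."""
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(query)}"


def sign(access_key_secret: str, to_sign: str) -> str:
    """Base64(HMAC-SHA1(secret + '&', string-to-sign)); the '&' suffix is part of the scheme."""
    mac = hmac.new((access_key_secret + "&").encode(), to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_assume_role_request(access_key_id, access_key_secret, role_arn, session_name,
                              duration_seconds=3600, timestamp=None, nonce=None) -> dict:
    """Signed query parameters for STS AssumeRole. timestamp and nonce can be
    pinned so the result is reproducible offline."""
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,  # recorded with the session, so name the operator
        "DurationSeconds": str(duration_seconds),
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or secrets.token_hex(16),  # replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime(TIME_FMT),
    }
    params["Signature"] = sign(access_key_secret, string_to_sign("GET", params))
    return params


def parse_credentials(body: dict) -> dict:
    """Temporary credentials from an AssumeRole response body."""
    cred = body["Credentials"]
    return {k: cred[k] for k in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")}


def assume_role(access_key_id, access_key_secret, role_arn, session_name, duration_seconds=3600):
    """Network call: exchange the RAM user's long-lived AccessKey pair for
    temporary credentials scoped to the role (needs sts:AssumeRole on role_arn)."""
    params = build_assume_role_request(access_key_id, access_key_secret, role_arn,
                                       session_name, duration_seconds)
    url = STS_ENDPOINT + "?" + "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_credentials(json.loads(resp.read()))


def needs_refresh(expiration: str, now: str, skew_seconds: int = 300) -> bool:
    """True once the credentials are within skew_seconds of expiring or already
    expired, so the caller re-runs AssumeRole instead of failing mid-batch."""
    remaining = datetime.strptime(expiration, TIME_FMT) - datetime.strptime(now, TIME_FMT)
    return remaining.total_seconds() <= skew_seconds


def with_sts_credentials(params: dict, creds: dict) -> dict:
    """Sign an RPC-style call with the temporary credentials: the temporary
    AccessKey ID and secret sign the request and the SecurityToken travels as a
    parameter. The service rejects the token once it has expired."""
    signed = {k: v for k, v in params.items() if k != "Signature"}
    signed["AccessKeyId"] = creds["AccessKeyId"]
    signed["SecurityToken"] = creds["SecurityToken"]
    signed["Signature"] = sign(creds["AccessKeySecret"], string_to_sign("GET", signed))
    return signed


# Constructed sample of an AssumeRole response; the credential values are not real.
SAMPLE_RESPONSE = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLESECRET",
        "SecurityToken": "EXAMPLETOKEN",
        "Expiration": "2024-01-01T12:00:00Z",
    },
}
```

Keep the RAM user's AccessKey pair out of the code itself (environment variable or a secrets manager) and hold the temporary credentials only in memory: they are the entire authority the role grants, and anyone who obtains them has that authority until Expiration. The EDAS SDK handles the signing of EDAS calls for you; the point of with_sts_credentials() is to show that the temporary AccessKey pair replaces the user's own pair and that the security token must accompany every call.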