Use the Alibaba Cloud account (primary account) of Enterprise A to create a RAM role, grant it permissions, and make Enterprise B the trusted entity of the role. Enterprise B can then use its own Alibaba Cloud account, or a RAM user (sub-account) under that account, to access the Alibaba Cloud resources of Enterprise A.

Background information

Assume that Enterprise A has purchased several types of cloud resources to run its business and needs to authorize Enterprise B to operate part of that business on its behalf. A RAM role is the mechanism for this. A RAM role is a virtual identity that has no fixed credentials of its own (no AccessKey); it can only be used after a trusted real identity assumes it. To meet Enterprise A's requirement, follow these steps:

  1. Enterprise A creates a RAM role whose trusted entity is the Alibaba Cloud account of Enterprise B.
  2. Enterprise A attaches the AliyunEDASFullAccess policy to the RAM role.
  3. Enterprise B creates a RAM user under its own Alibaba Cloud account.
  4. Enterprise B attaches the AliyunSTSAssumeRoleAccess policy to that RAM user.
  5. The RAM user of Enterprise B assumes the role and accesses the resources of Enterprise A through the console or the API.

The Enterprise Distributed Application Service (EDAS) system policies that can be attached to the RAM role include AliyunEDASFullAccess, which grants full EDAS permissions.

Note
  • The role being assumed must have the AliyunEDASFullAccess permission.
  • The RAM user can only assume a role that has the AliyunEDASFullAccess permission and belongs to another Alibaba Cloud account. In other words, the RAM user cannot assume a role under the Alibaba Cloud account to which it belongs. If a RAM user assumes a role of its own Alibaba Cloud account, that RAM user can no longer be used to access EDAS; in this case, switch back from (log off from) the role and access EDAS again.
  • After the RAM user assumes a role with the AliyunEDASFullAccess permission, it holds all EDAS permissions of the Alibaba Cloud account that owns the role. The role should therefore only trust the account that actually needs this access.

Step 1: Create a RAM role for Enterprise A

First, use the Alibaba Cloud account (primary account) of Enterprise A to log on to the RAM console and create a RAM role.

  1. Log on to the RAM console. In the left-side navigation pane, choose RAM role management, and on the RAM role management page click Create a RAM role.
  2. In the Create a RAM role panel, perform the following operations and then click Completed.
    1. In Select a type of trusted entity, select Alibaba Cloud account and click Next.
    2. In the Role name text box, enter the name of the RAM role.
      Note A RAM role name can contain English letters, digits, and hyphens (-). It cannot exceed 64 characters in length.
    3. In Select an Alibaba Cloud account, select Other Alibaba Cloud accounts and enter the Alibaba Cloud account ID of Enterprise B in the text box. Only this account (and, through it, Enterprise B's RAM users that are allowed to call AssumeRole) will be able to assume the role.

Step 2: Enterprise A grants permissions to the RAM role

A newly created role has no permissions. Enterprise A must therefore attach a policy to the role.

  1. In the RAM console, in the left-side navigation pane, choose RAM role management.
  2. On the RAM role management page, find the target role and click Add permissions in the Operation column.
  3. In the Add permissions panel, in the Select permissions area, search for the policy by keyword (here AliyunEDASFullAccess), click the policy to add it to the Selected list on the right, and click OK.
    Note For the permissions that can be added, see the background information above.
  4. In the Authorization result step of Add permissions, review the authorization summary and click Completed.
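Steps 1 and 2 above are performed in the console; the following added example (not part of the original page or of any Alibaba Cloud SDK) shows the trust policy document that the console choice "Other Alibaba Cloud accounts" produces, the role ARN that Enterprise B will later pass to AssumeRole, and an audit function that checks a trust policy trusts exactly the intended account and nothing else. The account IDs and the role name are constructed placeholders.

```python
import json
import re

# Constructed placeholder IDs and names (not from the page). Alibaba Cloud account IDs
# are 16-digit numbers; a role name is up to 64 characters of letters, digits and hyphens.
ENTERPRISE_A_ACCOUNT_ID = "1234567890123456"   # Enterprise A owns the resources and the role
ENTERPRISE_B_ACCOUNT_ID = "6543210987654321"   # Enterprise B is the trusted entity
ROLE_NAME = "edas-operator-for-b"              # hypothetical role name


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role in the given account; Enterprise B passes this to sts:AssumeRole."""
    return f"acs:ram::{account_id}:role/{role_name}"


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy equivalent to choosing 'Alibaba Cloud account' -> 'Other Alibaba Cloud
    accounts' in the console: only the named account (and, through it, its RAM users that
    hold AliyunSTSAssumeRoleAccess) may call sts:AssumeRole on this role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
        "Version": "1",
    }


_RAM_ROOT = re.compile(r"^acs:ram::(\d{16}):root$")


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trusted_principals(policy: dict) -> set:
    """All RAM principals that some Allow statement lets call sts:AssumeRole."""
    principals = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals.update(_as_list(stmt.get("Principal", {}).get("RAM")))
    return principals


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Problems with a role's trust policy; empty when exactly the expected account is trusted.
    Flags the mistakes that matter here: trusting an account other than Enterprise B
    (including Enterprise A itself, whose own RAM users cannot use the role for EDAS anyway),
    and principals that are not a plain account root, such as a wildcard."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    trusted = trusted_principals(policy)
    if not trusted:
        problems.append("no Allow statement grants sts:AssumeRole to any RAM principal")
    for principal in sorted(trusted):
        match = _RAM_ROOT.match(principal)
        if match is None:
            problems.append(f"unrecognized or wildcard principal {principal!r}")
        elif match.group(1) != expected_account_id:
            problems.append(f"unexpected trusted account {match.group(1)}")
    return problems


if __name__ == "__main__":
    policy = trust_policy(ENTERPRISE_B_ACCOUNT_ID)
    print("Role ARN for Enterprise B to assume:", role_arn(ENTERPRISE_A_ACCOUNT_ID, ROLE_NAME))
    print(json.dumps(policy, indent=2))
    print("audit:", audit_trust_policy(policy, ENTERPRISE_B_ACCOUNT_ID) or "ok")
```

The trust policy controls who may assume the role; the permissions the role carries (here AliyunEDASFullAccess) are attached separately in Step 2, so both documents should be reviewed: a correct permission policy on a role with an over-broad trust policy hands full EDAS access to whoever the trust policy admits.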

Step 3: Create a RAM user for enterprise B

Next, use the Alibaba Cloud account (primary account) of Enterprise B to log on to the RAM console and create a RAM user.

  1. Log on to the RAM console. In the left-side navigation pane, choose Personnel Management > User, and on the User page click Create a user.
  2. On the Create a user page, in the User account information area, enter the Logon name and Display name.
    Note The logon name can contain English letters, digits, periods (.), underscores (_), and hyphens (-). It cannot exceed 128 characters in length. The display name cannot exceed 24 characters.
  3. (Optional) To create multiple users at a time, click Add a user and repeat the previous step.
  4. In the Access method area, select Console password logon or Programmatic access, and click OK.
    Note Select only one access mode for each user to reduce its exposure: a user that only calls APIs does not need a console password, and a user that only works in the console does not need an AccessKey.
    • If you select Console password logon, complete the further settings: automatically generate the default password or set a custom logon password, choose whether to require a password reset at the next logon, and choose whether to enable MFA (multi-factor authentication).
    • If you select Programmatic access, RAM automatically creates an AccessKey (API access key) for the RAM user.
      Notice For security reasons, the RAM console lets you view or download the AccessKeySecret only once, when the AccessKey is created. Record the AccessKeySecret in a secure place; if it is lost, the AccessKey must be replaced.
  5. In the Mobile phone verification dialog box, click Get verification code, enter the verification code you received, and click OK.
    The created RAM user is displayed on the User page.

Step 4: Grant permissions to RAM users

Enterprise B must attach the AliyunSTSAssumeRoleAccess policy to the RAM user under its Alibaba Cloud account. Only then can the RAM user call AssumeRole on the RAM role created by Enterprise A.

  1. In the RAM console, in the left-side navigation pane, choose Personnel Management > User.
  2. On the User page, find the user to authorize and click Add permissions in the Operation column.
  3. In the Add permissions panel, in the Select permissions area, search for AliyunSTSAssumeRoleAccess by keyword, click the policy to add it to the Selected list, and click OK.
  4. In the Authorization result step of Add permissions, review the authorization summary and click Completed.

Subsequent steps

After completing the preceding operations, the RAM user of Enterprise B can access the cloud resources of Enterprise A from the console or by calling APIs, as follows.

  • Log on to the console to access the cloud resources of Enterprise A.
    1. Open the RAM user logon portal in a browser: https://signin.aliyun.com/login.htm.
    2. On the RAM user logon page, enter the RAM user logon name and click Next, then enter the RAM user password and click Log on.
      Note The RAM user logon name has the format <sub-user name>@<default domain name> or <sub-user name>@<enterprise alias>, for example username@company-alias.onaliyun.com or username@company-alias.
    3. In the sub-user User Center, move the pointer to the profile picture in the upper-right corner and click Identity switching.
    4. In the Alibaba Cloud role switching dialog box, enter the Enterprise alias or Default domain name of Enterprise A and the Role name, and click Switch.
    5. Perform operations on the Alibaba Cloud resources of Enterprise A.
  • Use the RAM user of Enterprise B to access the cloud resources of Enterprise A through APIs.

    To access the cloud resources of Enterprise A through APIs, the code must first call STS AssumeRole with the RAM user's own AccessKey to obtain temporary credentials, and then sign every request with all three values that STS returns: the temporary AccessKeyId, the temporary AccessKeySecret, and the SecurityToken (temporary security token). The RAM user's long-lived AccessKey is used only for the AssumeRole call itself. For more information about how to use STS to obtain a temporary security token, see Getting started with STS.
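The API flow described above, as an added example that is not part of the original page: Enterprise B's RAM user calls STS AssumeRole, the response is parsed into the three temporary credential values plus their expiration, and a client for Enterprise A's resources is built from them. The role ARN, region, session name and the sample STS response are constructed placeholders. The live calls use the Alibaba Cloud Python SDK (packages aliyun-python-sdk-core and aliyun-python-sdk-sts, assumed installed) and are kept in separate functions so that the parsing and expiry logic runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical values (not from the page): the role Enterprise A created, and an EDAS region.
ROLE_ARN = "acs:ram::1234567890123456:role/edas-operator-for-b"
REGION_ID = "cn-hangzhou"


def parse_utc(timestamp: str) -> datetime:
    """STS returns Expiration as an ISO 8601 UTC timestamp, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class TemporaryCredentials:
    """The three values every API call on Enterprise A's resources must carry, plus expiry."""

    def __init__(self, access_key_id, access_key_secret, security_token, expiration):
        self.access_key_id = access_key_id
        self.access_key_secret = access_key_secret
        self.security_token = security_token
        self.expiration = expiration  # timezone-aware UTC datetime

    def expires_within(self, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
        """True when the credentials are expired or expire within `skew`: call AssumeRole again."""
        return now + skew >= self.expiration


def parse_assume_role_response(body) -> TemporaryCredentials:
    """Parse the JSON body returned by STS AssumeRole (bytes or str)."""
    if isinstance(body, (bytes, bytearray)):
        body = body.decode("utf-8")
    creds = json.loads(body)["Credentials"]
    return TemporaryCredentials(creds["AccessKeyId"], creds["AccessKeySecret"],
                                creds["SecurityToken"], parse_utc(creds["Expiration"]))


def assume_role(ram_user_ak_id, ram_user_ak_secret, role_arn=ROLE_ARN,
                session_name="edas-ops", duration_seconds=3600, region_id=REGION_ID):
    """Live call. The caller is Enterprise B's RAM user, which must hold AliyunSTSAssumeRoleAccess;
    its long-lived AccessKey is used only here. Imports are local so the rest runs offline."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdksts.request.v20150401.AssumeRoleRequest import AssumeRoleRequest

    request = AssumeRoleRequest()
    request.set_RoleArn(role_arn)
    request.set_RoleSessionName(session_name)   # recorded in Enterprise A's audit trail
    request.set_DurationSeconds(duration_seconds)
    client = AcsClient(ram_user_ak_id, ram_user_ak_secret, region_id)
    return parse_assume_role_response(client.do_action_with_exception(request))


def client_for_role(creds: TemporaryCredentials, region_id=REGION_ID):
    """Live client that signs EDAS (or other) API calls with the temporary credentials.
    All three values are required; the RAM user's own AccessKey must not be used here."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.auth.credentials import StsTokenCredential

    credential = StsTokenCredential(creds.access_key_id, creds.access_key_secret, creds.security_token)
    return AcsClient(region_id=region_id, credential=credential)


# Constructed sample AssumeRole response (field names as STS returns them; values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {"Arn": ROLE_ARN + "/edas-ops", "AssumedRoleId": "000000000000000000:edas-ops"},
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLEKEYSECRET",
        "SecurityToken": "EXAMPLESECURITYTOKEN",
        "Expiration": "2024-01-01T12:00:00Z",
    },
})


if __name__ == "__main__":
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    print("temporary AccessKeyId:", creds.access_key_id, "expires:", creds.expiration.isoformat())
    print("refresh needed at 11:56Z:", creds.expires_within(parse_utc("2024-01-01T11:56:00Z")))
```

Cache the credentials for their lifetime and refresh them shortly before expiration rather than calling AssumeRole per request; do not persist the SecurityToken alongside the RAM user's own AccessKey, since either one alone is sufficient for an attacker to reach Enterprise A's EDAS resources while it is valid.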