Use the Alibaba Cloud account (primary account) of Enterprise A to create a RAM role, grant it permissions, and trust the Alibaba Cloud account of Enterprise B. Enterprise B can then use its own Alibaba Cloud account or a RAM user (sub-account) under that account to assume the role and access the Alibaba Cloud resources of Enterprise A.

Background information

Assume that Enterprise A purchases multiple types of cloud resources to run its business and needs to authorize Enterprise B to carry out part of that business on its behalf. A RAM role is the mechanism for this. A RAM role is a virtual identity that has no logon password or AccessKey pair of its own; it can be used only after a trusted real identity (in this topic, a RAM user of Enterprise B) assumes it and receives temporary credentials. To meet the needs of Enterprise A, follow these steps:

  1. Enterprise A creates a RAM role that trusts the Alibaba Cloud account of Enterprise B.
  2. Enterprise A attaches the AliyunEDASFullAccess permission policy to the RAM role.
  3. Enterprise B creates a RAM user.
  4. Enterprise B attaches the AliyunSTSAssumeRoleAccess permission policy to the RAM user.
  5. The RAM user of Enterprise B assumes the RAM role and accesses the resources of Enterprise A through the console or API.

In this topic, the AliyunEDASFullAccess permission policy is attached to the RAM role. This system policy grants full permissions on Enterprise Distributed Application Service (EDAS). If Enterprise B needs only a subset of EDAS operations, attach a custom policy that grants only those operations instead.

Note
  • The role to be assumed must be attached with the AliyunEDASFullAccess permission policy (or a custom policy that grants the EDAS permissions that Enterprise B needs).
  • A RAM user can assume a RAM role that belongs to a different Alibaba Cloud account, provided that the role trusts the account of the RAM user and the RAM user is allowed to call sts:AssumeRole. In this topic, the RAM user of Enterprise B assumes the RAM role that Enterprise A created and attached with the AliyunEDASFullAccess permission policy. If the RAM user assumes a role that is not attached with this policy, the RAM user cannot access EDAS. In this case, you must log off from that role (switch back to the original identity) first and then assume the correct role.
  • After the RAM user assumes the role, the RAM user has the same permissions on EDAS as the Alibaba Cloud account of Enterprise A for as long as the temporary credentials are valid. Trust only the accounts that need this access.

Step 1: Enterprise A creates a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and then create a RAM role.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise A.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.
  5. In the Configure Role step, enter a role name in the RAM Role Name field.
    Note The RAM role name can be up to 64 characters in length and can contain letters, digits, and hyphens (-).
  6. In the Select Trusted Alibaba Cloud Account section of the Configure Role tab, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account of Enterprise B in the text box. Check the ID carefully: this ID becomes the trusted principal of the role, and any RAM user in that account that is allowed to call sts:AssumeRole can then assume it.
  7. Click OK.
  8. Click Close.
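Selecting Other Alibaba Cloud Account in step 6 produces a trust policy on the role of the following shape. This is an added illustration, not text from the original page; 1234567890123456 is a placeholder for the Alibaba Cloud account ID of Enterprise B. The principal is the root of that account, so the trust policy alone does not pick out a particular RAM user of Enterprise B; which users may actually assume the role is controlled on Enterprise B's side by the sts:AssumeRole permission granted in Step 4.

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::1234567890123456:root"
        ]
      }
    }
  ],
  "Version": "1"
}
```

You can review the generated trust policy on the details page of the role in the RAM console. If the account ID in the Principal list is not the account ID of Enterprise B, the wrong account has been trusted and the policy must be corrected before Step 2.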

Step 2: Enterprise A grants permissions to the RAM role

The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise A.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM role.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user or RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify another RAM user or RAM role.
    3. In the Select Policy section, click System Policy, enter AliyunEDASFullAccess in the search box, click the policy to add it to the Selected list on the right side of the section, and then click OK.
      Note If Enterprise B needs only some EDAS operations, click Custom Policy instead and select a custom policy that grants only those operations. The system policy used in this topic is described in the overview section.
  5. In the next page of the Add Permissions panel, check the summary of the authorization information and click Complete.

Step 3: Enterprise B creates a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and then create a RAM user.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise B.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Tag (optional): Click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user and manage the RAM user based on the tags.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select Console Access or Open API Access, and then click OK.
    Note For security purposes, select only one access mode.
    • If you select Console Access, complete further settings. For example, select Automatically Generate Default Password or Custom Logon Password for Console Password, Required at Next Logon or Not Required for Password Reset, and Required to Enable MFA or Not Required for Multi-factor Authentication.
    • If you select Open API Access, RAM automatically generates an AccessKey pair for the RAM user. Then, the RAM user can access resources by calling API operations.
      Important For security reasons, the RAM console allows you to view or download an AccessKey secret only once, when the AccessKey pair is created. Store the AccessKey secret in a secure location at that time and keep it strictly confidential. If the secret is lost, it cannot be retrieved; create a new AccessKey pair and disable the old one.
  6. In the Safety Verification dialog box, click Get code, enter the verification code that is sent to your mobile phone, and then click Submit.
    The RAM user that you create appears on the Users page.

Step 4: Enterprise B grants permissions to the RAM user

Enterprise B must attach the AliyunSTSAssumeRoleAccess permission policy to the RAM user that was created in Step 3. This system policy allows the RAM user to call sts:AssumeRole, so the RAM user can assume the RAM role that Enterprise A created. The system policy allows sts:AssumeRole on any role; if the RAM user should be able to assume only the role of Enterprise A, attach a custom policy that names that role as the resource instead.

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise B.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, set Authorized Scope. In the Select Policy section, enter a keyword in the search box to search for the AliyunSTSAssumeRoleAccess permission policy. Click the policy to add it to the Selected list on the right side, and then click OK.
  5. In the Add Permissions panel, view the summary of the authorization information in the Authorization Result section and click Complete.
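AliyunSTSAssumeRoleAccess allows sts:AssumeRole with Resource "*", that is, on every role that trusts Enterprise B, which is more than this scenario needs. The following custom policy, added here as an example and not part of the original page, limits the RAM user of Enterprise B to the one role created in Step 1. The account ID 1234567890123457 stands in for the Alibaba Cloud account ID of Enterprise A and edas-operator for the name of that role; replace both with the real values.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::1234567890123457:role/edas-operator"
    }
  ]
}
```

Create it as a custom policy in the RAM console of Enterprise B, then select it under Custom Policy in step 4 in place of AliyunSTSAssumeRoleAccess. With this policy the RAM user still cannot touch any resource in the account of Enterprise B; its only permission is to become the EDAS role of Enterprise A.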

What to do next

After the preceding operations are complete, the RAM user of Enterprise B can log on to the console or call API operations to access the cloud resources of Enterprise A. To access the cloud resources of Enterprise A, perform the following operations:

  • Log on to the console to access the cloud resources of Enterprise A.
    1. Open the RAM User Logon page in your browser.
    2. On the RAM User Logon page, enter the logon name of the RAM user, and then click Next. Enter the password, and then click Log On.
      Note The format of the logon name of a RAM user is <username>@<default domain name> or <username>@<enterprise alias>. For example, the logon name of a RAM user can be username@company-alias.onaliyun.com or username@company-alias.
    3. On the homepage of the console, move the pointer over the user avatar in the upper-right corner and click Switch Identity.
    4. On the Alibaba Cloud - Switch Role page, specify Enterprise Alias, Default Domain Name, or Root Account UID of Enterprise A, specify Role Name, and then click Submit.
    5. Manage the Alibaba Cloud resources of Enterprise A.
  • Access the cloud resources of Enterprise A by calling API operations with the RAM user of Enterprise B.

    To access the cloud resources of Enterprise A by calling API operations with the RAM user of Enterprise B, the code first uses the AccessKey pair of the RAM user to call the STS AssumeRole operation with the ARN of the role that Enterprise A created. STS returns a temporary AccessKey ID, AccessKey secret, and security token, and every subsequent API call to the resources of Enterprise A must be signed with these three values. The temporary credentials expire after the requested duration, so the code must obtain new ones before they expire. Do not call EDAS with the long-term AccessKey pair of the RAM user directly; that pair has no permissions on the resources of Enterprise A.
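The API path described above, as an added example that is not code from the original page or from Alibaba Cloud: a credential provider that signs the STS AssumeRole call with the RAM user's long-term AccessKey pair, caches the temporary credentials that STS returns, refreshes them shortly before they expire, and signs later calls with the temporary AccessKey pair plus the SecurityToken parameter. The signature scheme is the documented RPC-style OpenAPI scheme (HMAC-SHA1 over the canonicalized query string, with "&" appended to the secret). The STS endpoint is replaced by a constructed stand-in so the file runs offline; the account ID, role name, session name and all secrets are placeholders.

```python
"""Cross-account API access as Enterprise B's RAM user: AssumeRole, then call
services in Enterprise A's account with the temporary credentials.
Added example; IDs, secrets and the fake STS endpoint are constructed."""
import base64
import calendar
import hashlib
import hmac
import time
import urllib.parse
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACCOUNT_ID_A = "1234567890123457"                      # placeholder account ID of Enterprise A
ROLE_ARN = f"acs:ram::{ACCOUNT_ID_A}:role/edas-operator"  # placeholder role from Step 1
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                        # OpenAPI timestamp format (UTC)


def percent_encode(value: str) -> str:
    """OpenAPI percent-encoding: RFC 3986 unreserved characters and '~' stay, all else escaped."""
    return urllib.parse.quote(value, safe="~")


def string_to_sign(method: str, params: Dict[str, str]) -> str:
    """METHOD & percentEncode("/") & percentEncode(query sorted by parameter name)."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def _signature(method: str, params: Dict[str, str], secret: str) -> str:
    mac = hmac.new((secret + "&").encode(), string_to_sign(method, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method: str, params: Dict[str, str], access_key_id: str,
                 access_key_secret: str, security_token: Optional[str] = None) -> Dict[str, str]:
    """Add the common parameters and Signature. Temporary credentials must also carry SecurityToken."""
    query = dict(params)
    query.update({"Format": "JSON", "AccessKeyId": access_key_id, "SignatureMethod": "HMAC-SHA1",
                  "SignatureVersion": "1.0", "SignatureNonce": str(uuid.uuid4()),
                  "Timestamp": time.strftime(TIME_FMT, time.gmtime())})
    if security_token:
        query["SecurityToken"] = security_token
    query["Signature"] = _signature(method, query, access_key_secret)
    return query


def verify_signature(method: str, query: Dict[str, str], secret: str) -> bool:
    """What the service does: recompute the signature over every parameter except Signature."""
    unsigned = {k: v for k, v in query.items() if k != "Signature"}
    return hmac.compare_digest(_signature(method, unsigned, secret), query.get("Signature", ""))


@dataclass
class TemporaryCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: float  # epoch seconds, parsed from the Expiration field of the STS response

    def expired(self, now: float, skew: float = 60.0) -> bool:
        """Retire the credentials `skew` seconds early so calls already in flight do not fail."""
        return now + skew >= self.expiration


class AssumeRoleProvider:
    """Holds the RAM user's long-term AccessKey pair and exchanges it for role credentials.
    `call_sts` posts the signed query to STS and returns the parsed JSON; it is injected here."""

    def __init__(self, access_key_id: str, access_key_secret: str, role_arn: str, session_name: str,
                 call_sts: Callable[[Dict[str, str]], Dict], duration_seconds: int = 3600,
                 clock: Callable[[], float] = time.time):
        self.ak_id, self.ak_secret, self.role_arn, self.session_name = access_key_id, access_key_secret, role_arn, session_name
        self.call_sts, self.duration, self.clock = call_sts, duration_seconds, clock
        self._cached: Optional[TemporaryCredentials] = None
        self.sts_calls = 0

    def get_credentials(self) -> TemporaryCredentials:
        if self._cached is None or self._cached.expired(self.clock()):
            query = sign_request("POST", {"Action": "AssumeRole", "Version": "2015-04-01", "RoleArn": self.role_arn,
                                          "RoleSessionName": self.session_name,
                                          "DurationSeconds": str(self.duration)}, self.ak_id, self.ak_secret)
            c = self.call_sts(query)["Credentials"]
            self.sts_calls += 1
            exp = calendar.timegm(time.strptime(c["Expiration"], TIME_FMT))
            self._cached = TemporaryCredentials(c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"], exp)
        return self._cached

    def sign_with_role(self, method: str, params: Dict[str, str]) -> Dict[str, str]:
        """Sign a call to a service in Enterprise A's account as the assumed role."""
        c = self.get_credentials()
        return sign_request(method, params, c.access_key_id, c.access_key_secret, c.security_token)


def make_fake_sts(clock: Callable[[], float], user_secret: str) -> Callable[[Dict[str, str]], Dict]:
    """Constructed stand-in for the STS AssumeRole endpoint: checks the signature and
    the role ARN, then issues credentials that last DurationSeconds. No network."""
    def call(query: Dict[str, str]) -> Dict:
        if not verify_signature("POST", query, user_secret) or query.get("RoleArn") != ROLE_ARN:
            raise PermissionError("AssumeRole denied")
        exp = clock() + int(query["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "STS.constructed-id", "AccessKeySecret": "constructed-sts-secret",
                                "SecurityToken": "constructed-security-token",
                                "Expiration": time.strftime(TIME_FMT, time.gmtime(exp))}}
    return call


if __name__ == "__main__":
    now = [1_700_000_000.0]                                   # controllable clock for the demo
    sts = make_fake_sts(lambda: now[0], "constructed-user-secret")
    provider = AssumeRoleProvider("LTAI-constructed", "constructed-user-secret", ROLE_ARN, "edas-ops",
                                  sts, clock=lambda: now[0])
    provider.sign_with_role("POST", {"Action": "ExampleAction"})   # first call: AssumeRole
    provider.sign_with_role("POST", {"Action": "ExampleAction"})   # cached credentials reused
    now[0] += 3600 - 30                                             # inside the skew window
    q = provider.sign_with_role("POST", {"Action": "ExampleAction"})  # refreshed before expiry
    print("STS calls:", provider.sts_calls, "token sent:", q["SecurityToken"])
```

The long-term AccessKey pair is used for exactly one thing, the AssumeRole request; everything sent to Enterprise A's services is signed with the short-lived key and carries the security token. Refreshing a minute before the Expiration value rather than at it avoids a failed call whose signature was valid when computed but expired in transit.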