IoT Platform:Manage permissions by using STS

Last Updated:Apr 21, 2023

Security Token Service (STS) lets you grant RAM users temporary, narrowly scoped access to resources instead of permanent permissions. Compared with a plain Resource Access Management (RAM) grant, the procedure has more steps: you create a RAM role, attach a policy to it, allow a specific RAM user to assume the role, and then exchange that user's AccessKey pair for short-lived credentials.

Background information

A RAM user and the permissions granted to the RAM user remain valid until you manually delete the user or revoke the permissions. If the AccessKey pair of a RAM user is leaked and you do not delete the RAM user or revoke the permissions in time, your Alibaba Cloud resources and data are exposed. Therefore, we recommend that you use STS for sensitive permissions and for permissions that are only needed for a limited time: STS issues credentials that expire on their own and that can be restricted to a subset of a role's permissions.

Figure 1. Procedure for granting temporary permissions to a RAM user

Step 1: Create a RAM role

A RAM role is a virtual entity that has a set of permissions.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.
  5. Configure parameters for the RAM role.
    1. Specify RAM Role Name.
    2. Optional:Specify Note.
    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account.
      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of that account. Use this option for cross-account authorization.
        Note You can view the ID of an Alibaba Cloud account on the Security Settings page.
  6. Click OK.
  7. Click Close.

Step 2: Create a RAM policy

A RAM policy defines the permissions that you want to grant to roles for resource access.

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information.
    For more information about the syntax and structure of policies, see Policy structure and syntax.

    The following sample code shows a policy that defines read-only permissions on the resources of IoT Platform. The iot statement uses prefix wildcards, so it also covers Query, List, Get and BatchGet operations that are added to IoT Platform later; the statements for the other services (RDS, RAM, MNS, DataHub, Tablestore and Log Service) grant only Describe, List and Get operations:

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "rds:DescribeDBInstances",
                    "rds:DescribeDatabases",
                    "rds:DescribeAccounts",
                    "rds:DescribeDBInstanceNetInfo"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":"ram:ListRoles",
                "Effect":"Allow",
                "Resource":"*"
            },
            {
                "Action":[
                    "mns:ListTopic"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "dhs:ListProject",
                    "dhs:ListTopic",
                    "dhs:GetTopic"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "ots:ListInstance",
                    "ots:ListTable",
                    "ots:DescribeTable"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "log:ListShards",
                    "log:ListLogStores",
                    "log:ListProject"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Effect":"Allow",
                "Action":[
                    "iot:Query*",
                    "iot:List*",
                    "iot:Get*",
                    "iot:BatchGet*"
                ],
                "Resource":"*"
            }
        ]
    }

    The following sample code shows a policy that defines read and write permissions on the resources of IoT Platform. Note that iot:* covers every IoT Platform operation, including the deletion of products and devices; the statements for the other services are unchanged and remain read-only:

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "rds:DescribeDBInstances",
                    "rds:DescribeDatabases",
                    "rds:DescribeAccounts",
                    "rds:DescribeDBInstanceNetInfo"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":"ram:ListRoles",
                "Effect":"Allow",
                "Resource":"*"
            },
            {
                "Action":[
                    "mns:ListTopic"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "dhs:ListProject",
                    "dhs:ListTopic",
                    "dhs:GetTopic"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "ots:ListInstance",
                    "ots:ListTable",
                    "ots:DescribeTable"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "log:ListShards",
                    "log:ListLogStores",
                    "log:ListProject"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Effect":"Allow",
                "Action":"iot:*",
                "Resource":"*"
            }
        ]
    }
  6. Specify the Name and Description fields.
  7. Click OK.

After a policy is created, you can attach the policy to a RAM role. This way, the permissions that are defined in this policy are granted to the RAM role.

Step 3: Authorize a RAM role

Only authorized RAM roles can access resources. To authorize a single RAM role, you can click Add Permissions in the Actions column of the RAM role on the Roles page in the RAM console. For more information, see Grant permissions to a RAM role. To authorize multiple RAM roles at a time, perform the following steps:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Grant Permissions panel, grant permissions to the RAM role.
    1. Set the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM role to which permissions are granted.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

After you authorize RAM roles, you can grant a RAM user the permissions required to assume RAM roles.

Step 4: Grant a RAM user the permissions to assume a RAM role

After a policy is attached to a RAM role, the RAM role holds the permissions that are defined in the policy. However, a RAM role is only a virtual identity: its permissions can be exercised only after the role is assumed by a RAM user. If every RAM user could assume the RAM role, the role would add nothing to security. Therefore, only RAM users that are explicitly authorized to do so can assume a RAM role.

To authorize a RAM user to assume a RAM role, create a custom policy that allows the sts:AssumeRole action and sets the Resource element to the ARN of the RAM role. Then attach this policy to the RAM user.

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy document and click Next to edit policy information.
    Note In the policy statement, set the value of the Resource element to the Alibaba Cloud Resource Name (ARN) of a RAM role. To view the ARN of a RAM role, go to the Roles page and click the name of the RAM role. You can view the ARN of the RAM role in the Basic Information section.

    Example (the ARN has the format acs:ram::<Alibaba Cloud account ID>:role/<RAM role name>, as in the request example in Step 5):

    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":"sts:AssumeRole",
                "Resource":"ARN of a RAM role"
            }
        ]
    }
  6. Specify the Name and Description fields.
  7. Click OK.
  8. After the policy is created, return to the RAM console homepage.
    1. In the left-side navigation pane, choose Identities > Users.
    2. In the list of RAM users, select the RAM user that you want to authorize and click Add Permissions below the list of RAM users.
    3. In the Add Permissions panel, select the created policy and click OK.

After authorization is complete, the RAM user obtains the permissions to assume a specific RAM role. Then, you can use STS to obtain the temporary identity credentials that are required to access resources.

Step 5: Obtain temporary identity credentials for a RAM user

Authorized RAM users can call the STS API operations or use STS SDKs to obtain the temporary identity credentials. The temporary identity credentials include an AccessKey ID, AccessKey secret, and security token. For more information about the STS API and STS SDKs, see STS API reference and STS SDK reference.

The following parameters are required when you use the STS API or SDK to obtain temporary identity credentials:

  • RoleArn: the ARN of the RAM role that the RAM user wants to assume.
  • RoleSessionName: a custom name for the session. Choose a value that identifies the user or job that assumes the role, so that operations performed with the temporary credentials can be traced back to it.
  • Policy: an optional policy that further restricts the temporary credentials. The effective permissions of the session are the intersection of the permissions of the RAM role and this policy; the parameter can only narrow the role's permissions, never extend them. If you omit this parameter, the credentials carry all permissions of the RAM role.
  • DurationSeconds: the validity period of the temporary credentials, in seconds. The default value is 3600, and the value ranges from 900 to 3600. Use the shortest period that covers the task.
  • id and secret: the AccessKey ID and AccessKey secret of the RAM user that assumes the RAM role. They are used only to sign the AssumeRole request; the temporary credentials that are returned are separate from them.
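The Policy parameter above can only narrow what the role already allows. The following Python script, added here as an example and not Alibaba Cloud's policy engine, models that evaluation offline: the default is deny, an explicit Deny overrides any Allow, '*' is a wildcard in Action and Resource, and a session created with the Policy parameter gets the intersection of the role's policies and the session policy. It also checks the Step 4 policy that lets a RAM user call sts:AssumeRole on exactly one role ARN. The account ID, role name and policy documents in it are constructed placeholders modelled on this page; Condition elements of real policies are not modelled.

```python
"""Offline model of RAM/STS policy evaluation (added example, not Alibaba Cloud code).

Rules modelled: default deny; an explicit Deny overrides any Allow; '*' is a
wildcard in Action and Resource; an STS session created with the optional
Policy parameter is limited to the intersection of the role's policies and
that session policy. Condition elements are not modelled.
"""
import re

# Constructed placeholders modelled on the page (not real identifiers).
ACCOUNT_ID = "1234567890123456"
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/iotstsrole"

# Policy attached to the RAM role (Step 3): full IoT Platform access plus
# read-only RDS operations, as in the page's read/write sample policy.
ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["rds:DescribeDBInstances", "rds:DescribeDatabases"], "Resource": "*"},
    ],
}

# Policy that lets a RAM user assume exactly this role (Step 4).
ASSUME_ROLE_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}

# Session policy passed in the AssumeRole Policy parameter (Step 5): read-only IoT Platform.
READ_ONLY_SESSION_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"], "Resource": "*"}],
}

# A session policy that tries to grant more than the role has; the extra grant is never honoured.
OVERREACHING_SESSION_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["iot:*", "rds:DeleteDBInstance"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Match a RAM Action/Resource pattern in which '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def evaluate(policies, action, resource="*"):
    """True if the union of `policies` allows `action` on `resource` (Deny wins, default deny)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            allowed = True
    return allowed


def session_allows(role_policies, action, resource="*", session_policy=None):
    """Effective permission of an STS session: the role's policies intersected with the session policy."""
    if not evaluate(role_policies, action, resource):
        return False  # the session policy cannot add what the role lacks
    if session_policy is None:
        return True  # no Policy parameter: the session carries every permission of the role
    return evaluate([session_policy], action, resource)


def can_assume(user_policies, role_arn):
    """Whether a RAM user holding `user_policies` may call AssumeRole on `role_arn` (Step 4)."""
    return evaluate(user_policies, "sts:AssumeRole", role_arn)


if __name__ == "__main__":
    for action in ("iot:QueryProduct", "iot:DeleteDevice", "rds:DescribeDBInstances", "rds:DeleteDBInstance"):
        print(f"{action:26} role only: {session_allows([ROLE_POLICY], action)!s:5} "
              f"read-only session: {session_allows([ROLE_POLICY], action, session_policy=READ_ONLY_SESSION_POLICY)}")
    print("user may assume role:", can_assume([ASSUME_ROLE_POLICY], ROLE_ARN))
```

Running the script shows that iot:DeleteDevice is allowed by the role alone but refused in the read-only session, and that OVERREACHING_SESSION_POLICY neither gains rds:DeleteDBInstance nor keeps rds:DescribeDBInstances, because the session policy is intersected with the role rather than added to it.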

The following examples show how to obtain temporary identity credentials.

Example of using the API: The RAM user calls the AssumeRole operation of STS to obtain the temporary identity credentials. The request must be signed with the RAM user's AccessKey pair; the signature and the other common request parameters are omitted here.

https://sts.aliyuncs.com?Action=AssumeRole
&RoleArn=acs:ram::1234567890123456:role/iotstsrole
&RoleSessionName=iotreadonlyrole
&DurationSeconds=3600
&Policy=<url_encoded_policy>
&<Common request parameters>

Example of using the SDK: The RAM user runs the sample sts.py command-line script for STS to obtain the temporary identity credentials. The Policy value in this example grants iot:*, that is, the full IoT Platform permissions of the role; to issue read-only credentials, pass the read-only policy from Step 2 instead.

$python ./sts.py AssumeRole RoleArn=acs:ram::1234567890123456:role/iotstsrole RoleSessionName=iotreadonlyrole Policy='{"Version":"1","Statement":[{"Effect":"Allow","Action":"iot:*","Resource":"*"}]}' DurationSeconds=3600 --id=id --secret=secret

After the request succeeds, the temporary identity credentials are returned in the Credentials object of the response, together with their Expiration time. The credentials include an AccessKey ID, an AccessKey secret, and a security token. All three must be presented together in every request; treat them as secrets and do not log them.
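The URL example above leaves out the common request parameters and the signature. The following Python script, added here as an example and not Alibaba Cloud's SDK or the sample sts.py, fills them in and signs the AssumeRole request with the RPC-style signature method (StringToSign built from the sorted, percent-encoded query; HMAC-SHA1 keyed with the AccessKey secret plus "&"; base64-encoded). It goes slightly beyond the page's request by serializing a session policy into the Policy parameter and building the final URL with the same encoding that was signed. The AccessKey pair, account ID, role name and policy in it are constructed placeholders, not real credentials.

```python
"""Build a signed STS AssumeRole request by hand (added example, not the Alibaba Cloud SDK).

Signing (SignatureVersion 1.0): sort parameters by name, percent-encode each
key and value, build StringToSign = METHOD & %2F & <percent-encoded canonical
query>, HMAC-SHA1 it with AccessKeySecret + "&", and base64-encode the digest.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
import uuid
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com/"
STS_API_VERSION = "2015-04-01"
ROLE_ARN = "acs:ram::1234567890123456:role/iotstsrole"  # constructed placeholder

# Session policy narrowing the role to read-only IoT Platform operations (constructed).
READ_ONLY_SESSION_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["iot:Query*", "iot:List*", "iot:Get*", "iot:BatchGet*"], "Resource": "*"}],
}


def percent_encode(value):
    """RFC 3986 encoding as the signature requires: '*' and '/' encoded, '~' kept, space as %20."""
    return urllib.parse.quote(str(value), safe="~")


def string_to_sign(method, params):
    """Canonicalize the query parameters and build the string that is actually signed."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method, params, access_key_secret):
    """HMAC-SHA1 over StringToSign, keyed with the AccessKey secret plus a trailing '&'."""
    digest = hmac.new((access_key_secret + "&").encode("utf-8"),
                      string_to_sign(method, params).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_assume_role_params(access_key_id, access_key_secret, role_arn, session_name,
                             session_policy=None, duration_seconds=900,
                             timestamp=None, nonce=None):
    """Return the complete, signed parameter set for GET /?Action=AssumeRole.

    `timestamp` and `nonce` can be fixed only to make results reproducible in tests;
    in real use leave them None so every request carries a fresh UTC time and a unique nonce.
    """
    params = {
        "Action": "AssumeRole",
        "Version": STS_API_VERSION,
        "Format": "JSON",
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": str(duration_seconds),
    }
    if session_policy is not None:  # optional: restrict the session to a subset of the role's permissions
        params["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    params["Signature"] = sign("GET", params, access_key_secret)  # Signature is not part of StringToSign
    return params


def assume_role_url(params):
    """Full request URL; every value is percent-encoded exactly as it was when signed."""
    return STS_ENDPOINT + "?" + urllib.parse.urlencode(params, safe="~", quote_via=urllib.parse.quote)


def assume_role(access_key_id, access_key_secret, role_arn, session_name, **kwargs):
    """Send the request and return the parsed JSON (needs network access and valid credentials)."""
    url = assume_role_url(build_assume_role_params(access_key_id, access_key_secret, role_arn, session_name, **kwargs))
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)  # on success: Credentials.{AccessKeyId,AccessKeySecret,SecurityToken,Expiration}


if __name__ == "__main__":
    demo = build_assume_role_params("AKID-placeholder", "placeholder-secret", ROLE_ARN, "iotreadonlyrole",
                                    session_policy=READ_ONLY_SESSION_POLICY)
    print(assume_role_url(demo))  # STS would reject this URL: the credentials are placeholders
```

Only the RAM user's long-term AccessKey secret ever enters the HMAC; the temporary secret and security token come back in the response and are never sent on this request. The same canonicalization and signing routine applies to the IoT Platform calls made afterwards with the temporary credentials, with SecurityToken added as an ordinary query parameter.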

Step 6: Access resources as a RAM user

After a RAM user obtains the temporary identity credentials, the RAM user can pass in the credentials in SDK requests to assume the specific RAM role.

The following sample code shows how a RAM user uses Alibaba Cloud SDK for Java to call IoT Platform with the temporary identity credentials. The RAM user passes the temporary AccessKey ID, AccessKey secret and security token into the client profile, creates the IAcsClient object, and sends an IoT Platform request (QueryProduct is used as an example). The security token must accompany every request, either through the profile as shown or per request with request.putQueryParameter("SecurityToken", securityToken); without it the request is rejected.

    // Imports: com.aliyuncs.DefaultAcsClient, com.aliyuncs.IAcsClient, com.aliyuncs.profile.DefaultProfile,
    //          com.aliyuncs.profile.IClientProfile, com.aliyuncs.iot.model.v20180120.QueryProductRequest and QueryProductResponse
    // accessKeyId, accessKeySecret and securityToken are the temporary credentials returned by AssumeRole in Step 5.
    IClientProfile profile = DefaultProfile.getProfile("cn-hangzhou", accessKeyId, accessKeySecret, securityToken);
    IAcsClient client = new DefaultAcsClient(profile);
    QueryProductRequest request = new QueryProductRequest();   // any IoT Platform request the role permits
    request.setProductKey(productKey);                          // productKey: the product to query
    QueryProductResponse response = client.getAcsResponse(request);