
Create and authorize RAM user role

Last Updated: Dec 25, 2018

This topic explains how to call OpenAPI across accounts by taking advantage of RAM user roles.

About this task

A RAM user role is a virtual user without a fixed AccessKey for authentication. It must be assumed by a trusted real user, such as an Alibaba Cloud account, a RAM user account, or a cloud service account. After assuming the role, the real user receives a temporary security token for that RAM user role and can use the token to access the authorized resources in the role's name.

To grant a trusted real user permission to call the ARMS OpenAPI, and to allow its subordinate RAM users to operate on the ARMS OpenAPI through the role, follow these steps.


Procedure

A. Create a user role and specify a trusted cloud account

  1. In the left-side navigation pane of the RAM console, choose Roles. The Role Management page is displayed.
  2. Click Create Role in the upper-right corner of the page. The Create Role dialog box is displayed.
  3. On the Select Role Type page of the dialog box, click User Role.
  4. On the Enter Type page, in the Trusted Alibaba Cloud Account ID textbox, enter the trusted cloud account ID, and then click Next.
  5. On the Configure Basic page, enter the role name and description, and then click Create. The created role is displayed on the Role Management page.
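Step A results in a trust policy on the new role that names the trusted account as the principal allowed to assume it. The following document is an added example, not text from this page or an export from the console, of what such a trust policy looks like; the account ID is a placeholder, and it is an assumption that the console writes an equivalent document for the role.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "RAM": [
          "acs:ram::<trusted Alibaba Cloud account ID>:root"
        ]
      }
    }
  ]
}
```

Only identities in the account listed under Principal can assume the role, which is why the RAM user in step C must belong to that account.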

B. Authorize the RAM user role

Newly created user roles have no permissions. You must grant the user role permission to access ARMS. The trusted cloud account specified in step A can then assume the RAM user role to use ARMS.

  1. In the left-side navigation pane of the RAM console, choose Roles. The Role Management page is displayed.
  2. Find the role to be authorized on the page, and click Authorize in the Actions column. The Edit Role Authorization Policy dialog box is displayed.

  3. In the dialog box, search by keyword for the AliyunARMSFullAccess authorization policy, click the > button to move it to the Selected Authorization Policy Name list on the right, and then click OK.

C. Authorize the RAM user of the trusted cloud account

A RAM user role takes effect only when a trusted real user assumes it, but the trusted cloud account cannot assume the role directly. Instead, a RAM user under that account assumes the role. In other words, a RAM user role is assumed and used by a RAM user. In addition, the trusted cloud account must grant its subordinate RAM user the AliyunSTSAssumeRoleAccess permission, which allows the RAM user to call the AssumeRole interface of the STS service. After this is done, the RAM user can assume the RAM user role created in step A on behalf of the trusted cloud account.

  1. In the left-side navigation pane of the RAM console, choose Users. The User Management page is displayed.
  2. Find the user to be authorized on the page, and click Authorize in the Actions column. The Edit User-Level Authorization dialog box is displayed.

    Tip: If you don’t have a RAM user, follow the instructions of Create and authorize RAM sub-account to create one.

  3. In the dialog box, search by keyword for the AliyunSTSAssumeRoleAccess authorization policy, click the > button to move it to the Selected Authorization Policy Name list on the right, and then click OK.
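AliyunSTSAssumeRoleAccess allows the RAM user to call sts:AssumeRole on any role that trusts its account. The following custom authorization policy is an added example, not part of this page, that grants the RAM user the same capability scoped to the single role created in step A; the account ID and role name are placeholders that you replace with the values from the role's ARN.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::<primary account ID that created the role>:role/<role name>"
    }
  ]
}
```

Attach this policy to the RAM user instead of AliyunSTSAssumeRoleAccess when the user only needs this one role; an AssumeRole call for any other role ARN is then denied.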

D. Get the temporary security token of the RAM user

For more information about how to get an STS security token, see Temporary authorization for mobile apps.

  1. Add the Maven dependencies to pom.xml.

    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-sts</artifactId>
        <version>3.0.0</version>
    </dependency>
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-core</artifactId>
        <version>3.5.0</version>
    </dependency>
  2. Example code for getting an STS token:

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

    String endpoint = "sts.aliyuncs.com";
    String regionId = "cn-hangzhou";
    // AccessKey pair of the RAM user that was granted AliyunSTSAssumeRoleAccess in step C
    String accessKeyId = "<AccessKey ID of the RAM user>";
    String accessKeySecret = "<AccessKey Secret of the RAM user>";
    // Format: acs:ram::<ID of the primary account that created the RAM role>:role/<role name>
    String roleArn = "acs:ram::<primary account ID>:role/<role name>";
    String roleSessionName = "session-name";
    try {
        // Register the STS endpoint for the region, then build a client with the RAM user's AccessKey
        DefaultProfile.addEndpoint(regionId, regionId, "Sts", endpoint);
        IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
        DefaultAcsClient client = new DefaultAcsClient(profile);
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setMethod(MethodType.POST);
        request.setRoleArn(roleArn);
        request.setRoleSessionName(roleSessionName);
        request.setPolicy(null); // Optional session policy; null means the role's own permissions apply
        AssumeRoleResponse response = client.getAcsResponse(request);
        // The returned credentials are temporary: obtain a new set before Expiration is reached
        System.out.println("Expiration: " + response.getCredentials().getExpiration());
        System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
        System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
        System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
    } catch (ClientException e) {
        // AssumeRole failed: wrong AccessKey, wrong role ARN, or the RAM user or role is not authorized
        System.err.println("AssumeRole failed: " + e.getErrCode() + " - " + e.getErrMsg());
    }

    Tip:

    • For more information about the STS endpoint of each region, see Service address.
    • How to get roleArn: Log on to the RAM console with the primary account that created the RAM role, and in the left-side navigation pane, choose Roles. On the Role Management page, click the role name or Manage in the Actions column; the ARN of the role is shown in the Basic information area of the Role Details page.