This topic describes how to use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts. Two enterprises (Enterprise A and Enterprise B) are used as examples. To authorize Enterprise B to access specified resources of Enterprise A, Enterprise A can create a RAM role and allow Enterprise B to assume it. Enterprise B can then assume the RAM role and access the specified resources.
Prerequisites
An alias is set for your Alibaba Cloud account. For more information, see Manage the default domain name.
Background information
An enterprise (Enterprise A) has purchased multiple types of Alibaba Cloud resources, such as ECS instances, RDS instances, SLB instances, and OSS buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A.
Enterprise A has the following requirements:
- Enterprise A only serves as a cloud resource owner. Enterprise A can authorize Enterprise B to maintain, monitor, and manage specified cloud resources of Enterprise A.
- If an employee joins or leaves Enterprise B, Enterprise B does not need to change permissions. Enterprise B can grant fine-grained permissions on cloud resources of Enterprise A to its RAM users (employees or applications).
- If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B based on business requirements.
Solution
In this example, Enterprise A needs to authorize employees of Enterprise B to manage ECS resources of Enterprise A. Enterprise A has an Alibaba Cloud account named Account A and Enterprise B has an Alibaba Cloud account named Account B.
- The ID of Account A is 123456789012**** and the account alias is company-a.
- The ID of Account B is 134567890123**** and the account alias is company-b.
- Enterprise A uses Account A to create a RAM role, grants the required permissions to the RAM role, and then authorizes Account B to assume this role. For more information, see Grant permissions across Alibaba Cloud accounts.
- If an employee (a RAM user) under Account B needs to assume this role, Account B can grant the required permissions to the RAM user. Then, the RAM user assumes the RAM role to access the resources of Account A. For more information, see Access resources across Alibaba Cloud accounts.
- If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Account B. Then, all RAM users of Account B no longer have the permissions of the RAM role. For more information, see Revoke permissions across Alibaba Cloud accounts.
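The three steps above, modelled in Python as an added example (not code from the Alibaba Cloud documentation): the trust policy Account A attaches to the role, the sts:AssumeRole permission Account B attaches to its RAM user, a hypothetical check that both halves are required before the role can be assumed, and revocation by removing Account B from the trust policy. The account IDs and role name ecs-admin are the page's masked example values; the check is a simplified model of RAM's evaluation, not the real service.

```python
# Identifiers reused from the page's example (masked, as on the page).
ACCOUNT_A = "123456789012****"   # resource owner (Enterprise A)
ACCOUNT_B = "134567890123****"   # operator (Enterprise B)
ROLE_NAME = "ecs-admin"
ROLE_ARN = f"acs:ram::{ACCOUNT_A}:role/{ROLE_NAME}"


def trust_policy(trusted_account_ids):
    """Trust policy on the role in Account A: which accounts may assume it."""
    principals = [f"acs:ram::{acct}:root" for acct in trusted_account_ids]
    return {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"RAM": principals}}]}


def assume_role_policy(owner_account_id, role_name):
    """Policy Account B attaches to a RAM user (e.g. Alice) so it may assume the role."""
    return {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Resource": f"acs:ram::{owner_account_id}:role/{role_name}"}]}


def can_assume(trust, user_policy, caller_account_id, role_arn):
    """Hypothetical model: AssumeRole succeeds only when the role's trust policy
    lists the caller's account AND the caller's own policy allows sts:AssumeRole
    on that role ARN. Either side alone is not enough."""
    caller = f"acs:ram::{caller_account_id}:root"
    trusted = any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        and caller in s.get("Principal", {}).get("RAM", [])
        for s in trust["Statement"])
    permitted = any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        and s["Resource"] == role_arn
        for s in user_policy["Statement"])
    return trusted and permitted


def revoke(trust, account_id):
    """Revocation from Account A's side: drop the account from the trust policy.
    Every RAM user of that account loses the role at once, whatever Account B
    has granted internally."""
    principal = f"acs:ram::{account_id}:root"
    for s in trust["Statement"]:
        s["Principal"]["RAM"] = [p for p in s["Principal"]["RAM"] if p != principal]
    return trust
```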
Grant permissions across Alibaba Cloud accounts
Access resources across Alibaba Cloud accounts
After Enterprise A uses Account A to grant the required permissions to Account B, the RAM user Alice of Account B can access ECS resources of Account A by assuming the RAM role. An employee of Enterprise B can perform the following steps to assume the RAM role as a RAM user:
Revoke permissions across Alibaba Cloud accounts
Enterprise A can use Account A to revoke the permission to assume the RAM role ecs-admin from Account B. Enterprise A can perform the following steps to revoke the permission to assume the RAM role: