This topic uses two enterprises (Enterprise A and Enterprise B) as examples. It describes how to use a RAM role to grant permissions across Alibaba Cloud accounts. By using a RAM role, Enterprise A can authorize Enterprise B to access or manage specified resources of Enterprise A.

Prerequisites

An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, go to the account registration page.

Background information

Enterprise A has purchased multiple Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB for RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Enterprise A requires a method to authorize Enterprise B. This authorization will allow Enterprise B to access specified resources of Enterprise A.

The requirements of Enterprise A are as follows:

  • Enterprise A only serves as a cloud resource owner. Enterprise A can authorize Enterprise B to maintain, monitor, and manage specified cloud resources of Enterprise A.
  • If an employee joins or leaves Enterprise B, Enterprise A does not need to change any permissions. Enterprise B grants the permission to assume the role to its own RAM users (employees or applications), so Enterprise B controls, at a fine-grained level, which of its identities can access the cloud resources of Enterprise A.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B at any time.

Solution

In this solution, Enterprise A requires a method to authorize employees of Enterprise B. This authorization will allow these employees to manage ECS resources of Enterprise A. Enterprise A has an Alibaba Cloud account named Account A and Enterprise B has an Alibaba Cloud account named Account B.

  • The ID of Account A is 123456789012**** and the enterprise alias is company-a.
  • The ID of Account B is 134567890123**** and the enterprise alias is company-b.
  1. Enterprise A uses Account A to create a RAM role, grants the relevant permissions to the RAM role, and authorizes Account B to use this role.

    For more information, see Grant permissions across Alibaba Cloud accounts.

  2. If an employee (a RAM user) in Account B needs to assume this role, Account B can grant the relevant permissions to the RAM user. Then, the RAM user assumes the RAM role to manage the resources of Account A.

    For more information, see Access resources across Alibaba Cloud accounts.

  3. If the agreement between Enterprise A and Enterprise B ends, Enterprise A only needs to revoke the permissions from Account B. Then, all RAM users in Account B no longer have the permissions associated with the RAM role.

    For more information, see Revoke permissions across Alibaba Cloud accounts.

Grant permissions across Alibaba Cloud accounts

  1. Enterprise A uses its Alibaba Cloud account to create a RAM role named ecs-admin. Alibaba Cloud account is selected as the trusted entity type.
    Note When the RAM role is created, Other Alibaba Cloud Account is selected and 134567890123**** is specified as the trusted Alibaba Cloud account. This ensures that RAM users in Account B can assume the RAM role.

    For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    After creating a RAM role, Enterprise A can view the role information on the basic information page.

    • In this example, the Alibaba Cloud Resource Name (ARN) of the RAM role is acs:ram::123456789012****:role/ecs-admin.
    • The trust policy of the RAM role is as follows.
      Note The following trust policy indicates that RAM users in Account B can assume the RAM role.
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::134567890123****:root"
              ]
            }
          }
        ],
        "Version": "1"
      }
  2. Account A attaches the AliyunECSFullAccess policy to the RAM role ecs-admin.

    For more information, see Grant permissions to a RAM role.

  3. Account B creates a RAM user named Alice.

    For more information, see Create a RAM user.

  4. Account B sets a logon password (123456****) for the RAM user and attaches the AliyunSTSAssumeRoleAccess system policy to the RAM user. This allows the RAM user to call sts:AssumeRole. Note that AliyunSTSAssumeRoleAccess allows sts:AssumeRole on every RAM role, in any account, whose trust policy trusts Account B. If Alice only needs the ecs-admin role, attach a custom policy instead that allows sts:AssumeRole only on the resource acs:ram::123456789012****:role/ecs-admin.

    For more information, see Grant permissions to a RAM user.
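The following Python script is an added example, not code from Alibaba Cloud or from this topic. It builds the two policy documents that the grant procedure above creates by hand (the trust policy of ecs-admin in Account A, and an assume-role policy for Alice in Account B scoped to the role ARN rather than to Resource "*"), and it checks a trust policy before it is saved: every trusted account must be one the agreement covers, and no principal may be a wildcard. The account IDs are the masked placeholders from this topic; the helper functions and their names are this example's own.

```python
"""Policy-as-code for the cross-account grant in this topic (added example)."""
import json

# Masked placeholder IDs as used in this topic, not real account IDs.
ACCOUNT_A = "123456789012****"   # Enterprise A, owns the ECS resources
ACCOUNT_B = "134567890123****"   # Enterprise B, trusted to assume the role
ROLE_NAME = "ecs-admin"
ROLE_ARN = f"acs:ram::{ACCOUNT_A}:role/{ROLE_NAME}"


def build_trust_policy(trusted_account_ids):
    """Trust policy for the role: the document the console generates when
    'Other Alibaba Cloud Account' is chosen for each listed account ID."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{aid}:root" for aid in trusted_account_ids]},
        }],
        "Version": "1",
    }


def build_assume_role_policy(role_arns):
    """Least-privilege alternative to AliyunSTSAssumeRoleAccess for Alice:
    sts:AssumeRole is allowed only on the listed role ARNs, not on Resource "*"."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": list(role_arns),
        }],
        "Version": "1",
    }


def _ram_principals(statement):
    ram = statement.get("Principal", {}).get("RAM", [])
    return [ram] if isinstance(ram, str) else list(ram)


def _allows_assume_role(statement):
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return statement.get("Effect") == "Allow" and any(
        a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def trusted_accounts(trust_policy):
    """Account IDs that may assume the role, taken from the RAM principal ARNs
    (acs:ram::<account-id>:root or acs:ram::<account-id>:user/<name>)."""
    ids = set()
    for stmt in trust_policy.get("Statement", []):
        if not _allows_assume_role(stmt):
            continue
        for arn in _ram_principals(stmt):
            parts = arn.split(":")
            ids.add(parts[3] if len(parts) == 5 else arn)
    return ids


def check_trust_policy(trust_policy, expected_account_ids):
    """Findings to resolve before saving: wildcard principals, and any account
    the trust policy admits beyond the ones the agreement covers."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if not _allows_assume_role(stmt):
            continue
        for arn in _ram_principals(stmt):
            if "*" in arn.split(":")[-1]:       # identity part is a wildcard
                findings.append(f"wildcard principal {arn!r}")
    for aid in sorted(trusted_accounts(trust_policy) - set(expected_account_ids)):
        findings.append(f"unexpected trusted account {aid}")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy([ACCOUNT_B])
    print(json.dumps(trust, indent=2))
    print("findings:", check_trust_policy(trust, [ACCOUNT_B]))
    print(json.dumps(build_assume_role_policy([ROLE_ARN]), indent=2))
```

Run the check against the trust policy you are about to paste into the console, with the list of accounts the agreement names; an empty findings list means the role trusts exactly those accounts and nothing broader.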

Access resources across Alibaba Cloud accounts

After obtaining the relevant permissions from Account A, the RAM user Alice in Account B can access ECS resources of Account A by assuming the RAM role. Alice can also assume the role programmatically by calling the STS AssumeRole API with the role ARN acs:ram::123456789012****:role/ecs-admin and a role session name, which returns temporary credentials scoped to the permissions of the role. The console procedure is as follows:

  1. Log on to the RAM console as the RAM user Alice.
    Note On the logon page, enter the enterprise alias company-b, username Alice, and password 123456****.

    For more information, see Log on to the console as a RAM user.

  2. Move the pointer over the profile picture and click Switch Role.
    Note On the page that appears, you must enter the enterprise alias company-a and role name ecs-admin.

    For more information, see Assume a RAM role.

Revoke permissions across Alibaba Cloud accounts

Account A can revoke Account B's permission to use the RAM role ecs-admin at any time; no action by Account B is required. The procedure is as follows:

  1. Log on to the RAM console by using Account A.
  2. In the left-side navigation pane, click RAM Roles.
  3. In the RAM Role Name column, click the RAM role ecs-admin.
  4. On the Trust Policy Management tab, click Edit Trust Policy, remove "acs:ram::134567890123****:root" from the RAM principal list, and confirm. After the trust policy is saved, no RAM user in Account B can assume the role, and existing temporary credentials issued for the role expire at the end of their lifetime.
    Note Account A can also delete the RAM role to revoke the permission of using the RAM role ecs-admin from Account B. Before the RAM role is deleted, the policies attached to the RAM role must be detached. For more information, see Remove permissions from a RAM role.
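The following Python script is an added example, not code from Alibaba Cloud or from this topic. It performs the trust-policy edit of step 4 on a policy document and verifies the result, and it handles the case the Note above covers: when removing an account would leave the role with no trusted principal, the function refuses and points at deleting the role instead. The account ID of Account B is the masked placeholder from this topic; the second trusted account, the sample trust policy and the function names are constructed for this example.

```python
"""Revoking a trusted account from a RAM role trust policy (added example)."""
import copy

ACCOUNT_B = "134567890123****"   # masked placeholder from this topic
ACCOUNT_C = "145678901234****"   # hypothetical second partner, constructed for this example

# Constructed input: the ecs-admin trust policy from this topic, extended with
# a second trusted account so that a partial revocation can be shown.
TRUST_POLICY = {
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": [
            f"acs:ram::{ACCOUNT_B}:root",
            f"acs:ram::{ACCOUNT_C}:root",
        ]},
    }],
    "Version": "1",
}


def _account_of(arn):
    """Account ID of a RAM principal ARN such as acs:ram::<id>:root or
    acs:ram::<id>:user/<name>; None for anything else."""
    parts = arn.split(":")
    return parts[3] if len(parts) == 5 else None


def revoke_account(trust_policy, account_id):
    """Return a copy of the trust policy with every RAM principal of
    account_id removed, which is what 'Edit Trust Policy' does by hand.

    Raises ValueError if the account was not trusted (nothing to revoke) or if
    no principal at all would remain: in that case delete the role, as the
    Note says, rather than saving a trust policy that names nobody."""
    policy = copy.deepcopy(trust_policy)
    removed = 0
    remaining = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        ram = principal.get("RAM", [])
        ram = [ram] if isinstance(ram, str) else list(ram)
        kept = [arn for arn in ram if _account_of(arn) != account_id]
        removed += len(ram) - len(kept)
        if "RAM" in principal:
            principal["RAM"] = kept
        # Keep the statement only if some principal (RAM or other kind) remains.
        if kept or any(principal.get(k) for k in principal if k != "RAM"):
            remaining.append(stmt)
    if removed == 0:
        raise ValueError(f"{account_id} is not a trusted principal of this role")
    if not remaining:
        raise ValueError("no trusted principal would remain; delete the RAM role instead")
    policy["Statement"] = remaining
    return policy


def still_trusts(trust_policy, account_id):
    """Post-change check: does any Allow statement still name the account?"""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        ram = stmt.get("Principal", {}).get("RAM", [])
        ram = [ram] if isinstance(ram, str) else ram
        if any(_account_of(arn) == account_id for arn in ram):
            return True
    return False


if __name__ == "__main__":
    updated = revoke_account(TRUST_POLICY, ACCOUNT_B)
    print("B still trusted:", still_trusts(updated, ACCOUNT_B))
    print("C still trusted:", still_trusts(updated, ACCOUNT_C))
    try:
        revoke_account(updated, ACCOUNT_C)
    except ValueError as err:
        print("refused:", err)
```

Run still_trusts against the trust policy as shown in the console after the edit, not against the document you intended to save; the check is only meaningful on what RAM actually stored.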