Use RAM for authorizing applications to access Alibaba Cloud resources

Edit in GitHub

Last Updated: Apr 26, 2020 Edit in GitHub

This topic describes how to use a temporary STS token of a RAM role for authorizing applications to access Alibaba Cloud resources.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.

Background information

An enterprise has purchased Elastic Compute Service (ECS) instances and wants to deploy its applications on these ECS instances.

To allow the applications to use AccessKey pairs for calling API operations of other Alibaba Cloud services, the enterprise can use one of the following methods:

Include the AccessKey pairs in application code.
Save the AccessKey pairs in the configuration files of the applications.

However, if the preceding methods are used, the following issues occur:

AccessKey pair disclosure: If AccessKey pairs are stored in the ECS instances in plaintext, the AccessKey pairs may be disclosed by the sharing of snapshots and images or by ECS instances created from images.
Complex O&M: The AccessKey pairs are stored in the ECS instances. If the AccessKey pairs are changed due to AccessKey pair rotations or user identity changes, all ECS instances and images must be updated and redeployed. This increases the difficulty in managing the ECS instances and images.

Solution

To resolve the preceding issues, the enterprise can use an integrated feature of RAM to control the permissions of ECS instances. This feature allows the enterprise to create a RAM role for each ECS instance and grant the required permissions to each RAM role. The applications can use the temporary STS token of the corresponding RAM role to call Alibaba Cloud API operations.

Use RAM for authorizing applications to access Alibaba Cloud

Procedure

The enterprise creates a RAM role named MyApplicationRole.

Note Alibaba Cloud Service is selected as the trusted entity and Elastic Compute Service is selected as the trusted service. This allows ECS to assume the RAM role and then access Alibaba Cloud resources.

For more information, see Create a RAM role for a trusted Alibaba Cloud service.
The enterprise grants the required permissions to the RAM role.

For more information, see Grant permissions to a RAM role.

Note If the temporary STS token lacks specific permissions, the enterprise must assign required policies to the RAM role. After the policies are assigned, the permissions that are attached to the temporary STS token take immediate effect without the need to restart the corresponding ECS instance.
The enterprise uses its Alibaba Cloud account to create a RAM user.

For more information, see Create a RAM user.
The enterprise grants the required permissions to the RAM user.
- If the RAM user has the same responsibilities as an administrator, the AdministratorAccess permission policy must be attached to the RAM user.
- If the responsibilities of the RAM user are different from those of an administrator, the permission on the PassRole operation must be granted to the RAM user.
  The enterprise creates a custom policy in the RAM console and attaches the custom policy to the RAM user. The custom policy is as follows:
```
{
   "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/MyApplicationRole"//Replace MyApplicationRole with the name of the RAM role.
    }
  ],
  "Version": "1"
}                
```
  Note
  - Only authorized RAM users can create RAM roles for ECS instances. This prevents against abuse of RAM roles.
  - When a RAM user who has access only to ECS attempts to create an ECS instance and configure a RAM role, ECS checks whether the RAM user has the ram:PassRole permission on the RAM role. If the RAM user does not have the permission, the ECS instance fails to be created.
For more information, see Grant permissions to a RAM user.
The RAM user starts the ECS instance, and then configures the RAM role.
ECS calls the AssumeRole STS API operation to obtain the temporary STS token of the RAM role.

Note The STS service verifies the identity of ECS and the policies attached to the RAM role. If the verification succeeds, a temporary STS token is issued. If the verification fails, the request is denied.

For more information, see Use the instance RAM role by calling APIs.
STS returns the temporary STS token to ECS.
ECS includes the temporary STS token in the metadata of the ECS instance, and sends the metadata to the application deployed on the ECS instance.
- In a Linux system, applications can query the instance metadata to obtain a temporary STS token and its validity period. For more information, see Access other Cloud Product APIs by the Instance RAM Role.
  Sample request:
```
$ curl http://100.100.100.200/latest/meta-data/ram/security-credentials/MyApplicationRole
```
  Sample response:
```
[root@local ~]# curl http://100.100.100.200/latest/meta-data/ram/security-credentials/MyApplicationRole
{
"AccessKeyId" : "STS.J8XXXXXXXXXX4",
"AccessKeySecret" : "9PjfXXXXXXXXXBf2XAW",
"Expiration" : "2017-06-09T09:17:19Z",
"SecurityToken" : "CAIXXXXXXXXXXXwmBkleCTkyI+",
"LastUpdated" : "2017-06-09T03:17:18Z",
"Code" : "Success"
}
```
- If the applications use an Alibaba Cloud SDK, the SDK can obtain the temporary STS token of the RAM role from the ECS instance metadata. No AccessKey pair-related configurations are required in the SDK. For more information, see Configure RamRole to achieve non-AK access to ECS instances.
  
  Note The applications can call Alibaba Cloud API operations when the temporary STS token is valid. The temporary STS token expires after one hour. Before the temporary STS token expires, it is refreshed by ECS.
The applications use the temporary STS token to call Alibaba Cloud API operations.

Note Applications deployed on other Alibaba Cloud services such as Function Compute and MaxCompute can also use temporary STS tokens of RAM roles to call Alibaba Cloud API operations.