This topic describes how to use a temporary STS token of a RAM role for authorizing
applications to access Alibaba Cloud resources.
Background information
An enterprise has purchased Elastic Compute Service (ECS) instances and wants to deploy
its applications on these ECS instances.
To allow the applications to use AccessKey pairs for calling API operations of other
Alibaba Cloud services, the enterprise can use one of the following methods:
- Include the AccessKey pairs in application code.
- Save the AccessKey pairs in the configuration files of the applications.
However, if the preceding methods are used, the following issues occur:
- AccessKey pair disclosure: If AccessKey pairs are stored in the ECS instances in plaintext,
the AccessKey pairs may be disclosed by the sharing of snapshots and images or by
ECS instances created from images.
- Complex O&M: The AccessKey pairs are stored in the ECS instances. If the AccessKey
pairs are changed due to AccessKey pair rotations or user identity changes, all ECS
instances and images must be updated and redeployed. This increases the difficulty
in managing the ECS instances and images.
Solution
To resolve the preceding issues, the enterprise can use an integrated feature of RAM
to control the permissions of ECS instances. This feature allows the enterprise to
create a RAM role for each ECS instance and grant the required permissions to each
RAM role. The applications can use the temporary STS token of the corresponding RAM
role to call Alibaba Cloud API operations.
Procedure
- The enterprise creates a RAM role named MyApplicationRole.
Note Alibaba Cloud Service is selected as the trusted entity and Elastic Compute Service is selected as the trusted service. This allows ECS to assume the RAM role and then access Alibaba Cloud resources.
For more information, see Create a RAM role for a trusted Alibaba Cloud service.
- The enterprise grants the required permissions to the RAM role.
For more information, see Grant permissions to a RAM role.
Note If the temporary STS token lacks specific permissions, the enterprise must assign
required policies to the RAM role. After the policies are assigned, the permissions
that are attached to the temporary STS token take immediate effect without the need
to restart the corresponding ECS instance.
- The enterprise uses its Alibaba Cloud account to create a RAM user.
- The enterprise grants the required permissions to the RAM user.
- If the RAM user has the same responsibilities as an administrator, the AdministratorAccess permission policy must be attached to the RAM user.
- If the responsibilities of the RAM user are different from those of an administrator, the permission on the PassRole operation must be granted to the RAM user.
The enterprise creates a custom policy in the RAM console and attaches the custom
policy to the RAM user. The custom policy is as follows:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/MyApplicationRole"
    }
  ],
  "Version": "1"
}
Replace MyApplicationRole in the Resource value with the name of the RAM role. JSON does not allow comments, so do not place the replacement hint inside the policy document itself.
Note
- Only authorized RAM users can create RAM roles for ECS instances. This prevents the abuse of RAM roles.
- When a RAM user who has access only to ECS attempts to create an ECS instance and configure a RAM role, ECS checks whether the RAM user has the ram:PassRole permission on the RAM role. If the RAM user does not have the permission, the ECS instance fails to be created.
- The RAM user starts the ECS instance, and then configures the RAM role.
- ECS calls the AssumeRole STS API operation to obtain the temporary STS token of the RAM role.
Note The STS service verifies the identity of ECS and the policies attached to the RAM
role. If the verification succeeds, a temporary STS token is issued. If the verification
fails, the request is denied.
For more information, see Use the instance RAM role by calling APIs.
- STS returns the temporary STS token to ECS.
- ECS includes the temporary STS token in the metadata of the ECS instance, and sends
the metadata to the application deployed on the ECS instance.
- In a Linux system, applications can query the instance metadata to obtain a temporary
STS token and its validity period. For more information, see Access other Cloud Product APIs by the Instance RAM Role.
Sample request:
$ curl http://100.100.100.200/latest/meta-data/ram/security-credentials/MyApplicationRole
Sample response:
{
  "AccessKeyId" : "STS.J8XXXXXXXXXX4",
  "AccessKeySecret" : "9PjfXXXXXXXXXBf2XAW",
  "Expiration" : "2017-06-09T09:17:19Z",
  "SecurityToken" : "CAIXXXXXXXXXXXwmBkleCTkyI+",
  "LastUpdated" : "2017-06-09T03:17:18Z",
  "Code" : "Success"
}
- If the applications use an Alibaba Cloud SDK, the SDK can obtain the temporary STS
token of the RAM role from the ECS instance metadata. No AccessKey pair-related configurations
are required in the SDK. For more information, see Configure RamRole to achieve non-AK access to ECS instances.
Note The applications can call Alibaba Cloud API operations when the temporary STS token
is valid. The temporary STS token expires after one hour. Before the temporary STS
token expires, it is refreshed by ECS.
- The applications use the temporary STS token to call Alibaba Cloud API operations.
Note Applications deployed on other Alibaba Cloud services such as Function Compute and
MaxCompute can also use temporary STS tokens of RAM roles to call Alibaba Cloud API
operations.
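As an added example (not code from the Alibaba Cloud documentation or its SDK), the following Python reads the temporary STS token from the instance metadata endpoint shown above, parses the response, and decides when an application should re-read the metadata before the one-hour token expires. The function names, the ten-minute refresh margin and the sample response are assumptions constructed for this example.

```python
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Metadata endpoint and role name as used in the sample request on this page.
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
ROLE_NAME = "MyApplicationRole"

# Constructed sample shaped like the page's sample response; all values are dummies.
SAMPLE_RESPONSE = """{
  "AccessKeyId" : "STS.EXAMPLEKEYID",
  "AccessKeySecret" : "EXAMPLESECRET",
  "Expiration" : "2017-06-09T09:17:19Z",
  "SecurityToken" : "EXAMPLETOKEN",
  "LastUpdated" : "2017-06-09T03:17:18Z",
  "Code" : "Success"
}"""


@dataclass
class StsCredential:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime


def parse_utc(value: str) -> datetime:
    """Parse the metadata timestamp format (e.g. 2017-06-09T09:17:19Z) as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credential(body: str) -> StsCredential:
    """Parse the metadata JSON and reject anything that is not a successful issuance."""
    data = json.loads(body)
    if data.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={data.get('Code')!r}")
    return StsCredential(data["AccessKeyId"], data["AccessKeySecret"],
                         data["SecurityToken"], parse_utc(data["Expiration"]))


def needs_refresh(cred: StsCredential, now: datetime,
                  margin: timedelta = timedelta(minutes=10)) -> bool:
    """True when the token is within `margin` of expiry or already expired, so the
    application re-reads the metadata (ECS has already rotated it) instead of failing."""
    return now >= cred.expiration - margin


def fetch_credential(role_name: str = ROLE_NAME, timeout: float = 2.0) -> StsCredential:
    """Read the live token from instance metadata; only reachable from an ECS instance."""
    with urllib.request.urlopen(METADATA_URL + role_name, timeout=timeout) as resp:
        return parse_credential(resp.read().decode("utf-8"))
```

Applications should cache the parsed credential and call `needs_refresh` before each API call rather than querying the metadata service on every request.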