This topic describes how to use a Security Token Service (STS) token of a Resource Access Management (RAM) role to authorize applications to access Alibaba Cloud resources.

Background information

An enterprise has purchased Elastic Compute Service (ECS) instances and wants to deploy applications on these ECS instances. The applications need to use AccessKey pairs to call the operations of other Alibaba Cloud services.

In this case, the enterprise can use one of the following methods:

  • Include the AccessKey pairs in the application code.
  • Save the AccessKey pairs in the configuration files of the applications.

However, if the preceding methods are used, the following issues may occur:

  • AccessKey pair disclosure: If AccessKey pairs are stored in the ECS instances in plaintext, the AccessKey pairs may be disclosed after snapshots and images are shared or ECS instances are created from images.
  • Complex O&M: The AccessKey pairs are stored on the ECS instances. Whenever the AccessKey pairs change because of a rotation or a change of user identity, every ECS instance and image must be updated and redeployed, which makes the instances and images harder to manage.

Solution

To resolve the preceding issues, the enterprise can use RAM to manage the permissions of ECS instances. RAM is a resource access control service that allows the enterprise to assign a RAM role, to which specific policies are attached, to each ECS instance. The applications then use an STS token of that RAM role to call Alibaba Cloud operations, so no long-term AccessKey pair needs to be stored on the instance.

Process

  1. The enterprise creates a RAM role named MyApplicationRole.
    Note Alibaba Cloud Service is selected as the trusted entity, and Elastic Compute Service is selected as the trusted service. This allows ECS to assume the RAM role and access Alibaba Cloud resources.

    For more information, see Create a RAM role for a trusted Alibaba Cloud service.

  2. The enterprise attaches the required policies to the RAM role.

    For more information, see Grant permissions to a RAM role.

    Note If the STS token does not carry the required permissions, the enterprise can attach additional policies to the RAM role based on business requirements. After the policies are attached, the permissions carried by the STS token take effect immediately; the ECS instance does not need to be restarted.
  3. The enterprise uses its Alibaba Cloud account to create a RAM user.

    For more information, see Create a RAM user.

  4. The enterprise attaches the required policies to the RAM user.
    • If the RAM user has the same responsibilities as an administrator, the AdministratorAccess policy must be attached to the RAM user.
    • If the RAM user has different responsibilities from those of an administrator, the enterprise must create the following custom policy in the RAM console and attach the policy to the RAM user:
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/MyApplicationRole"
          }
        ],
        "Version": "1"
      }
      Replace MyApplicationRole in the Resource element with the name of the RAM role.
      Note
      • Only authorized RAM users can configure RAM roles for ECS instances. This prevents the abuse of RAM roles.
      • When a RAM user that can only manage ECS instances attempts to create an ECS instance and configure a RAM role, ECS checks whether the RAM user is allowed to perform the ram:PassRole action on the RAM role. If the RAM user is not allowed, the ECS instance fails to be created.

    For more information, see Grant permissions to a RAM user.

  5. The RAM user that is created in Step 3 assigns the RAM role that is created in Step 1 to a specific ECS instance.
    For more information, see Step 3: Bind the instance RAM role.
  6. ECS exposes the STS token through the metadata of the ECS instance, where the application that is deployed on the instance can read it.
    • In a Linux system, applications can query the instance metadata to obtain an STS token and its validity period. For more information, see Use RAM roles to access other Alibaba Cloud services.

      Sample request

      curl http://100.100.100.200/latest/meta-data/ram/security-credentials/MyApplicationRole

      Sample response

      {
          "AccessKeyId": "STS.J8XXXXXXXXXX4",
          "AccessKeySecret": "9PjfXXXXXXXXXBf2XAW",
          "Expiration": "2017-06-09T09:17:19Z",
          "SecurityToken": "CAIXXXXXXXXXXXwmBkleCTkyI+",
          "LastUpdated": "2017-06-09T03:17:18Z",
          "Code": "Success"
      }
    • If the applications use an Alibaba Cloud SDK, the SDK can automatically obtain the STS token of the RAM role from the ECS instance metadata. No AccessKey pair-related configurations are required in the SDK. For more information, see Configure RamRole to achieve non-AK access to ECS instances.
      Note In most cases, an STS token is valid for one hour. The applications can call Alibaba Cloud operations as long as the STS token is valid. ECS refreshes the token in the instance metadata before it expires, so applications that read the token directly must re-read the metadata before the Expiration time passes.
  7. The applications use the STS token to call Alibaba Cloud operations.
Note Applications deployed on other Alibaba Cloud services such as Function Compute and MaxCompute can also use STS tokens of RAM roles to call Alibaba Cloud operations.
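The following Python snippet is an added example, not code from the original page or from Alibaba Cloud SDKs. It shows how an application on a Linux ECS instance can read the STS token from the metadata endpoint described in step 6, check the Code field, and re-read the metadata shortly before the Expiration time so that the refreshed token is picked up. The MetadataCredentialProvider class, the 10-minute refresh margin and the sample response values are assumptions for illustration; the fetch function and clock are injectable so the demo runs offline.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Instance metadata endpoint from the document; the RAM role name is appended to it.
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"

def fetch_from_metadata(url, timeout=2):   # real network read of the metadata service
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

class MetadataCredentialProvider:          # hypothetical helper, not an SDK class
    def __init__(self, role_name, fetch=fetch_from_metadata, now=None,
                 refresh_margin=timedelta(minutes=10)):
        self.url = METADATA_URL + role_name
        self.fetch = fetch                      # injectable so tests run offline
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.refresh_margin = refresh_margin    # re-read this long before Expiration
        self.cached, self.fetch_count = None, 0

    def _load(self):
        data = json.loads(self.fetch(self.url))
        if data.get("Code") != "Success":       # e.g. role not bound to the instance
            raise RuntimeError("metadata service returned Code=%r" % data.get("Code"))
        data["Expiration"] = datetime.strptime(
            data["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        self.cached, self.fetch_count = data, self.fetch_count + 1

    def get_credentials(self):
        """Return (AccessKeyId, AccessKeySecret, SecurityToken), refreshing near expiry."""
        if self.cached is None or self.cached["Expiration"] - self.now() <= self.refresh_margin:
            self._load()
        c = self.cached
        return c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"]

# Constructed sample response modelled on the document's sample; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "STS.EXAMPLEKEYID", "AccessKeySecret": "EXAMPLESECRET",
    "Expiration": "2017-06-09T09:17:19Z", "SecurityToken": "EXAMPLETOKEN",
    "LastUpdated": "2017-06-09T03:17:18Z", "Code": "Success"})

def demo():
    # Offline run: two calls well before expiry share one fetch; a call inside the margin refetches.
    clock = [datetime(2017, 6, 9, 3, 17, 18, tzinfo=timezone.utc)]
    p = MetadataCredentialProvider("MyApplicationRole", fetch=lambda _url: SAMPLE_RESPONSE,
                                   now=lambda: clock[0])
    key_id = p.get_credentials()[0]
    p.get_credentials()                                               # cache hit
    clock[0] = datetime(2017, 6, 9, 9, 10, 0, tzinfo=timezone.utc)    # 7 min 19 s before expiry
    p.get_credentials()                                               # re-reads metadata
    return key_id, p.fetch_count
```

On a real instance, construct the provider with the default fetch function and pass the returned triple to the SDK client; never write the values to disk or to an image.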