You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or the RAM user that belongs to the Alibaba Cloud account of Enterprise B can access the Alibaba Cloud resources of Enterprise A.

Background information

Enterprise A has purchased Message Queue for Apache RocketMQ to conduct business and wants to authorize part of the business to Enterprise B.

Enterprise A has the following requirements:

  • Enterprise A wants to focus on its business systems and act only as the resource owner. Enterprise B is entrusted with tasks such as message delivery and subscription.
  • Enterprise A hopes that no permission changes are required when an employee joins or leaves Enterprise B. Enterprise B can assign fine-grained permissions on resources of Enterprise A to RAM users of Enterprise B, including employees or applications.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Enterprise B.

Solutions

In this example, Enterprise A needs to authorize employees of Enterprise B to manage Message Queue for Apache RocketMQ resources of Enterprise A. Assume that Enterprise A has Alibaba Cloud account A and Enterprise B has Alibaba Cloud account B. To grant permissions to use resources across Alibaba Cloud accounts of Enterprises A and B, perform the following operations:
  1. Step 1: Create a RAM role and attach policies to it

    Use Alibaba Cloud Account A to create a RAM role, grant permissions to the RAM role based on business scope and needs, and then allow a RAM user of Alibaba Cloud account B to assume the RAM role.

  2. Step 2: Access resources across Alibaba Cloud accounts
    After the RAM role authorization is complete, the RAM user of Alibaba Cloud account B obtains the permissions of the RAM role by assuming it. The RAM user can then access the resources of Alibaba Cloud account A in one of the following ways:
    • Access resources by using SDKs
    • Access resources in the console
    • Access resources by calling API operations

Step 1: Create a RAM role and attach policies to it

  1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and then create a RAM role for the Alibaba Cloud account of Enterprise B.
  2. Optional: Create a custom policy for the new RAM role by using the Alibaba Cloud account of Enterprise A.

    For more information, see Create a custom policy.

    Message Queue for Apache RocketMQ supports permission settings for instances, topics, and groups. For more information, see Policies and examples.

  3. Enterprise A must grant permissions to the RAM role, because new RAM roles do not have permissions. Enterprise A can add a system policy or a custom policy.
    For more information, see Grant permissions to a RAM role.
  4. Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and then create a RAM user.

    For more information, see Create a RAM user for Enterprise B.

  5. Enterprise B assigns the AliyunSTSAssumeRoleAccess permission to the RAM user.

    For more information, see Grant permissions to a RAM user.

    Enterprise B must assign the AliyunSTSAssumeRoleAccess permission to the RAM user of its Alibaba Cloud account, so that the RAM user can assume the RAM role created by Enterprise A.

Step 2: Access resources across Alibaba Cloud accounts

  • Access resources by using SDKs
    RAM users of Enterprise B can access the Message Queue for Apache RocketMQ resources of Enterprise A and send and subscribe to messages by using SDKs. Access by using SDKs can be configured in one of the following ways:
    • Configure a Security Token Service (STS) token: To use the STS token method, you must provide in the SDK code the temporary AccessKey ID, AccessKey secret, and security token (SecurityToken) that the RAM user obtains by assuming the RAM role. For more information about how to obtain a temporary security token by using STS, see AssumeRole.
      Notice: The STS method is applicable only to Message Queue for Apache RocketMQ SDK for Java 1.7.8.Final and later.
      Example configurations of an STS token
      • When you initialize the Message Queue for Apache RocketMQ client, enter the AccessKey ID, AccessKey secret, and security token in the attributes:
        import java.util.Properties;
        import com.aliyun.openservices.ons.api.ONSFactory;
        import com.aliyun.openservices.ons.api.Producer;
        import com.aliyun.openservices.ons.api.PropertyKeyConst;

        Properties properties = new Properties();
        // The temporary AccessKey ID returned by STS (it starts with "STS.").
        properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
        // The temporary AccessKey secret returned by STS.
        properties.put(PropertyKeyConst.SecretKey, "XXX");
        // The temporary security token returned by STS.
        properties.put(PropertyKeyConst.SecurityToken, "XXX");
        // Other attributes, such as the name server address.
        properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
        // ...... other attributes as required.
        Producer client = ONSFactory.createProducer(properties);
        client.start();
      • When the security token expires, call the updateCredential method to dynamically update the token on the running client:
        // "client" is the started producer from the previous example.
        Properties properties = new Properties();
        // The new temporary AccessKey ID returned by STS.
        properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
        // The new temporary AccessKey secret returned by STS.
        properties.put(PropertyKeyConst.SecretKey, "XXX");
        // The new temporary security token returned by STS.
        properties.put(PropertyKeyConst.SecurityToken, "XXX");
        client.updateCredential(properties);
    • Configure a RAM role for your Elastic Compute Service (ECS) instance: A RAM role bound to your ECS instance frees you from configuring the AccessKey ID, AccessKey secret, and security token in the SDK. You only need to enter the name of the created RAM role, which simplifies code configuration. However, you must first bind the created RAM role to the ECS instance where your application is deployed, so that the ECS instance is granted the permissions of the RAM role. For more information, see Assign a RAM role to an instance.
      Notice: RAM roles of ECS instances are applicable only to Message Queue for Apache RocketMQ SDK for Java 1.8.7.3.Final and later.
      Example configuration of a RAM role for an ECS instance
      Properties properties = new Properties();
      // The name of the RAM role that you created and assigned to the ECS instance.
      properties.put(PropertyKeyConst.RAM_ROLE_NAME, "XXX");
      // Set the other attributes (such as NAMESRV_ADDR) as in the STS example; no AccessKey or token is needed.
      Producer client = ONSFactory.createProducer(properties);
      client.start();
  • Access resources in the console
    RAM users of Enterprise B can log on to the console to access Message Queue for Apache RocketMQ resources of Enterprise A.
    1. Open the RAM User Logon page in your browser.
    2. On the RAM User Logon page, enter the logon name of the RAM user, and then click Next. Enter the password, and then click Login.
      Note: The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not set, the ID of the Alibaba Cloud account is used by default.
    3. On the homepage of the console, move the pointer over the profile picture in the upper-right corner and then click Switch Role.
    4. On the Switch Role page, set Enterprise Alias/Default Domain Name of Enterprise A, set Role Name, and then click Submit.
    5. Manage the Message Queue for Apache RocketMQ resources of Enterprise A.
  • Access resources by calling API operations

    RAM users of Enterprise B can access the resources of Enterprise A by calling the API operations provided by Message Queue for Apache RocketMQ. For more information about how to call an API operation, see API call methods.
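The STS token method above requires the application to re-assume the RAM role and call updateCredential before the temporary token expires. The following Python helper, added here as an illustration and not part of this page or of the Alibaba Cloud SDKs, tracks the Expiration field of a constructed AssumeRole response, maps the credentials onto the three property names the SDK reads, and triggers a refresh ahead of expiry; the assume_role and apply callbacks are assumptions standing in for the real STS call and the real updateCredential call.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed sample of the Credentials block an AssumeRole response carries
# (field names as returned by STS; the values are placeholders, not real secrets).
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "STS.placeholder-access-key-id",
        "AccessKeySecret": "placeholder-access-key-secret",
        "SecurityToken": "placeholder-security-token",
        "Expiration": "2024-01-01T01:00:00Z",
    }
}


def parse_expiration(value: str) -> datetime:
    """Parse the UTC ISO 8601 timestamp STS uses for the Expiration field."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_sdk_properties(credentials: Dict[str, str]) -> Dict[str, str]:
    """Map the STS fields onto the keys the RocketMQ SDK reads
    (PropertyKeyConst.AccessKey, SecretKey and SecurityToken)."""
    return {
        "AccessKey": credentials["AccessKeyId"],
        "SecretKey": credentials["AccessKeySecret"],
        "SecurityToken": credentials["SecurityToken"],
    }


class StsCredentialRefresher:
    """Re-assumes the role before the token expires and hands the new
    properties to `apply` (assumed to wrap client.updateCredential)."""

    def __init__(self, assume_role: Callable[[], dict],
                 apply: Callable[[Dict[str, str]], None],
                 margin: timedelta = timedelta(minutes=5)) -> None:
        self._assume_role = assume_role  # assumed: performs the STS AssumeRole call
        self._apply = apply
        self._margin = margin            # refresh this long before expiry
        self.expires_at: Optional[datetime] = None

    def ensure_valid(self, now: datetime) -> bool:
        """Return True if a refresh was performed at time `now`."""
        if self.expires_at is not None and now < self.expires_at - self._margin:
            return False
        creds = self._assume_role()["Credentials"]
        self.expires_at = parse_expiration(creds["Expiration"])
        self._apply(to_sdk_properties(creds))
        return True
```

Calling ensure_valid from the send loop (or a timer) keeps the client's token current without waiting for an authentication failure.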

References