You can use the Alibaba Cloud account of enterprise A to create a Resource Access Management (RAM) role, grant permissions to this role, and assign this role to enterprise B. In this way, the Alibaba Cloud account of enterprise B, or a RAM user under that account, can access the Alibaba Cloud resources of enterprise A.

Background information

Enterprise A has purchased Message Queue for Apache RocketMQ to run its business, and wants to delegate some of its business operations to enterprise B.

The requirements are as follows:

  • Enterprise A wants to focus on its business systems and only acts as the resource owner. Enterprise B is entrusted and authorized to perform tasks such as message delivery and subscription.
  • Enterprise A does not want to change any permissions when an employee joins or leaves enterprise B. Instead, enterprise B can further assign the permissions to access the resources of enterprise A to its own RAM users (employees or applications) and precisely control which resources those employees or applications can access and operate.
  • Enterprise A also wants to be able to revoke the authorization granted to enterprise B at any time, for example, when the contract is terminated.

Procedure

  1. You need to use the Alibaba Cloud account of enterprise A to log on to the RAM console and create a RAM role for the Alibaba Cloud account of enterprise B.
  2. Optional: Enterprise A creates a custom policy for the new RAM role.

    For more information, see Create a custom policy.

    Currently, Message Queue for Apache RocketMQ supports permission setting for instances, topics, and groups. For more information, see Permission policies.

  3. A new RAM role does not have any permissions. Therefore, enterprise A must grant permissions to the role. You can attach system policies or custom policies.
    For more information, see Grant permissions to a RAM role.
  4. Use the Alibaba Cloud account of enterprise B to log on to the RAM console and create a RAM user.
  5. Enterprise B grants the AliyunSTSAssumeRoleAccess permission to the RAM user.

    For more information, see Grant permissions to a RAM user.

    Enterprise B must grant the AliyunSTSAssumeRoleAccess permission to the RAM users under its Alibaba Cloud account so that these RAM users can assume the RAM role created by enterprise A.

  6. The RAM users of enterprise B access the resources of enterprise A in the console or by calling API operations.
    For more information, see What to do next.

What to do next

After completing the preceding operations, the RAM users of enterprise B can log on to the console to access the cloud resources of enterprise A or call API operations as follows.

  • Log on to the console to access the cloud resources of enterprise A.
    1. Open a browser and access the RAM user logon page at https://signin.aliyun.com/login.htm.
    2. On the RAM User Logon page, enter the RAM user name, click Next, enter the RAM user password, and then click Log on.
      Note The RAM user name is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. In the format, <$AccountAlias> is the account alias. If no account alias is set, the value defaults to the ID of the Alibaba Cloud account.
    3. On the RAM user center page, move the pointer to the portrait in the upper-right corner and click Switch Role.
    4. On the Alibaba Cloud - Switch Role page, set Enterprise Alias / Default Domain Name and Role Name, and click Switch.
    5. Perform operations on the Alibaba Cloud resources of enterprise A.
  • Use a RAM user of enterprise B to access the resources of enterprise A in the console or by calling API operations.

    To use a RAM user of enterprise B to access the cloud resources of enterprise A by calling API operations, make sure that the code contains the AccessKeyId, AccessKeySecret, and SecurityToken (temporary security token) that the RAM user obtained by assuming the role. For more information about how to use Security Token Service (STS) to obtain a temporary security token, see AssumeRole.

Use STS in Message Queue for Apache RocketMQ

Notice STS is applicable only to Java SDK 1.7.8.Final and later of Message Queue for Apache RocketMQ.
  • When you initialize the Message Queue for Apache RocketMQ client, you only need to set the obtained AccessKeyId, AccessKeySecret, and SecurityToken values in the following properties:
    import java.util.Properties;
    import com.aliyun.openservices.ons.api.ONSFactory;
    import com.aliyun.openservices.ons.api.Producer;
    import com.aliyun.openservices.ons.api.PropertyKeyConst;

    Properties properties = new Properties();
    // The AccessKey ID of your STS account (a temporary key that starts with "STS.").
    properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
    // The AccessKey secret of your STS account.
    properties.put(PropertyKeyConst.SecretKey, "XXX");
    // The security token of your STS account.
    properties.put(PropertyKeyConst.SecurityToken, "XXX");
    // Other properties, such as the endpoint of the instance.
    properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
    ...
    Producer client = ONSFactory.createProducer(properties);
    client.start();
  • When the security token expires, call the updateCredential method to dynamically update the token.
    // Only the credential properties are needed here; client is the producer created above.
    Properties properties = new Properties();
    // The new AccessKey ID of your STS account.
    properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
    // The new AccessKey secret of your STS account.
    properties.put(PropertyKeyConst.SecretKey, "XXX");
    // The new security token of your STS account.
    properties.put(PropertyKeyConst.SecurityToken, "XXX");
    client.updateCredential(properties);
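The following added example (not code from the Alibaba Cloud documentation or SDKs) shows how steps 5 and 6 and the two snippets above fit together: a producer of enterprise B calls STS AssumeRole with the long-term keys of its RAM user, starts the client on the temporary credentials only, and calls updateCredential before the token expires. It assumes the aliyun-java-sdk-sts and ons-client libraries; the class name StsRocketMqProducer, the role ARN, endpoint, group ID, region, and environment variable names are placeholders.

```java
import java.time.Instant;
import java.util.Properties;
import java.util.concurrent.*;
import com.aliyun.openservices.ons.api.*;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.*;
// Hypothetical producer run by enterprise B: assumes enterprise A's RAM role via STS and rotates the token.
public class StsRocketMqProducer {
    private static final String ROLE_ARN = "acs:ram::<account-id-of-A>:role/<role-name>"; // placeholder
    private static final String NAMESRV_ADDR = "<instance-endpoint>";                      // placeholder
    private static final String GROUP_ID = "GID_<group>";                                  // placeholder
    // Enterprise B's RAM user (granted AliyunSTSAssumeRoleAccess) signs AssumeRole with long-term keys read
    // from the environment; those keys never go into the producer's properties, only the STS token does.
    private final DefaultAcsClient sts = new DefaultAcsClient(DefaultProfile.getProfile("cn-hangzhou",
            System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")));
    private final ScheduledExecutorService refresher = Executors.newSingleThreadScheduledExecutor();
    private Producer producer;
    private Instant expiresAt;
    // Calls STS AssumeRole and returns the temporary credentials as client properties.
    private Properties assumeRole() throws ClientException {
        AssumeRoleRequest req = new AssumeRoleRequest();
        req.setRoleArn(ROLE_ARN);
        req.setRoleSessionName("enterprise-b-producer"); // recorded in enterprise A's audit logs
        req.setDurationSeconds(3600L);
        AssumeRoleResponse.Credentials c = sts.getAcsResponse(req).getCredentials();
        expiresAt = Instant.parse(c.getExpiration());
        Properties p = new Properties();
        p.put(PropertyKeyConst.AccessKey, c.getAccessKeyId()); // "STS.xxx"
        p.put(PropertyKeyConst.SecretKey, c.getAccessKeySecret());
        p.put(PropertyKeyConst.SecurityToken, c.getSecurityToken());
        return p;
    }
    // Re-runs AssumeRole five minutes before expiry (never sooner than 60 s) and swaps the token in place.
    private void scheduleRefresh() {
        long delay = expiresAt.getEpochSecond() - Instant.now().getEpochSecond() - 300;
        refresher.schedule(this::refresh, Math.max(delay, 60), TimeUnit.SECONDS);
    }
    private void refresh() {
        try { producer.updateCredential(assumeRole()); scheduleRefresh(); } // client keeps running on the new token
        catch (ClientException e) { refresher.schedule(this::refresh, 30, TimeUnit.SECONDS); } // transient STS error: retry
    }
    public void start() throws ClientException {
        Properties p = assumeRole();
        p.put(PropertyKeyConst.NAMESRV_ADDR, NAMESRV_ADDR);
        p.put(PropertyKeyConst.GROUP_ID, GROUP_ID);
        producer = ONSFactory.createProducer(p);
        producer.start();
        scheduleRefresh();
    }
}
```

Because every token is tied to the role of enterprise A, enterprise A can cut off enterprise B at any time by changing the role's trust policy or deleting the role, without touching any keys held by enterprise B.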