ApsaraMQ for RocketMQ:Grant permissions across Alibaba Cloud accounts by using RAM roles

Last Updated:Aug 23, 2023

You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to the role, and specify the Alibaba Cloud account of Enterprise B as the trusted entity that is allowed to assume the role. This way, the Alibaba Cloud account of Enterprise B, or a RAM user that belongs to that account, can access the Alibaba Cloud resources of Enterprise A without Enterprise A handing out any long-term credentials.

Background information

Enterprise A has activated ApsaraMQ for RocketMQ and wants to authorize Enterprise B to use the service.

Enterprise A has the following requirements:

  • Enterprise A wants to focus on business systems and authorize Enterprise B to perform operations, such as subscribing to messages and publishing messages, on the resources that are owned by Enterprise A.

  • Each time an employee joins or leaves Enterprise B, Enterprise A does not need to change permission settings. Enterprise B can grant permissions on the resources of Enterprise A to the RAM users of Enterprise B for fine-grained access control. The RAM users can be employees or applications.

  • If the contract between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.

Solution

In this example, Enterprise A needs to authorize the employees of Enterprise B to manage the ApsaraMQ for RocketMQ resources of Enterprise A. Enterprise A has Alibaba Cloud account A, and Enterprise B has Alibaba Cloud account B. To grant permissions on the resources of Enterprise A to Enterprise B, perform the following steps:

  1. Step 1: Create a RAM role and grant the required permissions to the role

    Use Alibaba Cloud account A to create a RAM role, grant permissions to the RAM role based on the business scope and requirements, and then authorize the RAM users of Alibaba Cloud account B to assume the RAM role.

  2. Step 2: Access resources across Alibaba Cloud accounts

    After the required permissions are granted to the RAM role, the RAM users of Alibaba Cloud account B can obtain the permissions of the RAM role by assuming the RAM role. The RAM users can access the resources of Alibaba Cloud account A by using one of the following methods:

    • Access resources by using SDKs

    • Access resources by using the console

    • Access resources by calling API operations

Step 1: Create a RAM role and grant the required permissions to the role

  1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and then create a RAM role that trusts the Alibaba Cloud account of Enterprise B. When you create the role, select an Alibaba Cloud account as the trusted entity and specify the ID of Alibaba Cloud account B. Only principals of that account can then assume the role.

  2. Optional: Create a custom policy for the RAM role by using the Alibaba Cloud account of Enterprise A.

    For more information, see Create a custom policy.

    ApsaraMQ for RocketMQ allows you to configure permissions by instance, topic, and group. For more information, see Policies and examples.

  3. Grant permissions to the RAM role that you created. A newly created RAM role has no permissions. Attach a system policy or the custom policy from the previous substep to the RAM role. Grant only the actions that Enterprise B needs, such as publishing to and subscribing from specific topics, rather than full access to the service.

  4. Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and then create a RAM user.

  5. Attach the AliyunSTSAssumeRoleAccess permission policy to the created RAM user.

    For more information, see Grant permissions to RAM users.

    Enterprise B must attach the AliyunSTSAssumeRoleAccess permission policy to a RAM user of Alibaba Cloud account B. This way, the RAM user can call the STS AssumeRole operation and assume the RAM role that is created by Enterprise A. AliyunSTSAssumeRoleAccess allows the RAM user to assume any role that trusts account B. If the RAM user should be able to assume only this role, attach a custom policy instead that allows the sts:AssumeRole action only on the ARN of the role.
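The policy documents that Step 1 produces, written out as an added example (this is not content from the original page). Account IDs, the role name, the instance ID, the topic name and the group ID are placeholders. Document 1 is the trust policy that account A gives the role so that only account B can assume it. Document 2 is the custom permission policy attached to the role, restricting Enterprise B to publishing and subscribing on one topic and one group of one instance; the mq:PUB and mq:SUB actions and the acs:mq resource format are assumed from the ApsaraMQ for RocketMQ policy reference, so check them against Policies and examples before use. Document 3 is the narrower alternative to AliyunSTSAssumeRoleAccess for the RAM user in account B.

```jsonc
// 1. Trust policy of the RAM role in account A (the AssumeRolePolicyDocument):
//    only principals of Alibaba Cloud account B may call AssumeRole on this role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "RAM": ["acs:ram::<AccountB-ID>:root"]
      }
    }
  ]
}

// 2. Custom permission policy attached to the role in account A:
//    publish to one topic, subscribe to it with one group, nothing else.
//    Action names and resource format assumed from the RocketMQ policy reference.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mq:PUB",
      "Resource": "acs:mq:*:*:<instance-id>%<topic-name>"
    },
    {
      "Effect": "Allow",
      "Action": "mq:SUB",
      "Resource": [
        "acs:mq:*:*:<instance-id>%<topic-name>",
        "acs:mq:*:*:<instance-id>%<group-id>"
      ]
    }
  ]
}

// 3. Custom policy for the RAM user in account B, used instead of the
//    AliyunSTSAssumeRoleAccess system policy: this role and no other may be assumed.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::<AccountA-ID>:role/<role-name>"
    }
  ]
}
```

Revocation at the end of the contract is then a single change on Enterprise A's side: removing account B from document 1 or deleting the role stops every further AssumeRole call, and outstanding tokens stop working when they expire.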

Step 2: Access resources across Alibaba Cloud accounts

  • Access resources by using SDKs

    The RAM users of Enterprise B can access the ApsaraMQ for RocketMQ resources of Enterprise A to send and receive messages by using SDKs. To access resources by using SDKs, use one of the following methods to configure the SDK code:

    • A token generated by Security Token Service (STS): When you configure the SDK code by using a token that is generated by STS, you provide the temporary AccessKey pair and the temporary security token that STS issued to the RAM user when it assumed the role. Temporary credentials have a limited validity period and must be refreshed before they expire. For information about how to obtain a temporary security token by using STS, see AssumeRole.

      Important
      • This method requires ApsaraMQ for RocketMQ SDK for Java 1.7.8.Final or later.

      • For information about how to obtain an AccessKey pair, see Create an AccessKey pair.

      Sample code

      • To configure the SDK by using a token generated by STS, specify the temporary AccessKey pair and security token that AssumeRole returned when you initialize the ApsaraMQ for RocketMQ client:

        import java.util.Properties;
        import com.aliyun.openservices.ons.api.ONSFactory;
        import com.aliyun.openservices.ons.api.Producer;
        import com.aliyun.openservices.ons.api.PropertyKeyConst;

        Properties properties = new Properties();
        // Make sure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN hold the temporary credentials returned by AssumeRole. 
        // The temporary AccessKey ID of the RAM user. 
        properties.put(PropertyKeyConst.AccessKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
        // The temporary AccessKey secret of the RAM user. 
        properties.put(PropertyKeyConst.SecretKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // The security token of the RAM user. 
        properties.put(PropertyKeyConst.SecurityToken, System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
        // Other attributes, such as the endpoint of the instance. 
        properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
        ......
        Producer client = ONSFactory.createProducer(properties);
        client.start();
      • Before the security token expires, call the updateCredential method to replace the credentials with a newly issued set without restarting the client:

        Properties properties = new Properties();
        // Make sure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN are configured. 
        // The AccessKey ID of the RAM user. 
        properties.put(PropertyKeyConst.AccessKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
        // The AccessKey secret of the RAM user. 
        properties.put(PropertyKeyConst.SecretKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // The security token of the RAM user. 
        properties.put(PropertyKeyConst.SecurityToken, System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
        client.updateCredential(properties);                    
    • An instance RAM role attached to your Elastic Compute Service (ECS) instance: If an instance RAM role is attached to the ECS instance on which your application runs, you do not need to put an AccessKey pair or a security token in the SDK code. You specify only the name of the RAM role, and the SDK obtains and renews temporary credentials for that role from the instance metadata service. This keeps long-term credentials out of the application, but the RAM role that you attach to the ECS instance must hold the required ApsaraMQ for RocketMQ permissions. For more information, see Attach an instance RAM role to an ECS instance.

      Important

      This method requires ApsaraMQ for RocketMQ SDK for Java 1.8.7.3.Final or later.

      Sample code

      Properties properties = new Properties();
      // The name of the RAM role that you created and attached to the ECS instance. No AccessKey pair or security token is needed. 
      properties.put(PropertyKeyConst.RAM_ROLE_NAME, "XXX");
      properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
      Producer client = ONSFactory.createProducer(properties);
      client.start();
  • Access resources by using the console

    The RAM users of Enterprise B can access the resources of Enterprise A by using the ApsaraMQ for RocketMQ console. The following items describe the steps:

    1. Open the RAM User Logon page in your browser.

    2. In the Username field, enter the logon name of the RAM user and click Next. On the page that appears, enter the password. Then, click Log On.

      Note

      The logon name of the RAM user is in the <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> indicates the alias of your Alibaba Cloud account. If no alias is specified, the ID of your Alibaba Cloud account is used by default.

    3. In the upper-right corner of the homepage of the console, move the pointer over the profile icon and click Switch Identity.

    4. On the Switch Role page, enter the enterprise alias, domain name, or Alibaba Cloud account ID of Enterprise A in the Enterprise Alias / Domain / Account UID field, enter a role name in the Role Name field, and then click Submit.

    5. Manage the ApsaraMQ for RocketMQ resources of Enterprise A.

  • Access resources by calling API operations

    The RAM users of Enterprise B can also access the resources of Enterprise A by calling the API operations provided by ApsaraMQ for RocketMQ. When a request is signed with the temporary credentials returned by AssumeRole, it must carry the security token in addition to the temporary AccessKey pair. For more information, see Make API requests.
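The STS-token method from the SDK section above, carried through end to end as an added example (this code is not from the original page or from the ApsaraMQ for RocketMQ SDK): a RAM user of account B calls STS AssumeRole with the aliyun-java-sdk-sts client, hands the returned AccessKey pair and security token to the ONS client under the same property keys the snippets above use, and re-assumes the role shortly before the token's Expiration so that updateCredential runs while the old token is still valid. The role ARN, the session name, the STS region, the ROCKETMQ_ROLE_ARN and ROCKETMQ_NAMESRV_ADDR environment variables, and the refresh margins are assumptions; as the page notes, the token method needs SDK for Java 1.7.8.Final or later.

```java
import java.time.Instant;
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

// Producer run by Enterprise B against Enterprise A's instance: assume A's role, feed the
// STS credentials to the ONS client, and refresh them before they expire.
public class CrossAccountProducer {
    // ARN of the role created in account A, e.g. acs:ram::<AccountA-ID>:role/<role-name> (placeholder).
    private static final String ROLE_ARN = System.getenv("ROCKETMQ_ROLE_ARN");
    private static final String STS_REGION_ID = "cn-hangzhou";  // assumed region of the STS endpoint
    private static final long TOKEN_TTL_SECONDS = 3600L;        // request a one-hour token
    private static final long REFRESH_MARGIN_SECONDS = 300L;    // refresh five minutes before expiry
    private static final long RETRY_SECONDS = 30L;              // retry interval when AssumeRole fails

    private final IAcsClient stsClient;
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    private Producer producer;

    CrossAccountProducer() {
        // The long-term AccessKey pair of the RAM user in account B is the only secret the
        // application holds, and that user is allowed to do nothing but call AssumeRole.
        DefaultProfile profile = DefaultProfile.getProfile(STS_REGION_ID,
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        this.stsClient = new DefaultAcsClient(profile);
    }

    /** Calls STS AssumeRole and returns the temporary AccessKey pair and security token. */
    AssumeRoleResponse.Credentials assumeRole() throws ClientException {
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRoleArn(ROLE_ARN);
        // The session name appears in account A's audit trail; make it identify the caller.
        request.setRoleSessionName("enterprise-b-order-service");
        request.setDurationSeconds(TOKEN_TTL_SECONDS);
        return stsClient.getAcsResponse(request).getCredentials();
    }

    /** Maps STS credentials onto the same property keys that the snippets above use. */
    static Properties credentialProperties(AssumeRoleResponse.Credentials creds) {
        Properties p = new Properties();
        p.put(PropertyKeyConst.AccessKey, creds.getAccessKeyId());
        p.put(PropertyKeyConst.SecretKey, creds.getAccessKeySecret());
        p.put(PropertyKeyConst.SecurityToken, creds.getSecurityToken());
        return p;
    }

    /** Seconds to wait before refreshing: time to Expiration minus the margin, at least one minute. */
    static long secondsUntilRefresh(AssumeRoleResponse.Credentials creds) {
        long ttl = Instant.parse(creds.getExpiration()).getEpochSecond() - Instant.now().getEpochSecond();
        return Math.max(ttl - REFRESH_MARGIN_SECONDS, 60L);
    }

    void start(String namesrvAddr) throws ClientException {
        AssumeRoleResponse.Credentials creds = assumeRole();
        Properties properties = credentialProperties(creds);
        properties.put(PropertyKeyConst.NAMESRV_ADDR, namesrvAddr);
        producer = ONSFactory.createProducer(properties);
        producer.start();
        scheduleRefresh(secondsUntilRefresh(creds));
    }

    /** Re-assumes the role and swaps the token in with updateCredential, without restarting the client. */
    private void scheduleRefresh(long delaySeconds) {
        scheduler.schedule(() -> {
            try {
                AssumeRoleResponse.Credentials fresh = assumeRole();
                producer.updateCredential(credentialProperties(fresh));
                scheduleRefresh(secondsUntilRefresh(fresh));
            } catch (ClientException e) {
                // STS is unreachable, or account A has revoked the trust. The current token
                // keeps working until it expires, so log the failure and retry shortly.
                System.err.println("AssumeRole failed: " + e.getErrCode() + " " + e.getErrMsg());
                scheduleRefresh(RETRY_SECONDS);
            }
        }, delaySeconds, TimeUnit.SECONDS);
    }

    public static void main(String[] args) throws Exception {
        CrossAccountProducer app = new CrossAccountProducer();
        app.start(System.getenv("ROCKETMQ_NAMESRV_ADDR"));  // assumed variable holding the endpoint
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            app.scheduler.shutdownNow();
            app.producer.shutdown();
        }));
    }
}
```

The application never holds a credential that belongs to account A. Its only long-term secret is the AccessKey pair of account B's RAM user, which under Step 1 can do nothing except assume the role, so leaking it exposes no more than the role's permission policy allows. If Enterprise A deletes the role or removes account B from its trust policy, the next scheduled AssumeRole fails and the producer loses access as soon as the outstanding token expires, which is the revocation behaviour described under Background information.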